[squid-users] ext_ldap_group_acl not working

L.P.H. van Belle belle at bazuin.nl
Mon Feb 1 15:40:43 UTC 2016


Try this format:

external_acl_type ldap_search ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl \
    -R -b "ou=User,dc=YOUR,dc=DNSDOM,dc=TLD" \
    -f "(&(samaccountname=%v)(memberof=cn=%a,ou=Groups,ou=Users,dc=YOUR,dc=DNSDOM,dc=TLD))" \
    -D AD-bind-user@YOURREALM \
    -W /etc/squid/private/ldap-bind \
    -K \
    -h addc2.internald.domain.tld \
    -h addc1.internald.domain.tld

And for the kerberos auth.

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN

These should work, they did for me for squid 3.4.8+

Or ( tested as of 3.5.10 )

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/prxy1.internal.domain.tld@YOURREALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

Greetz,


> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of alesironi
> Sent: Monday 1 February 2016 15:22
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] ext_ldap_group_acl not working
>
> L.P.H. van Belle wrote
> > Just a question..
> >
> > You are using Debian, I did say..
> >
> > chmod root:proxy ( proxy is the default squid user in Debian )
> >
> > I see..
> > chown root:squid /etc/squid3/ldappass.txt
> >
> > try again with
> > chown root:proxy /etc/squid3/ldappass.txt
> >
> > Greetz,
> >
> > Louis
>
> It was probably my typo, anyway I reconfigured as you said again.
> Same result. If I use SUDO (or if I configure to use the password in clear)
> it proceeds, but with the same error: invalid request: No Username
>
> Looks like an error in the syntax I used....
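A simplified model, added here and not taken from the message above or from Squid's source, of how a group helper configured with the `-f` filter and `-K` option shown above turns the request line Squid sends (`%LOGIN` followed by the ACL's group names) into LDAP search filters. The function names are hypothetical, and the URL-decoding, realm stripping and RFC 4515 escaping steps are assumptions about the helper's behaviour.

```python
"""Added illustration: simplified model of a group-ACL helper's input handling."""
import re
from urllib.parse import unquote

# Filter copied from the -f option in the message above.
FILTER = ("(&(samaccountname=%v)"
          "(memberof=cn=%a,ou=Groups,ou=Users,dc=YOUR,dc=DNSDOM,dc=TLD))")


def ldap_escape(value):
    """Escape RFC 4515 special characters so a value cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def build_filters(request_line, strip_realm=True):
    """Return one search filter per group named on a "user group ..." line."""
    # Fields are split on whitespace first, then URL-decoded (assumed encoding).
    fields = [unquote(f) for f in request_line.split()]
    if not fields:
        raise ValueError("no username in request")
    user, groups = fields[0], fields[1:]
    if not groups:
        raise ValueError("no group in request")
    if strip_realm:
        # Modelled effect of -K: a Kerberos login "user@REALM" becomes "user",
        # so it can match samaccountname.
        user = user.split("@", 1)[0]
    filters = []
    for group in groups:
        subst = {"%v": ldap_escape(user), "%a": ldap_escape(group)}
        # Single pass over the template: substituted values are never rescanned.
        filters.append(re.sub(r"%[va]", lambda m: subst[m.group()], FILTER))
    return filters


if __name__ == "__main__":
    # Constructed request lines (not captured from a real proxy).
    for line in ("jdoe@YOURREALM WebUsers", "j(doe)* Web%20Users", ""):
        try:
            print(repr(line), "->", build_filters(line))
        except ValueError as err:
            print(repr(line), "-> rejected:", err)
```

Comparing the printed filter with what an `ldapsearch` run under the same bind account returns helps separate a filter or base-DN mistake from a problem reading the bind-password file.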