[squid-users] URL access based on AD group membership

Mon Jun 20 17:57:53 UTC 2016

Hello Amos;
is there a simpler way to tackle this as I am not linux guy and not sure 
howto write any helper program which need to call.

Regards;
Nilesh Gavali

> Thanks Eliezer for reply.
> Its is working now for be perfectly with below command with -d option 
> gives helpful debug info to troubleshoot.
> 
> external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group -P 
-R 
> -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -w 123456789 -f 
> 
"(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=IN))" 

> -h abcd.gov.in -s sub -v 3 -d
> 
> Currently I have configure squid with AD kerberos auth. also url access 
> restricted based on  AD group membership.
> 
> Now I observed, is that when I add any user to one of the AD group which 

> allowed in squid.  it is not accepting the changes until I restart the 
> squid service.

Your external_acl_type has a 1 hour response cache. Meaning it will take
a minimum of 1 hour for any changes to the AD group settings to be
passed on to Squid.

> 
> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s 
> HTTP/proxy02.abcd.gov.in at ABCD.GOV.IN 
> auth_param negotiate children 10 
> auth_param negotiate keep_alive on 
> auth_param basic credentialsttl 2 hours 

NP: settings for Basic authentication do not have any affect on
non-Basic types of authentication.

There is no TTL for Kerberos user credentials. They are valid for as
long as the TCP connection to the proxy is open. Any change in the
Kerberos security tokens sent by the client after authentication is
completed will terminate/close the TCP connection.

> 
> external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group -P 
-R 
> -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -w 123456789 -f 
> 
"(&(objectclass=person)(userPrincipalName=%u)(memberof=cn=%g,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=IN))" 

> -h abcd.gov.in -s sub -v 3 -d 
> 

Since your helper names were outdated 6 years ago I assume you are using
Squid-3.1 or older:
<http://www.squid-cache.org/Versions/v3/3.1/cfgman/external_acl_type.html>

Note the default values for ttl= , negative_ttl=, and grace=

Amos

=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160620/46a9d3b3/attachment.html>