[squid-users] Simple ACL help for Kerberos authenticated sessions

Markus Moeller huaraz at moeller.plus.com
Tue Aug 8 19:11:33 UTC 2017


Hi,

When using the latest squid 4 release you can use %note{group} to get 
the group information from the Negotiate Kerberos helper to transfer the PAC 
group SIDs to the external ACL helper.

squid.conf

...
external_acl_type test_acl ipv4 %LOGIN %note{group} /opt/squid-trunk/sbin/test_acl
acl squid_allow external test_acl
...

The helper script will initially look for the objectsid of the group 
SQUID_ALLOW (i.e. it will be only called when the helper is started and 
never again - good for performance).  After that the SIDs from the Kerberos 
PAC information are compared with the previously retrieved SID from AD.


#!/bin/bash
#
# Squid external ACL helper: each input line is "%LOGIN %note{group}";
# answer OK when the comma-separated PAC group SIDs contain the SID of
# the AD group SQUID_ALLOW, ERR otherwise.
#
log() { (>&2 echo "$(date +"%Y/%m/%d %H:%M:%S")| test_ACL: $*"); }

#
# GET SID for Group (done once, when Squid starts the helper)
#
export KRB5CCNAME=/tmp/squid_krb5cc
kinit -kt /etc/squid/squid.keytab HTTP/opensuse42.suse.home || { log "kinit failed"; exit 1; }
# ldapsearch prints the binary objectSid base64-encoded ("objectSid:: ...");
# stderr is left alone so any LDAP error lands in cache.log, not in $SID.
SID=$(ldapsearch -LLL -Ygssapi -H ldap://dc1.samba.home:389 -s sub -b "DC=samba,DC=home" "(CN=SQUID_ALLOW)" objectsid | awk '{ if ( $0 ~ /^object/ ) print $2 }')
if [ -z "$SID" ]; then
  log "could not retrieve SID for SQUID_ALLOW"
  exit 1
fi
log "SID=$SID"

#
# Loop over input: one request per line. read fails when Squid closes
# the pipe, which ends the loop instead of spinning forever.
#
while read -r user groups _; do
  found=0
  log "user=$user"
  log "groups=$groups"
  # split the comma-separated SID list into an array
  IFS=, read -ra sidlist <<< "$groups"
  for group in "${sidlist[@]}"; do
    if [ "$group" == "$SID" ]; then
      log "matched group: $group"
      found=1
      break   # exactly one answer per request
    fi
  done
  if [ $found -eq 1 ]; then
    echo "OK"
  else
    echo "ERR"
  fi
done

Example log from the cache.log file


2017/08/08 20:02:02 kid1| helperOpenServers: Starting 0/5 'test_acl' processes
2017/08/08 20:02:02 kid1| helperOpenServers: No 'test_acl' processes needed.
2017/08/08 20:02:23 kid1| Starting new test_acl helpers...
2017/08/08 20:02:23 kid1| helperOpenServers: Starting 1/5 'test_acl' processes
2017/08/08 20:02:24| test_ACL: SID=AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA==
2017/08/08 20:02:24| test_ACL: user=Administrator@SAMBA.HOME
2017/08/08 20:02:24| test_ACL: groups=AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVCAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVPAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVBwIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVBgIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVAAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA==
2017/08/08 20:02:24| test_ACL: matched group: AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA==


Regards
Markus 
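A more general form of the same check, added here as an example; it is not code from Markus's post or from the Squid project. This Python external ACL helper decodes the base64 PAC SIDs into their S-1-5-... text form, matches them against an allow-list, handles the channel-ID prefix Squid adds when concurrency= is configured, and URL-unescapes the values Squid passes. The allow-list contents, the --concurrent flag, and treating "-" as an empty group list are assumptions; the SIDs it uses are the ones visible in the cache.log above (the SQUID_ALLOW SID and the same domain's well-known Domain Admins RID 512).

```python
#!/usr/bin/env python3
"""Squid external ACL helper for "%LOGIN %note{group}" input lines.

Added example, not the helper from the original post. Assumptions:
  * input is "[channel-id] user group1,group2,..." with base64 binary SIDs;
  * Squid passes "-" when the note is empty (treated as no groups);
  * ALLOWED_SIDS is a constructed allow-list built from the SIDs in the log.
"""
import base64
import binascii
import struct
import sys
from urllib.parse import unquote

ALLOWED_SIDS = frozenset({
    "S-1-5-21-584193679-2622648807-3585151463-1107",  # SQUID_ALLOW (from the post's log)
    "S-1-5-21-584193679-2622648807-3585151463-512",   # Domain Admins of the same domain (assumed)
})


def decode_sid(b64: str) -> str:
    """Turn a base64 binary SID (as in the PAC or LDAP objectSid) into S-1-5-... text.

    Layout: revision (1 byte), sub-authority count (1 byte),
    48-bit identifier authority (big-endian), then count x 32-bit
    sub-authorities (little-endian).
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_request(line: str, concurrent: bool = False):
    """Split one helper input line into (channel_id or None, user, [b64 sid, ...])."""
    fields = line.split()
    channel = None
    if concurrent:
        # with concurrency= in squid.conf every line starts with a channel ID
        if len(fields) < 2:
            raise ValueError("missing channel id")
        channel = fields.pop(0)
    if not fields:
        raise ValueError("empty request")
    user = unquote(fields[0])
    groups = unquote(fields[1]) if len(fields) > 1 else ""
    if groups == "-":            # assumed placeholder for an empty %note{group}
        groups = ""
    sids = [g for g in groups.split(",") if g]
    return channel, user, sids


def decide(line: str, allowed=ALLOWED_SIDS, concurrent: bool = False) -> str:
    """Return the reply line Squid expects: "OK" / "ERR", prefixed by the channel ID if any."""
    try:
        channel, _user, sids = parse_request(line, concurrent)
    except ValueError:
        return "ERR"             # unparsable request: fail closed
    verdict = "ERR"
    for b64 in sids:
        try:
            sid = decode_sid(b64)
        except (ValueError, binascii.Error):
            continue             # skip an undecodable entry rather than failing open
        if sid in allowed:
            verdict = "OK"
            break                # one answer per request
    return "%s %s" % (channel, verdict) if channel is not None else verdict


def main() -> None:
    concurrent = "--concurrent" in sys.argv[1:]
    for line in sys.stdin:
        sys.stdout.write(decide(line, concurrent=concurrent) + "\n")
        sys.stdout.flush()       # Squid blocks on the reply; never leave it buffered


if __name__ == "__main__":
    main()
```

Wire it in with the same external_acl_type line as above (add concurrency=N and pass --concurrent if you want Squid to multiplex requests over one helper process), and log the decoded S-1-5-... strings rather than raw base64 when debugging: they are what you will see in AD tooling.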