[squid-users] LDAP acl groups

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 25 23:18:18 UTC 2017


On 26/01/2017 4:28 a.m., Leonardo Bacha Abrantes wrote:
> Hi guys,
> 
> I have an active directory running on windows server 2008 r2 and squid
> (version 3.5.20 - CentOS 7) authenticating via LDAP (without kerberos).
> The ldap authentication is working, the trouble is to create ACLs based on
> active directory groups.
> 
> 
> OBS: When I run both basic_ldap_auth and ext_ldap_group_acl commands
> manually as squid user in console to test, I receive 'OK' as answer.
> 
> 
> --->>> My squid.conf:
> 
> auth_param basic program /usr/lib64/squid/basic_ldap_auth -P -R -b
> ou=Users,ou=city,ou=country,dc=company,dc=local -D
> CN=bindUser,DC=company,DC=local -W PasswdFile -f sAMAccountName=%s -h
> 192.168.1.9
> auth_param basic children 10
> auth_param basic realm XXXXX
> auth_param basic credentialsttl 10 minutes
> 
> external_acl_type memberof %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -R
> -b OU=city,OU=country,DC=company,DC=local -D
> CN=bindUser,DC=company,DC=local -W PasswdFile -h 192.168.1.9 -f
> '(&(objectClass=person)(sAMAccountName=%v)(memberOf=CN=%a,OU=Groups,OU=city,OU=country,dc=company,dc=local))'
> 
> #Also tried memberOf=CN=%*g*
> 
> acl fullaccess  external memberof squid_fullaccess
> 
> acl LdapUsers proxy_auth REQUIRED
> http_access allow fullaccess LdapUsers


Two things that you really NEED to know:

1) Order is important.
<http://wiki.squid-cache.org/SquidFaq/OrderIsImportant>

So the http_access line you are using tells Squid to check the group and
only for members of the group is authentication to be performed.

How exactly do you expect Squid to know what user to check the groups
for *before* authentication has happened?


2) the popup is a browser decision.

All Squid is doing is telling the browser that credentials are needed to
use the proxy, and what types it can accept. If the browser were
properly doing its SSO the popup would not happen. There is nothing we
can do about that.


What you should do is deny non-authenticated users and only then check
the groups for people who have authenticated:

 http_access deny !LdapUsers
 http_access allow fullaccess

If the popup still occurs, then consider whether the browser was supposed
to have the right credentials to begin with (i.e. registered to the AD
domain controller). If it does, why is it not sending them instead of
doing the popup?


Amos


