[squid-users] ntml auth

Amos Jeffries squid3 at treenet.co.nz
Tue Aug 7 18:05:19 UTC 2018


On 08/08/18 04:59, Alex Gutiérrez Martínez wrote:
> #Hello community, I am trying to connect my squid to my AD using ntlm (I
> can't use Kerberos).

Why not?


> The problem is that I have not found a way to make
> the groups I have in the AD look in the squid.
> 
> #this is my current config using ldap using basic auth
> 
> auth_param basic program / usr / lib / squid / basic_ldap_auth -P -R -b
> "dc = mi, dc = company, dc = cu" -D cn = proxy, ou = ST, dc = mi, dc =
> company, dc = cu -W /etc/squid/ldap.txt -f sAMAccountName =% s -v 3 -s
> sub -h 192.168.1.10
> external_acl_type Group% LOGIN / usr / lib / squid / ext_ldap_group_acl
> -R -b "dc = mi, dc = company, dc = cu" -D cn = proxy, ou = ST, dc = mi,
> dc = company, dc = cu -W /etc/squid/ldap.txt -f "(& (objectclass = user)
> (sAMAccountName =% u) (memberof = cn =% g, dc = mi, dc = company, dc =
> cu))" -h 192.168.1.10

NP: I hope all those spaces inside the paths and helper parameters are
an artifact from your emailer. If they exist in your config file that
could be causing problems.


> auth_param basic children 10
> auth_param basic realm apolo.mi.empresa.cu
> auth_param basic credentialsttl 2 hour
> acl basic_ldap_auth proxy_auth REQUIRED
> http_access deny! basic_ldap_auth
> 
> #from here I get 2 groups
> #
> #i1 and i2
> ###########################
> acl i1 external Group Internet1
> acl i2 external Group Internet2
> 
> ####################################################################################################
> #####
> 
> #my configuration for ntlm is
> 
> auth_param ntlm program / usr / bin / ntlm_auth --diagnostics
> --helper-protocol = squid-2.5-ntlmssp --domain = my.company.cu
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
> auth_param ntlm credentialsttl 2 hour


"credentialsttl" is not a valid configuration setting for NTLM. All NTLM
credentials are valid for exactly and only the length the TCP connection
using them is alive.

Every new TCP connection needs its own credentials and 3-message
authentication handshake to set those up. This is part of why NTLM has
such horribly bad performance and why the default recommended config has
"keep_alive on".


> 
> 
> #What I want is to know how to use the groups that are in my active
> directory, specifically Internet1 and Internet2.
> 

You need some policy for what each group is allowed (or not allowed) to
do with the proxy. We cannot make that kind of decision for you, only
help you configure your policy to be enforced correctly.

If you don't already have any such policy then there is no point even
looking up the groups.



> #Every time I run "squid -k parse" it shows me an error in the line
> where I define the external groups.

You have a line defining a helper to lookup group names in LDAP, and two
lines defining ACL checks to test some group names.

Which of those do you have an error with?

And what is this error you mention?


Amos
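Putting the points from the reply together (no credentialsttl for NTLM, keep_alive on, a group helper plus an explicit per-group policy), here is a complete squid.conf fragment added as an illustration; it is not from the thread or from the Squid project. The bind DN, password file, server address and group names are the poster's own; the group OU, the time window and the policy itself are assumptions to be replaced with the site's real policy.

```conf
# NTLM authentication through Samba's ntlm_auth.
# No "credentialsttl": NTLM credentials last exactly as long as the TCP
# connection that carried the 3-message handshake, so keep_alive stays on.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=my.company.cu
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Group lookup helper. %LOGIN hands the authenticated name to the helper;
# -S strips the DOMAIN\ prefix that ntlm_auth returns so the filter can
# match sAMAccountName. ttl/negative_ttl cache results so AD is not asked
# on every request. The memberof DN is an assumption: point it at the OU
# (or the default Users container) where Internet1/Internet2 really live.
external_acl_type ADGroup ttl=300 negative_ttl=60 children-max=10 %LOGIN \
    /usr/lib/squid/ext_ldap_group_acl -R -S -v 3 -s sub \
    -b "dc=mi,dc=company,dc=cu" \
    -D cn=proxy,ou=ST,dc=mi,dc=company,dc=cu -W /etc/squid/ldap.txt \
    -f "(&(objectclass=user)(sAMAccountName=%u)(memberof=cn=%g,ou=Groups,dc=mi,dc=company,dc=cu))" \
    -h 192.168.1.10

# Authenticate first; unauthenticated requests never reach the group checks.
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated

# One ACL per AD group; the group name is what %g expands to above.
acl i1 external ADGroup Internet1
acl i2 external ADGroup Internet2

# The policy the reply asks for (assumed here): Internet1 may browse at any
# time, Internet2 only during working hours, everyone else is denied.
acl workhours time MTWHF 08:00-18:00
http_access allow i1
http_access allow i2 workhours
http_access deny all
```

Run `squid -k parse` after editing; it reports the file and line of any option it does not accept, which is the detail the reply asks the poster to send.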

