<div>Hello!</div>
<div>I found trouble in "squid version 3.5.0.4 and 3.5.1". If a user account has a space in the login (sAMAccountName), the check doesn't pass successfully.</div>
<div>=================================================================================</div>
<div>Config file for NTLM authentication:</div>
<div>auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=OFFICE</div>
<div>auth_param ntlm children 100 startup=25 idle=1</div>
<div>auth_param ntlm keep_alive on</div>
<div>&nbsp;</div>
<div>external_acl_type memberof children-max=200 children-startup=10 %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -K -b "dc=office,dc=***,dc=corp" -D squidreader@office.***.corp -w ***** -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=internet,ou=groups,ou=lpk,dc=office,dc=***,dc=corp))" -H ldap://DC2.office.***.corp -Z -d</div>
<div>&nbsp;</div>
<div>cache.log for NTLM authentication:</div>
<div>Got NTLMSSP neg_flags=0xa2088207</div>
<div>Got user=[qqq qqq] domain=[OFFICE] workstation=[TERMINAL8] len1=24 len2=24</div>
<div>NTLMSSP Sign/Seal - Initialising with flags:</div>
<div>Got NTLMSSP neg_flags=0xa2088205</div>
<div>ext_ldap_group_acl.cc(579): pid=45705 :Connected OK</div>
<div>ext_ldap_group_acl.cc(718): pid=45705 :group filter '(&(objectclass=person)(sAMAccountName=qqq)(memberof=cn=Proxy-access-enable-full,ou=internet,ou=groups,ou=lpk,dc=office,dc=***,dc=corp))', searchbase 'dc=office,dc=***,dc=corp'</div>
<div>&nbsp;</div>
<div>In NTLM authentication I see the full name:</div>
<div>Got user=[qqq qqq] domain=[OFFICE] workstation=[TERMINAL8] len1=24 len2=24</div>
<div>&nbsp;</div>
<div>But in ext_ldap_group_acl I see a shortened name:</div>
<div>(sAMAccountName=qqq)</div>
<div>&nbsp;</div>
<div>and I get the message "access denied".</div>
<div>=================================================================================</div>
<div>Config file for Kerberos authentication:</div>
<div>auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.office.***.corp@OFFICE.***.CORP -i</div>
<div>auth_param negotiate children 200 startup=10 idle=1</div>
<div>auth_param negotiate keep_alive on</div>
<div>&nbsp;</div>
<div>external_acl_type memberof children-max=200 children-startup=10 %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -K -b "dc=office,dc=***,dc=corp" -D squidreader@office.***.corp -w ***** -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=internet,ou=groups,ou=lpk,dc=office,dc=***,dc=corp))" -H ldap://DC.office.***.corp -Z -d</div>
<div>&nbsp;</div>
<div>cache.log for Kerberos authentication:</div>
<div>2015/01/19 12:19:26| negotiate_kerberos_auth: INFO: User Steven%20Paul%20Jobs@OFFICE.***.CORP authenticated</div>
<div>ext_ldap_group_acl.cc(579): pid=46221 :Connected OK</div>
<div>ext_ldap_group_acl.cc(718): pid=46221 :group filter '(&(objectclass=person)(sAMAccountName=Steven)(memberof=cn=Proxy-access-enable-full,ou=internet,ou=groups,ou=lpk,dc=office,dc=***,dc=corp))', searchbase 'dc=office,dc=***,dc=corp'</div>
<div>&nbsp;</div>
<div>In Kerberos authentication I see the full name:</div>
<div>User Steven%20Paul%20Jobs@OFFICE.***.CORP authenticated</div>
<div>&nbsp;</div>
<div>But in ext_ldap_group_acl I see a shortened name:</div>
<div>(sAMAccountName=Steven)</div>
<div>&nbsp;</div>
<div>and I get the message "access denied".</div>
<div>=================================================================================</div>
<div>Also, I tried adding/removing the "protocol" parameter in the "external_acl_type" command, but it doesn't help.</div>
<div>protocol=3.0</div>
<div>protocol=2.5</div>
<div>=================================================================================</div>
<div>What should I do? How can this be fixed?</div>
<div>&nbsp;</div>
<div>Best regards,</div>
<div>Misha!</div>
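An added example, not part of the original post and not Squid project code: a small cache.log check that pairs each authenticated login with the next ext_ldap_group_acl group filter and reports the cases where the filter carries only the first word of the login, which is the symptom shown above. The function name, the shortened filter, the EXAMPLE realm placeholder and the "alice" control lines are assumptions, and the pairing assumes the log lines of one request are not interleaved with another's.

```python
import re
from urllib.parse import unquote

# Constructed sample built from the cache.log lines in the post. The group
# filter is shortened, the masked realm is replaced by EXAMPLE, and the
# "alice" pair is invented as a control case.
SAMPLE_LOG = """\
Got user=[qqq qqq] domain=[OFFICE] workstation=[TERMINAL8] len1=24 len2=24
ext_ldap_group_acl.cc(718): pid=45705 :group filter '(&(objectclass=person)(sAMAccountName=qqq)(memberof=cn=Proxy-access-enable-full))', searchbase 'dc=office'
2015/01/19 12:19:26| negotiate_kerberos_auth: INFO: User Steven%20Paul%20Jobs@OFFICE.EXAMPLE.CORP authenticated
ext_ldap_group_acl.cc(718): pid=46221 :group filter '(&(objectclass=person)(sAMAccountName=Steven)(memberof=cn=Proxy-access-enable-full))', searchbase 'dc=office'
2015/01/19 12:20:01| negotiate_kerberos_auth: INFO: User alice@OFFICE.EXAMPLE.CORP authenticated
ext_ldap_group_acl.cc(718): pid=46221 :group filter '(&(objectclass=person)(sAMAccountName=alice)(memberof=cn=Proxy-access-enable-full))', searchbase 'dc=office'
"""

NTLM_USER = re.compile(r"Got user=\[([^\]]*)\]")
KRB_USER = re.compile(r"negotiate_kerberos_auth: INFO: User (\S+) authenticated")
FILTER_USER = re.compile(r"group filter '.*?\(sAMAccountName=([^)]*)\)")


def find_truncated_logins(log_text):
    """Return (authenticated_name, name_in_ldap_filter) pairs where the
    filter only carries the first whitespace-separated word of the login."""
    findings = []
    pending = None  # most recent authenticated login not yet matched to a filter
    for line in log_text.splitlines():
        if m := NTLM_USER.search(line):
            pending = m.group(1)
        elif m := KRB_USER.search(line):
            # Drop the realm first, then decode %20 and other escapes.
            pending = unquote(m.group(1).rsplit("@", 1)[0])
        elif (m := FILTER_USER.search(line)) and pending is not None:
            looked_up = m.group(1)
            words = pending.split()
            if len(words) > 1 and words[0].casefold() == looked_up.casefold():
                findings.append((pending, looked_up))
            pending = None
    return findings


if __name__ == "__main__":
    for auth_name, filter_name in find_truncated_logins(SAMPLE_LOG):
        print(f"login {auth_name!r} was looked up as {filter_name!r}")
```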