<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Rafael,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><br>
Thanks for your reply. Substituting userPrincipalName for sAMAccountName in both the command line and squid.conf produces an ERR:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid@example.com -W /etc/squid/password -f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">tcraddock@EXAMPLE.COM Full.Access<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">ERR<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">cat /etc/squid/squid.conf | grep userPrin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid@example.com -W /etc/squid/password -f "(&(objectclass=person)(userPrincipalName=$)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">cache.log:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016/04/05 17:45:24.190| authenticateAuthUserAddIp: user 'tcraddock@EXAMPLE.COM' has been seen at a new IP address (172.23.5.193:57445)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016/04/05 17:45:24.190| aclMatchExternal: memberof("tcraddock@EXAMPLE.COM Full.Access") = lookup needed<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016/04/05 17:45:24.190| aclMatchExternal: "tcraddock@EXAMPLE.COM Full.Access": entry=@0, age=0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016/04/05 17:45:24.190| aclMatchExternal: "tcraddock@EXAMPLE.COM Full.Access": queueing a call.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016/04/05 17:45:24.190| aclMatchExternal: "tcraddock@EXAMPLE.COM Full.Access": return -1.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016/04/05 17:45:24.190| externalAclLookup: lookup in 'memberof' for 'tcraddock@EXAMPLE.COM Full.Access'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016/04/05 17:45:24.196| externalAclHandleReply: reply="ERR"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016/04/05 17:45:24.196| external_acl_cache_add: Adding 'tcraddock@EXAMPLE.COM Full.Access' = 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016/04/05 17:45:24.196| aclMatchExternal: memberof = 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:black">Tommy E CRADDOCK JR<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:black">Systems Admin</span></b><b><span style="font-family:"Century Gothic","sans-serif";color:black"><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Century Gothic","sans-serif";color:black">BIC Advertising & Promotional Products<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Century Gothic","sans-serif";color:black">14421 Myer Lake Circle<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Century Gothic","sans-serif";color:black">Clearwater, FL 33760<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Century Gothic","sans-serif";color:black">727-507-3080<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Century Gothic","sans-serif";color:black">tommy.craddock@bicgraphic.com<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Century Gothic","sans-serif";color:#1F497D"><br>
</span></b><span style="font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:#1F497D"><a href="http://www.bicgraphic.com/"><span style="color:blue">www.bicgraphic.com</span></a></span><span style="font-size:10.5pt;font-family:"Century Gothic","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:6.0pt;font-family:"Century Gothic","sans-serif";color:#7A7A7A">CONFIDENTIALITY NOTICE</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:6.0pt;font-family:"Century Gothic","sans-serif";color:#7F7F7F">This electronic message is confidential and may contain legally privileged information intended only for the use of the individual or company named above. </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:6.0pt;font-family:"Century Gothic","sans-serif";color:#7F7F7F">If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby
notified </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:6.0pt;font-family:"Century Gothic","sans-serif";color:#7F7F7F">that any dissemination, distribution or copying of this communications is strictly prohibited. If you have received this communication in error, please
immediately </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:6.0pt;font-family:"Century Gothic","sans-serif";color:#7F7F7F">notify us by telephone, and return the original message to us at the address above</span><span style="color:black"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Rafael Akchurin [mailto:rafael.akchurin@diladele.com]
<br>
<b>Sent:</b> Tuesday, April 05, 2016 5:25 PM<br>
<b>To:</b> Craddock, Tommy; squid-users@lists.squid-cache.org<br>
<b>Subject:</b> RE: External ACL Lookup<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Hello Tommy,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Just my two cents. Try using userPrincipalName, and not sAMAccountName, in the LDAP filter.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The squid logs indicate the user is authenticated as tcraddock@EXAMPLE.COM, which is *<b>not</b>* in sAMAccountName for sure.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Rafael Akchurin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Diladele B.V. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><a href="http://www.quintolabs.com">http://www.quintolabs.com</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><a href="http://www.diladele.com">http://www.diladele.com</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">--<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Please take a look at Web Safety - our ICAP based web filter server for Squid proxy at
<a href="http://www.diladele.com">http://www.diladele.com</a>.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> squid-users [<a href="mailto:squid-users-bounces@lists.squid-cache.org">mailto:squid-users-bounces@lists.squid-cache.org</a>]
<b>On Behalf Of </b>Craddock, Tommy<br>
<b>Sent:</b> Tuesday, April 5, 2016 11:16 PM<br>
<b>To:</b> <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> [squid-users] External ACL Lookup<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello, <o:p></o:p></p>
<p class="MsoNormal"><br>
Trying to use an external ACL helper to do a lookup of my user in a group in a Windows AD. I can test from the command line:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid@example.com -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com<o:p></o:p></p>
<p class="MsoNormal">tcraddock@EXAMPLE.COM Full.Access<o:p></o:p></p>
<p class="MsoNormal">OK<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In the cache.log w/debug set to ALL,3:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2016/04/05 16:54:39.768| aclMatchExternal: memberof user not authenticated (0)<o:p></o:p></p>
<p class="MsoNormal">GETTING KERB TOKEN…..<o:p></o:p></p>
<p class="MsoNormal">…<o:p></o:p></p>
<p class="MsoNormal">2016/04/05 16:54:39.780| authenticateAuthUserAddIp: user 'tcraddock@EXAMPLE.COM' has been seen at a new IP address (172.23.5.193:56059)<o:p></o:p></p>
<p class="MsoNormal">2016/04/05 16:54:39.780| aclMatchExternal: memberof("tcraddock@EXAMPLE.COM Full.Access") = lookup needed<o:p></o:p></p>
<p class="MsoNormal">2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock@EXAMPLE.COM Full.Access": entry=@0, age=0<o:p></o:p></p>
<p class="MsoNormal">2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock@EXAMPLE.COM Full.Access": queueing a call.<o:p></o:p></p>
<p class="MsoNormal">2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock@EXAMPLE.COM Full.Access": return -1.<o:p></o:p></p>
<p class="MsoNormal">2016/04/05 16:54:39.780| externalAclLookup: lookup in 'memberof' for 'tcraddock@EXAMPLE.COM Full.Access'<o:p></o:p></p>
<p class="MsoNormal">2016/04/05 16:54:39.784| externalAclHandleReply: reply="ERR"<o:p></o:p></p>
<p class="MsoNormal">2016/04/05 16:54:39.785| external_acl_cache_add: Adding 'tcraddock@EXAMPLE.COM Full.Access' = 0<o:p></o:p></p>
<p class="MsoNormal">2016/04/05 16:54:39.785| aclMatchExternal: memberof = 0<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In the file referenced in the ACLs:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">acl RestrictedAccess external memberof "/etc/squid/restricted_access.txt"<o:p></o:p></p>
<p class="MsoNormal">acl FullAccess external memberof "/etc/squid/full_access.txt"<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">it has:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">cat /etc/squid/full_access.txt<o:p></o:p></p>
<p class="MsoNormal">Full.Access<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">cat /etc/squid/restricted_access.txt<o:p></o:p></p>
<p class="MsoNormal">Restricted.Access<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I'm not sure why the logs show my user getting ERR as the response to the group check when, if I run it from the command line, I get an OK.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Info about my setup:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[root@clwslprox01p squid]# squid -v<o:p></o:p></p>
<p class="MsoNormal">Squid Cache: Version 3.1.23<o:p></o:p></p>
<p class="MsoNormal">configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-internal-dns' '--disable-strict-error-checking' '--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' '--enable-digest-auth-helpers=password,ldap,eDirectory'
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--enable-http-violations'
'--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
--with-squid=/builddir/build/BUILD/squid-3.1.23<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[root@clwslprox01p squid]# cat /etc/redhat-release<o:p></o:p></p>
<p class="MsoNormal">Red Hat Enterprise Linux Server release 6.7 (Santiago)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Using negotiate w/NTLM and Kerberos to do user auth, and trying to use external helpers to do group lookups to a Windows AD. Windows AD is 2008 and 2012 in my env.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Squid.conf:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">### cache manager<o:p></o:p></p>
<p class="MsoNormal">cache_mgr pclan@example.com<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#Define the cache_peer to be used<o:p></o:p></p>
<p class="MsoNormal"># cache_peer proxy1.ap.webscanningservice.com parent 3128 0000 default no-query no-digest<o:p></o:p></p>
<p class="MsoNormal"># cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest<o:p></o:p></p>
<p class="MsoNormal"> cache_peer proxy1.us.webscanningservice.com parent 3128 0000 default no-query no-digest<o:p></o:p></p>
<p class="MsoNormal"># cache_peer proxy1.hk.webscanningservice.com parent 3128 0000 default no-query no-digest<o:p></o:p></p>
<p class="MsoNormal"># cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">### negotiate kerberos and ntlm authentication<o:p></o:p></p>
<p class="MsoNormal">auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE.COM --require-membership-of=EXAMPLE\\Full.Access --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME<o:p></o:p></p>
<p class="MsoNormal">auth_param negotiate children 10<o:p></o:p></p>
<p class="MsoNormal">auth_param negotiate keep_alive off<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">### pure ntlm authentication<o:p></o:p></p>
<p class="MsoNormal">auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE\\Full.Access<o:p></o:p></p>
<p class="MsoNormal">auth_param ntlm children 30<o:p></o:p></p>
<p class="MsoNormal">auth_param ntlm keep_alive off<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm<o:p></o:p></p>
<p class="MsoNormal">auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=example,dc=com" -D Squid@EXAMPLE.COM -W /etc/squid/password -f sAMAccountName=%s -h DC01.EXAMPLE.COM<o:p></o:p></p>
<p class="MsoNormal">auth_param basic children 10<o:p></o:p></p>
<p class="MsoNormal">auth_param basic realm Internet Proxy<o:p></o:p></p>
<p class="MsoNormal">auth_param basic credentialsttl 1 minute<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">### ldap authorisation<o:p></o:p></p>
<p class="MsoNormal">external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid@EXAMPLE.COM -W /etc/squid/.ldappass.txt -f "(&(objectclass=person)(sAMAccountName=$)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h DC01.EXAMPLE.COM<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">### acl for proxy auth and ldap authorizations<o:p></o:p></p>
<p class="MsoNormal">acl our_networks src 172.16.0.0/12 10.0.0.0/8 192.170.0.0/24<o:p></o:p></p>
<p class="MsoNormal">acl INTERNAL dst 172.16.0.0/12 10.0.0.0/8<o:p></o:p></p>
<p class="MsoNormal">acl auth proxy_auth REQUIRED<o:p></o:p></p>
<p class="MsoNormal">acl HEAD method HEAD<o:p></o:p></p>
<p class="MsoNormal">acl RestrictedAccess external memberof "/etc/squid/restricted_access.txt"<o:p></o:p></p>
<p class="MsoNormal">acl FullAccess external memberof "/etc/squid/full_access.txt"<o:p></o:p></p>
<p class="MsoNormal">acl Approved_Domains dstdomain "/etc/squid/acls/approved.txt"<o:p></o:p></p>
<p class="MsoNormal">acl WindowsUpdate dstdomain -i "/etc/squid/acls/windowsupdates.txt"<o:p></o:p></p>
<p class="MsoNormal">acl local-servers dstdomain "/etc/squid/acls/localservers.txt"<o:p></o:p></p>
<p class="MsoNormal">acl RestrictedHost src "/etc/squid/acls/restrictedhost_ip.txt"<o:p></o:p></p>
<p class="MsoNormal">acl bypass_auth src "/etc/squid/acls/bypass_auth_src_ip.txt"<o:p></o:p></p>
<p class="MsoNormal">acl bypass_auth-external dstdomain "/etc/squid/acls/bypass_auth_dst_domain.txt"<o:p></o:p></p>
<p class="MsoNormal">acl blocksites dstdomain "/etc/squid/acls/block_sites.txt"<o:p></o:p></p>
<p class="MsoNormal">acl DIRECT src "/etc/squid/acls/direct_src_ip.txt"<o:p></o:p></p>
<p class="MsoNormal">acl DIRECT-external dstdomain "/etc/squid/acls/direct_dst_domains.txt"<o:p></o:p></p>
<p class="MsoNormal">acl Smartconnect dstdomain ned.webscanningservice.com<o:p></o:p></p>
<p class="MsoNormal">acl Java browser Java/[0-9]<o:p></o:p></p>
<p class="MsoNormal">acl JavaSites dstdomain .gotomeeting.com<o:p></o:p></p>
<p class="MsoNormal">always_direct allow INTERNAL<o:p></o:p></p>
<p class="MsoNormal">always_direct allow local-servers<o:p></o:p></p>
<p class="MsoNormal">cache deny INTERNAL<o:p></o:p></p>
<p class="MsoNormal">cache deny local-servers<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">### squid defaults<o:p></o:p></p>
<p class="MsoNormal">acl manager proto cache_object<o:p></o:p></p>
<p class="MsoNormal">acl localhost src 127.0.0.1/32 ::1<o:p></o:p></p>
<p class="MsoNormal">acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1<o:p></o:p></p>
<p class="MsoNormal">acl SSL_ports port 443 563 33808<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 80 # http<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 21 # ftp<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 443 563 # https<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 70 # gopher<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 210 # wais<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 1025-65535 # unregistered ports<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 280 # http-mgmt<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 488 # gss-http<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 591 # filemaker<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 777 # multiling http<o:p></o:p></p>
<p class="MsoNormal">#allow custom ports<o:p></o:p></p>
<p class="MsoNormal">acl goto_meeting dst 216.115.208.0/20 216.219.112.0/20 66.151.158.0/24 66.151.150.160/27 66.151.115.128/26 64.74.80.0/24 202.173.24.0/21 67.217.64.0/19 78.108.112.0/20 68.64.0.0/19 206.183.100.0/22<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 8200 # gotomeeting<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 31303 33808 # TD Merchant<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 8443 # Symantec SEP Manager<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 8014 # Symantec SEPM Client<o:p></o:p></p>
<p class="MsoNormal">acl SSL_ports port 9443 # pingdevfed<o:p></o:p></p>
<p class="MsoNormal">acl SSL_ports port 9444 # pingdevfed<o:p></o:p></p>
<p class="MsoNormal">acl SSL_ports port 5443 # pingdev<o:p></o:p></p>
<p class="MsoNormal">acl CONNECT method CONNECT<o:p></o:p></p>
<p class="MsoNormal">http_access allow manager localhost<o:p></o:p></p>
<p class="MsoNormal">http_access deny manager<o:p></o:p></p>
<p class="MsoNormal">http_access deny !Safe_ports<o:p></o:p></p>
<p class="MsoNormal">http_access deny CONNECT !SSL_ports<o:p></o:p></p>
<p class="MsoNormal">#http_access deny !memberof<o:p></o:p></p>
<p class="MsoNormal">http_access allow localhost<o:p></o:p></p>
<p class="MsoNormal">http_access allow HEAD<o:p></o:p></p>
<p class="MsoNormal">http_access deny !our_networks<o:p></o:p></p>
<p class="MsoNormal">http_access allow Smartconnect<o:p></o:p></p>
<p class="MsoNormal">http_access deny blocksites all<o:p></o:p></p>
<p class="MsoNormal">http_access allow Approved_Domains<o:p></o:p></p>
<p class="MsoNormal">http_access deny RestrictedHost all<o:p></o:p></p>
<p class="MsoNormal">http_access allow FullAccess auth<o:p></o:p></p>
<p class="MsoNormal">http_access allow Java<o:p></o:p></p>
<p class="MsoNormal">http_access allow WindowsUpdate<o:p></o:p></p>
<p class="MsoNormal">http_access allow bypass_auth<o:p></o:p></p>
<p class="MsoNormal">http_access allow bypass_auth-external<o:p></o:p></p>
<p class="MsoNormal">http_access allow goto_meeting<o:p></o:p></p>
<p class="MsoNormal">http_access allow our_networks all<o:p></o:p></p>
<p class="MsoNormal">http_access allow Java our_networks JavaSites<o:p></o:p></p>
<p class="MsoNormal">http_access allow auth<o:p></o:p></p>
<p class="MsoNormal">http_access deny !auth<o:p></o:p></p>
<p class="MsoNormal">http_access deny all<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">deny_info error-blocksites blocksites<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#Logs to look like apache<o:p></o:p></p>
<p class="MsoNormal">emulate_httpd_log on<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#Level of Log debugging<o:p></o:p></p>
<p class="MsoNormal">debug_options ALL,1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#Log file locations<o:p></o:p></p>
<p class="MsoNormal">cache_log /var/log/squid/cache.log<o:p></o:p></p>
<p class="MsoNormal">access_log /var/log/squid/access.log<o:p></o:p></p>
<p class="MsoNormal">useragent_log /var/log/squid/useragent.log<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#Hostname shown in error pages<o:p></o:p></p>
<p class="MsoNormal">visible_hostname proxy01p<o:p></o:p></p>
<p class="MsoNormal">http_port 3128<o:p></o:p></p>
<p class="MsoNormal">hierarchy_stoplist cgi-bin ?<o:p></o:p></p>
<p class="MsoNormal">coredump_dir /var/spool/squid<o:p></o:p></p>
<p class="MsoNormal">refresh_pattern ^ftp: 1440 20% 10080<o:p></o:p></p>
<p class="MsoNormal">refresh_pattern ^gopher: 1440 0% 1440<o:p></o:p></p>
<p class="MsoNormal">refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<o:p></o:p></p>
<p class="MsoNormal">refresh_pattern . 0 20% 4320<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>
______________________________________________________________________<br>
This email has been scanned by the Symantec Email Security.cloud service.<br>
For more information please visit </span><a href="http://www.symanteccloud.com"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">http://www.symanteccloud.com</span></a><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>
______________________________________________________________________<o:p></o:p></span></p>
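<p class="MsoNormal">The following is an added example for the question raised in the original post and the follow-up above; it is not part of the thread and not Squid's own code. It is a small Python script that splits an external_acl_type line the way Squid does (key=value options and %TOKEN format items first, the rest passed to the helper literally, with no % substitution in squid.conf), diffs that helper command against the one tested by hand, and shows the LDAP filter squid_ldap_group would send for a given login once -S/-K stripping and %v/%g substitution are applied. The two invocations quoted in the thread are embedded as constructed sample input with the poster's paths, DNs and hostnames unchanged. The helper semantics are assumptions modelled from its documented options rather than taken from its source: -S strips a DOMAIN\ or DOMAIN/ prefix, -K strips an @REALM suffix, %v (or %u) in the -f filter is the user and %g (or %a) the group, and -R -K -S -d -P -Z -g take no argument.</p>

```python
import re
import shlex
from typing import Dict, List, Tuple, Union

# Constructed sample input: the hand test and the squid.conf line quoted in the
# original post, and the userPrincipalName variant tried in the follow-up.
CLI_TEST = (
    '/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" '
    '-D Squid@example.com -W /etc/squid/password '
    '-f "(&(objectclass=person)(sAMAccountName=%v)'
    '(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com'
)
UPN_TEST = CLI_TEST.replace('sAMAccountName=%v', 'userPrincipalName=%v')
SQUID_CONF_LINE = (
    'external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group '
    '-R -K -S -b "dc=example,dc=com" -D Squid@EXAMPLE.COM '
    '-W /etc/squid/.ldappass.txt '
    '-f "(&(objectclass=person)(sAMAccountName=$)'
    '(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h DC01.EXAMPLE.COM'
)

# Assumed from the helper's documented usage: these options take no argument.
BARE_FLAGS = {'-R', '-K', '-S', '-d', '-P', '-Z', '-g'}
OPTION_RE = re.compile(r'[a-z0-9_]+=\S*')  # external_acl_type ttl=, children=, ...


def parse_external_acl_type(line: str) -> Tuple[str, List[str], List[str]]:
    """Split a directive into (acl name, %format tokens, helper argv).

    Squid consumes key=value options and %TOKEN items after the name; the first
    other token starts the helper command, which is passed through literally,
    so a '$' or '%v' written in the filter reaches the helper unchanged."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 3 or tokens[0] != 'external_acl_type':
        raise ValueError('not an external_acl_type directive')
    name, fmt, i = tokens[1], [], 2
    while i < len(tokens) and (tokens[i].startswith('%') or OPTION_RE.fullmatch(tokens[i])):
        if tokens[i].startswith('%'):
            fmt.append(tokens[i])
        i += 1
    return name, fmt, tokens[i:]


def helper_options(argv: List[str]) -> Dict[str, str]:
    """Map 'program' and each -x flag to its value ('' for bare flags)."""
    opts, i = {'program': argv[0]}, 1
    while i < len(argv):
        tok = argv[i]
        takes_value = (tok.startswith('-') and tok not in BARE_FLAGS
                       and i + 1 < len(argv) and not argv[i + 1].startswith('-'))
        opts[tok] = argv[i + 1] if takes_value else ''
        i += 2 if takes_value else 1
    return opts


def diff_invocations(cli_cmd: str, conf_line: str) -> Dict[str, Tuple[str, str]]:
    """{flag: (value on the command line, value squid.conf runs)} for each difference."""
    cli = helper_options(shlex.split(cli_cmd))
    conf = helper_options(parse_external_acl_type(conf_line)[2])
    return {k: (cli.get(k), conf.get(k))
            for k in sorted(set(cli) | set(conf)) if cli.get(k) != conf.get(k)}


def filter_placeholders(filter_text: str) -> List[str]:
    """The %x placeholders in a -f filter; without %v or %u the user is never inserted."""
    return sorted(set(re.findall(r'%[A-Za-z]', filter_text)))


def normalize_login(login: str, strip_domain: bool, strip_realm: bool) -> str:
    """Model -S (drop DOMAIN\\ or DOMAIN/ prefix) and -K (drop @REALM suffix)."""
    if strip_domain:
        sep = max(login.rfind('\\'), login.rfind('/'))
        if 0 <= sep < len(login) - 1:
            login = login[sep + 1:]
    if strip_realm and '@' in login:
        login = login[:login.rfind('@')]
    return login


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a login cannot rewrite the filter's structure."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)


def effective_filter(argv: Union[str, List[str]], login: str, group: str) -> str:
    """The search filter squid_ldap_group would send for one 'login group' request."""
    opts = helper_options(shlex.split(argv) if isinstance(argv, str) else argv)
    user = normalize_login(login, '-S' in opts, '-K' in opts)
    out = opts['-f']
    for ph in ('%v', '%u'):
        out = out.replace(ph, ldap_escape(user))
    for ph in ('%g', '%a'):
        out = out.replace(ph, ldap_escape(group))
    return out


if __name__ == '__main__':
    for flag, (cli, conf) in diff_invocations(CLI_TEST, SQUID_CONF_LINE).items():
        print(f'{flag}: command line={cli!r}  squid.conf={conf!r}')
    for cmd in (CLI_TEST, UPN_TEST, parse_external_acl_type(SQUID_CONF_LINE)[2]):
        print(effective_filter(cmd, 'tcraddock@EXAMPLE.COM', 'Full.Access'))
```

<p class="MsoNormal">Run as-is it prints every flag whose value differs between the hand test and what squid.conf starts (case-only differences in -D and -h are reported as well and are usually noise), followed by the filter each of the three commands would send for the request line "tcraddock@EXAMPLE.COM Full.Access". When a hand test returns OK but cache.log shows reply="ERR", the two outputs worth reading first are the -W password file and whether the -f filter that Squid actually passes still contains a user placeholder; note also that with -K in effect the value substituted for %v has its realm removed, whichever attribute the filter compares it against.</p>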
</div>
</body>
</html>