[squid-users] benefits of using ext_kerberos_ldap_group_aclinstead of ext_ldap_group_acl
Markus Moeller
huaraz at moeller.plus.com
Mon Feb 9 21:44:45 UTC 2015
>>> "Amos Jeffries" wrote in message news:54BE3B5C.8040800 at
>>> treenet.co.nz...
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 20/01/2015 11:31 p.m., Simon Stäheli wrote:
>>>> Are there any other benefits in using ext_kerberos_ldap_group_acl
>>>> instead of ext_ldap_group_acl except the "Netbios name to Kerberos
>>>> domain name” mappings provided by the -N option. As far as I can
>>>> tell, this mapping can also easily be done by writing you own
>>>> helper perl script which is doing the mapping and finally feeds the
>>>> more common ext_ldap_group_acl helper.
>>>>
>>>
>>> Whatever floats your boat. The point of the Addon/Plugin/helpers API
>>> is that you can use scripts if thy serve your needs better.
>>>
>>> All the usual Open Source benefits of "many eyeballs" and somebody
>>> else doing code maintenance for you applies to using a bundled helper
>>> over a custom written one.
>>>
>>> Beyond that the kerberos helper also provides automatic detection of
>>> which LDAP server to use via mutiple auto-configuration methods.
>>>
>>
>> The idea of the helper was to automate most of the configuration (
>> ignoring
>> some performance ) and avoid using a username/password, support users
>> from
>> multiple domains. Secondly I wanted check for nested groups which was
>> not
>> available in the existing helper and thirdly I also check now against
>> the
>> primary group of the user.
>>
>
>Thank you Markus for your explanations. I played around with
>ext_kerberos_ldap_group_acl and would like to go into some details:
>
>1) it is possible to define more than one LDAP server (e.g. for high
>availability reasons)? The -l parameter allows only one ldap url while
>-S allows several "server > realm" - mappings.
>
I didn't see the need. The -l was more for cases when digest or basic auth
is used and I do not know the domain to check against. So a fallback
option.
>2) It is correct, that compared to ext_ldap_group_acl,
>ext_kerberos_ldap_group_acl does not require a groupname as input (from
>stdin), because -g -t -T or -D control the group name?!
>
You have two options with ext_kerberos_ldap_group_acl as input or as -g ..
control
>3) What is the use case for defining -g GROUP@? What is the difference
>to -g GROUP (without @)
>
-g GROUP is for all users including the once with nor provided domain
The an pages describe it a bit under Note:
1) For user at REALM
a) Query DNS for SRV record _ldap._tcp.REALM
b) Query DNS for A record REALM
c) Use LDAP_URL if given
2) For user
a) Use domain -D REALM and follow step 1)
b) Use LDAP_URL if given
The Groups to check against are determined as follows:
1) For user at REALM
a) Use values given by -g option which contain a @REALM e.g. -g
GROUP1 at REALM:GROUP2 at REALM
b) Use values given by -g option which contain a @ only e.g. -g
GROUP1@:GROUP2@
c) Use values given by -g option which do not contain a realm e.g.
-g GROUP1:GROUP2
2) For user
a) Use values given by -g option which do not contain a realm e.g.
-g GROUP1:GROUP2
3) For NDOMAIN\user
a) Use realm given by -N NDOMAIN at REALM and then use values given by
-g option which contain a @REALM e.g. -g GROUP1 at REALM:GROUP2 at REALM
>4) The "query DNS for SRV record _ldap._tcp.REALM" mechanism seems no to
>work for me although the DNS server is configured correctly and querying
>with "dig SRV _ldap._tcp.REALM" works fine. Anything to consider here?
>_ldap._tcp.REALM SRV query was never sent so far.
>
I would not see an obvious reason. Does -d show any hints ? I can only
imagine that REAM is not what is send by the client.
>5) Similar issues with the Kerberos feature. Keytab und Kerberos config
>are available and exported, but the helper only says:
>support_ldap.cc(888): DEBUG: Setup Kerberos credential cache
>support_ldap.cc(897): DEBUG: Kerberos is not supported. Use
>username/password with ldap url instead
>
The message support_ldap.cc(897): DEBUG: Kerberos is not supported. means
your Kerberos installation is not fully available. It means HAVE_KRB5 is not
set ( maybe header files were missing).
>Instead of that I found a dns SRV _kerberos._udp.REALM query which was
>actually answered by the dns. I assume this is related to the Kerberos
>feature?
yes it is. It is a way to find the kdc.
>
>6) It is possible to use the helper when DNS service is not reachable?
>Got some error messages during testing:
>
>kerberos_ldap_group: DEBUG: Canonicalise ldap server name
>213.156.236.111:3268
>kerberos_ldap_group: ERROR: Error while resolving ip address with
>getnameinfo: Temporary failure in name resolution
>kerberos_ldap_group: DEBUG: Error during initialisation of ldap
>connection: Success
>
If you add a line to your hosts file and use the approriate nsswitch.conf it
should work. You can also add a line to the hosts file for the domain for
the case the SRV record fails.
>Beside this tiny issues the helper works excellent (tested with basic,
>NTLM and Kerberos authentication). I am just trying to discover the
>whole potential. Thank you very much for any responses.
>
>Regards
>Simon
>
Regards
Markus
>>> If you can demonstrate that the ext_kerberos_ldap_group_acl does
>>> provides a superset of the functionality of ext_ldap_group_acl helper
>>> then I can de-duplicate the two helpers.
>>>
>>> Amos
>>
>> Regards
>> Markus
>
More information about the squid-users
mailing list