[squid-users] benefits of using ext_kerberos_ldap_group_aclinstead of ext_ldap_group_acl

Simon Stäheli sis at open.ch
Tue Feb 10 16:16:40 UTC 2015 

>>>> "Amos Jeffries"  wrote in message news:54BE3B5C.8040800 at
>>>> treenet.co.nz...
>>>> 
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>> 
>>>> On 20/01/2015 11:31 p.m., Simon Stäheli wrote:
>>>>> Are there any other benefits in using ext_kerberos_ldap_group_acl
>>>>> instead of ext_ldap_group_acl except the "Netbios name to Kerberos
>>>>> domain name” mappings provided by the -N option. As far as I can
>>>>> tell, this mapping can also easily be done by writing you own
>>>>> helper perl script which is doing the mapping and finally feeds the
>>>>> more common ext_ldap_group_acl helper.
>>>>> 
>>>> Whatever floats your boat. The point of the Addon/Plugin/helpers API
>>>> is that you can use scripts if thy serve your needs better.
>>>> 
>>>> All the usual Open Source benefits of "many eyeballs" and somebody
>>>> else doing code maintenance for you applies to using a bundled helper
>>>> over a custom written one.
>>>> 
>>>> Beyond that the kerberos helper also provides automatic detection of
>>>> which LDAP server to use via mutiple auto-configuration methods.
>>>> 
>>> The idea of the helper was to automate most of the configuration (
>>> ignoring
>>> some performance ) and avoid using a username/password, support users
>>> from
>>> multiple domains. Secondly I wanted check for nested groups which was
>>> not
>>> available in the existing helper and thirdly I also check now against
>>> the
>>> primary group of the user.
>>> 
>> Thank you Markus for your explanations. I played around with
>> ext_kerberos_ldap_group_acl and would like to go into some details:
>> 
>> 1) it is possible to define more than one LDAP server (e.g. for high
>> availability reasons)? The -l parameter allows only one ldap url while
>> -S allows several "server > realm" - mappings.
>> 
> I didn't see the need.  The -l was more for cases when digest or basic auth 
> is used and I do not know the domain to check against.  So a fallback 
> option.
My idea was to have a backup ldap / active directory server. Assumed querying _ldap._tcp.REALM returns 3 ldap servers. Are all 3 ldap servers queried successively if a previous is not reachable? And is server defined by the -l parameter being queried if all '_ldap._tcp.REALM' are not reachable?
> 
> 
>> 2) It is correct, that compared to ext_ldap_group_acl,
>> ext_kerberos_ldap_group_acl does not require a groupname as input (from
>> stdin), because -g -t -T or -D control the group name?!
>> 
> You have two options with ext_kerberos_ldap_group_acl  as input or as -g .. 
> control
Thx, very helpful.
> 
>> 3) What is the use case for defining -g GROUP@? What is the difference
>> to -g GROUP (without @)
>> 
> -g GROUP is for all users including the once with nor provided domain
Thx, this is clear now as well
> 
> The an pages describe it a bit under Note:
> 
> 1) For user at REALM
>    a) Query DNS for SRV record _ldap._tcp.REALM
>    b) Query DNS for A record REALM
>    c) Use LDAP_URL if given
> 
> 2) For user
>    a) Use domain -D REALM and follow step 1)
>    b) Use LDAP_URL if given
> 
> The Groups to check against are determined as follows:
> 
> 1) For user at REALM
>    a)  Use  values  given  by -g option which contain a @REALM e.g. -g
> GROUP1 at REALM:GROUP2 at REALM
>    b) Use values given by -g option which contain a  @  only  e.g.  -g
> GROUP1@:GROUP2@
>    c)  Use values given by -g option which do not contain a realm e.g.
> -g GROUP1:GROUP2
> 
> 2) For user
>    a) Use values given by -g option which do not contain a realm  e.g.
> -g GROUP1:GROUP2
> 
> 3) For NDOMAIN\user
>    a) Use realm given by -N NDOMAIN at REALM and then use values given by
> -g option which contain a @REALM e.g. -g GROUP1 at REALM:GROUP2 at REALM
> 
> 
> 
>> 4) The "query DNS for SRV record _ldap._tcp.REALM" mechanism seems no to
>> work for me although the DNS server is configured correctly and querying
>> with "dig SRV _ldap._tcp.REALM" works fine. Anything to consider here?
>> _ldap._tcp.REALM SRV query was never sent so far.
>> 
> I would not see an obvious reason.   Does -d show any hints ?  I can only 
> imagine that REAM is not what is send by the client.
It think I do not fully understand how the determination of the ldap server works. How is the dns query for SRV _ldap._tcp.REALM related to the missing Kerberos configuration? Why does the helper need the principal from the keytab? I am also a bit confused about the _ldap._tcp and the _kerberis._tcp queries. Can you give me an idea how this determination works step for step?
> 
>> 5) Similar issues with the Kerberos feature. Keytab und Kerberos config
>> are available and exported, but the helper only says:
>> support_ldap.cc(888): DEBUG: Setup Kerberos credential cache
>> support_ldap.cc(897): DEBUG: Kerberos is not supported. Use
>> username/password with ldap url instead
>> 
> The message support_ldap.cc(897): DEBUG: Kerberos is not supported. means 
> your Kerberos installation is not fully available. It means HAVE_KRB5 is not 
> set ( maybe header files were missing).
> 
>> Instead of that I found a dns SRV _kerberos._udp.REALM query which was
>> actually answered by the dns. I assume this is related to the Kerberos
>> feature?
> yes it is. It is a way to find the kdc.
> 
>> 6) It is possible to use the helper when DNS service is not reachable?
>> Got some error messages during testing:
>> 
>> kerberos_ldap_group: DEBUG: Canonicalise ldap server name
>> 213.156.236.111:3268
>> kerberos_ldap_group: ERROR: Error while resolving ip address with
>> getnameinfo: Temporary failure in name resolution
>> kerberos_ldap_group: DEBUG: Error during initialisation of ldap
>> connection: Success
>> 
> If you add a line to your hosts file and use the approriate nsswitch.conf it 
> should work.  You can also add a line to the hosts file for the domain for 
> the case the SRV record fails.
Thx for the hint regarding nsswitch.conf
> 
>> Beside this tiny issues the helper works excellent (tested with basic,
>> NTLM and Kerberos authentication). I am just trying to discover the
>> whole potential. Thank you very much for any responses.
>> 
>> Regards
>> Simon
>> 
> Regards
> Markus
> 
>>>> If you can demonstrate that the ext_kerberos_ldap_group_acl does
>>>> provides a superset of the functionality of ext_ldap_group_acl helper
>>>> then I can de-duplicate the two helpers.
>>>> 
>>>> Amos
>>> Regards
>>> Markus
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4030 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150210/d2723a24/attachment.bin>

More information about the squid-users mailing list