[squid-users] Squid 3.5.1 NTLM and LDAP

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 12 08:49:56 UTC 2015


On 12/02/2015 1:35 a.m., Rich549 wrote:
> Ok, I've made all of the advised changes and it still didn't work.
> 
> I've just tried pasting my helper command into command prompt and it just
> seems to hang.  I tried the following:
> 


The helper takes -b string as the base DN and appends the dynamic -f
string to it.

You have configured this as the ACL test:

  # Allow Members of Internet Users To Anywhere Not Explicitly Denied
  acl InetAllow external internet_domain_group Internet_Users


So the "Internet_Users" is the name of the group being checked for using
the internet_domain_group helper. %g will always be "Internet_Users"
when testing this ACL; %u will change with each user login as it's their
username value.


> -----
> D:\Squid>d:/Squid/lib/squid/ext_ldap_group_acl.exe -d -S -b
> "ou=Domain_Groups,dc=domain-uk,dc=com" -f  %g=Internet_Users -h
> srvham09.domain-uk.com
> 

That queries server srvham09.domain-uk.com for:

  ou=Domain_Groups,dc=domain-uk,dc=com,Internet_Users=Internet_Users


> D:\Squid>d:/Squid/lib/squid/ext_ldap_group_acl.exe -d -S -b
> "ou=Domain_Groups,dc=domain-uk,dc=com" -f Internet_Users -h
> srvham09.domain-uk.com

That queries server srvham09.domain-uk.com for:

  ou=Domain_Groups,dc=domain-uk,dc=com,Internet_Users


> 
> D:\Squid>d:/Squid/lib/squid/ext_ldap_group_acl.exe -d -b
> "ou=Domain_Groups,dc=domain-uk,dc=com" -f %u "Internet_Users" -h
> srvham09.domain-uk.com


-f only takes one argument so that queries servers Internet_Users and
srvham09.domain-uk.com for:

  ou=Domain_Groups,dc=domain-uk,dc=com,<username>

> 
> D:\Squid>d:/Squid/lib/squid/ext_ldap_group_acl.exe -d -b
> ou=Domain_Groups,dc=domain-uk,dc=com -f %u %g=Internet_Users -h
> srvham09.domain-uk.com

-f only takes one argument so that queries servers %g=Internet_Users and
srvham09.domain-uk.com for:

  ou=Domain_Groups,dc=domain-uk,dc=com,Internet_Users=Internet_Users


> 
> D:\Squid>d:/Squid/lib/squid/ext_ldap_group_acl.exe -v 2 -d -b
> ou=Domain_Groups,dc=domain-uk,dc=com -f Internet_Users -h
> srvham09.domain-uk.com


That queries server srvham09.domain-uk.com using LDAPv2 for:

  ou=Domain_Groups,dc=domain-uk,dc=com,Internet_Users



Do any of the above LDAP syntaxes look right to you?
I suspect you want some code like ou=%g in the filter.


Only you know what the actual AD directory structure is, and I'm not
very clued up on what the LDAP kv-pairs mean, sorry. So that is just a
guess that I hope will point you in the right direction.


> -----
> 
> I'm also seeing the following in the cache.log each time I try to access a
> webpage as a user who is a member of Internet_Users, is this anything to be
> concerned about?
> ----
> 2015/02/11 12:21:47 kid1| helperOpenServers: Starting 1/80 'ntlm_fake_auth'
> processes

Squid starts helpers incrementally as they are needed nowadays. You can
expect 80 of those mostly when you restart Squid. Messages about dying
helpers are the sign of problems.


> 2015/02/11 12:21:47 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument

That's okay, I think. Squid is attempting to drop security privileges but
can't. Some OS seem to do it automatically then complain when it's done
explicitly.

> ----
> 
> And now, just to top things off I have errors in the cache.log stating:
> 
> d:/Squid/lib/squid/ext_ldap_group_acl.exe: (6) No such device or address

That is an OS error being hit by the helper. Probably when it tries to
contact the LDAP servers "Internet_Users" or "%g=Internet_Users" in your
tests above.


Amos
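As an added illustration (not code from the thread, nor the helper's own source), this Python script simulates the argument handling described in the reply above: -f takes exactly one word, any leftover word is taken as another LDAP server name, and %u/%g are substituted per "user group" ACL lookup. The option set handled, the HelperArgs/resolve_lookup names and the sample command line reconstructed from the thread are assumptions of this simulation.

```python
import shlex
from dataclasses import dataclass, field

@dataclass
class HelperArgs:
    base_dn: str = ""             # -b
    filter_tpl: str = ""          # -f, one word; %u/%g substituted per lookup
    servers: list = field(default_factory=list)  # -h plus any bare words
    ldap_version: int = 3         # -v
    strip_domain: bool = False    # -S

def parse_helper_cmdline(cmdline: str) -> HelperArgs:
    """Simulated option handling: -f takes exactly one word, and any word
    that is neither an option nor its value is taken as another server."""
    words = shlex.split(cmdline)[1:]        # drop the program path
    args, i = HelperArgs(), 0
    while i < len(words):
        w = words[i]
        if w in ("-b", "-f", "-h", "-v"):   # options that take one value
            val = words[i + 1]
            if w == "-b":
                args.base_dn = val
            elif w == "-f":
                args.filter_tpl = val
            elif w == "-h":
                args.servers.append(val)
            else:
                args.ldap_version = int(val)
            i += 2
        elif w in ("-d", "-S"):             # flags without a value
            args.strip_domain |= (w == "-S")
            i += 1
        else:                               # bare word = extra server name
            args.servers.append(w)
            i += 1
    return args

def resolve_lookup(cmdline: str, user: str, group: str) -> dict:
    """What one 'user group' ACL lookup would send after %u/%g substitution."""
    args = parse_helper_cmdline(cmdline)
    if args.strip_domain and "\\" in user:
        user = user.split("\\", 1)[1]       # -S drops the DOMAIN\ prefix
    return {"servers": args.servers, "base_dn": args.base_dn,
            "ldap_version": args.ldap_version,
            "filter": args.filter_tpl.replace("%u", user).replace("%g", group)}

# Constructed sample: the third command line from the thread, prompt removed.
SAMPLE_CMD = ('d:/Squid/lib/squid/ext_ldap_group_acl.exe -d -b '
              '"ou=Domain_Groups,dc=domain-uk,dc=com" -f %u "Internet_Users" '
              '-h srvham09.domain-uk.com')
```

Running resolve_lookup(SAMPLE_CMD, "DOMAIN\\jsmith", "Internet_Users") shows "Internet_Users" landing in the server list rather than the filter, which is the mistake the reply points out.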

