[squid-users] Squid 3.5.1 NTLM and LDAP
Amos Jeffries
squid3 at treenet.co.nz
Thu Feb 12 08:49:56 UTC 2015
On 12/02/2015 1:35 a.m., Rich549 wrote:
> *Ok, I've made all of the advised changes and it still didn't work.
>
> I've just tried pasting my helper command into command prompt and it just
> seems to hang. I tried the following:*
>
The helper takes -b string as the base DN and appends the dynamic -f
string to it.
You have configured this as the ACL test:
# Allow Members of Internet Users To Anywhere Not Explicitly Denied
acl InetAllow external internet_domain_group Internet_Users
So "Internet_Users" is the name of the group being checked for using
the internet_domain_group helper. %g will always be "Internet_Users"
when testing this ACL; %u will change with each user login, as it's their
username value.
> -----
> D:\Squid>d:/Squid/lib/squid/ext_ldap_group_acl.exe -d -S -b
> "ou=Domain_Groups,dc=domain-uk,dc=com" -f %g=Internet_Users -h
> srvham09.domain-uk.com
>
That queries server srvham09.domain-uk.com for:
ou=Domain_Groups,dc=domain-uk,dc=com,Internet_Users=Internet_Users
> D:\Squid>d:/Squid/lib/squid/ext_ldap_group_acl.exe -d -S -b
> "ou=Domain_Groups,dc=domain-uk,dc=com" -f Internet_Users -h
> srvham09.domain-uk.com
That queries server srvham09.domain-uk.com for:
ou=Domain_Groups,dc=domain-uk,dc=com,Internet_Users
>
> D:\Squid>d:/Squid/lib/squid/ext_ldap_group_acl.exe -d -b
> "ou=Domain_Groups,dc=domain-uk,dc=com" -f %u "Internet_Users" -h
> srvham09.domain-uk.com
-f only takes one argument, so that queries servers Internet_Users and
srvham09.domain-uk.com for:
ou=Domain_Groups,dc=domain-uk,dc=com,<username>
>
> D:\Squid>d:/Squid/lib/squid/ext_ldap_group_acl.exe -d -b
> ou=Domain_Groups,dc=domain-uk,dc=com -f %u %g=Internet_Users -h
> srvham09.domain-uk.com
-f only takes one argument, so that queries servers %g=Internet_Users and
srvham09.domain-uk.com for:
ou=Domain_Groups,dc=domain-uk,dc=com,Internet_Users=Internet_Users
>
> D:\Squid>d:/Squid/lib/squid/ext_ldap_group_acl.exe -v 2 -d -b
> ou=Domain_Groups,dc=domain-uk,dc=com -f Internet_Users -h
> srvham09.domain-uk.com
That queries server srvham09.domain-uk.com using LDAPv2 for:
ou=Domain_Groups,dc=domain-uk,dc=com,Internet_Users
Do any of the above LDAP syntaxes look right to you?
I suspect you want some code like ou=%g in the filter.
Only you know what the actual AD directory structure is, and I'm not
very clued up on what the LDAP kv-pairs mean, sorry. So that is just a
guess that I hope will point you in the right direction.
> -----
>
> *I'm also seeing the following in the cache.log each time I try to access a
> webpage as a user who is a member of Internet_Users, is this anything to be
> concerned about?*
> ----
> 2015/02/11 12:21:47 kid1| helperOpenServers: Starting 1/80 'ntlm_fake_auth'
> processes
Squid starts helpers incrementally as they are needed nowadays. You can
expect 80 of those mostly when you restart Squid. Messages about dying
helpers are the sign of problems.
> 2015/02/11 12:21:47 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
That's okay, I think. Squid is attempting to drop security privileges but
can't. Some OS seem to do it automatically, then complain when it's done
explicitly.
> ----
>
> *And now, just to top things off I have errors in the cache.log stating:*
>
> d:/Squid/lib/squid/ext_ldap_group_acl.exe: (6) No such device or address
That is an OS error being hit by the helper. Probably when it tries to
contact the LDAP servers "Internet_Users" or "%g=Internet_Users" in your
tests above.
Amos
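For readers landing on this thread with the same problem, here is what a working configuration for this helper generally looks like. It is an added example, not the poster's configuration and not part of Amos's reply. It reuses the host and OU names from the thread but assumes a dedicated read-only bind account (cn=squid-ldap,ou=Service_Accounts,...), a secret file at d:/Squid/etc/ldap.secret, and a standard Active Directory schema where user objects carry sAMAccountName and memberOf. The placeholder letters inside -f follow the helper's own documentation (%v or %u for the login name, %a or %g for the group name handed over from the acl line); confirm them against the usage text your build prints before relying on them, because the thread shows what happens when %u/%g are passed outside a single quoted filter.

```squid
# squid.conf fragment (added example, not the original poster's config).
#
# Assumptions: a read-only bind account, its password in a file readable only
# by the Squid service account, and users/groups under the OUs named above.
# The whole -f filter is ONE argument, so it is wrapped in double quotes;
# -b is only the search base, the filter is what actually selects entries.

external_acl_type internet_domain_group ttl=300 negative_ttl=60 children-max=20 %LOGIN \
    d:/Squid/lib/squid/ext_ldap_group_acl.exe \
    -v 3 \
    -S \
    -h srvham09.domain-uk.com \
    -b "dc=domain-uk,dc=com" \
    -s sub \
    -D "cn=squid-ldap,ou=Service_Accounts,dc=domain-uk,dc=com" \
    -W d:/Squid/etc/ldap.secret \
    -f "(&(objectClass=user)(sAMAccountName=%v)(memberOf=cn=%a,ou=Domain_Groups,dc=domain-uk,dc=com))"

# %LOGIN becomes the first token on the helper's stdin line, the acl's extra
# argument ("Internet_Users") becomes the second, i.e. the helper sees
# "jsmith Internet_Users" (after -S strips DOMAIN\ from the NTLM login) and
# answers OK or ERR. The group name is spliced into cn=%a,... so the memberOf
# comparison is made against the group's full DN, as AD requires.
acl InetAllow external internet_domain_group Internet_Users

http_access allow InetAllow
http_access deny all

# Manual check from a command prompt: same arguments as above plus -d for
# debug output on stderr, one "user group" line on stdin, expect OK or ERR.
# (Written as a comment here so the fragment stays a valid squid.conf.)
#   echo jsmith Internet_Users| d:/Squid/lib/squid/ext_ldap_group_acl.exe -d -v 3 -S -h srvham09.domain-uk.com -b "dc=domain-uk,dc=com" -s sub -D "cn=squid-ldap,ou=Service_Accounts,dc=domain-uk,dc=com" -W d:/Squid/etc/ldap.secret -f "(&(objectClass=user)(sAMAccountName=%v)(memberOf=cn=%a,ou=Domain_Groups,dc=domain-uk,dc=com))"
```

Two practitioner caveats. First, prefer -W (password file) over -w (password on the command line): anything in argv is visible in the process list to every local user, and it ends up in cache.log when helpers are logged. Second, a simple bind over plain port 389 sends that password in clear to the domain controller; if your helper build reports a -Z (StartTLS) option in its usage text, enable it, otherwise restrict the bind account to read-only group lookups so a captured credential is worth as little as possible.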