[squid-users] Fwd: NTLM LDAP authentication problem
Matej Kotras
matejkotras at gmail.com
Mon Nov 16 09:29:33 UTC 2015
Hi guys,
I've managed to get Squid working with AD, authorizing users based on the AD group they are in. I use Squid-Analyzer for producing reports from access.log.
I've found two anomalies with authorization so far. In the access log, I see that a user is authorized based on his PC name (not desired) rather than on the user account name. I've just enabled debugging on the negotiate wrapper, so I will monitor those logs as well.
But in the meantime, have you got any idea why this could happen?
PC NAME AUTH:
1447562119.348 0 10.13.34.31 TCP_DENIED/407 3834 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562119.374 2 10.13.34.31 TCP_DENIED/407 4094 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562239.350 119976 10.13.34.31 TCP_MISS/200 4200 CONNECT clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -
USER NAME AUTH:
1447562039.176 0 10.13.34.31 TCP_DENIED/407 3850 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562039.215 27 10.13.34.31 TCP_DENIED/407 4110 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562041.118 2702 10.13.34.31 TCP_MISS/200 6213 CONNECT lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -
Squid.conf:
#########################################
# Enable KERBEROS authentication #
#########################################
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ICZ --kerberos /usr/lib64/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off
#########################################
# Enable NTLM authentication #
#########################################
#auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ICZ
#auth_param ntlm children 10
#auth_param ntlm keep_alive off
#########################################
# ENABLE LDAP AUTH #
#########################################
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=icz,dc=inventec" -D squid@icz.inventec -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h icz-dc-1.icz.inventec
auth_param basic children 10
auth_param basic realm Please enter user name to access the internet
auth_param basic credentialsttl 1 hour
external_acl_type ldap_group ttl=3600 negative_ttl=0 children-max=50 children-startup=10 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
Thank you
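The log excerpt in the post shows a successful CONNECT recorded under the computer account (icz800639-03$; the trailing "$" is how Active Directory names machine accounts) instead of the logged-on user. That is the signature of a process running as the local system account, outside the user's interactive session, doing Negotiate/NTLM authentication to the proxy, so group-based ACLs and Squid-Analyzer reports end up keyed to the PC rather than to a person. The following Python script is an added example, not code from the post or from the Squid project: it parses native-format access.log records, separates machine-account hits from user hits and unauthenticated 407 challenges, and for each machine-account hit suggests the most recent human user seen from the same client IP (a reporting heuristic only, not an authoritative mapping). The sample records are the six lines quoted in the post, re-joined onto one line each; all function names are my own.

```python
import re

# Squid "native" access.log layout, one record per line:
# timestamp elapsed client result/status bytes method url user hierarchy/peer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: the records quoted in the post, re-joined onto single lines.
SAMPLE_LOG = """
1447562119.348      0 10.13.34.31 TCP_DENIED/407 3834 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562119.374      2 10.13.34.31 TCP_DENIED/407 4094 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562239.350 119976 10.13.34.31 TCP_MISS/200 4200 CONNECT clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -
1447562039.176      0 10.13.34.31 TCP_DENIED/407 3850 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562039.215     27 10.13.34.31 TCP_DENIED/407 4110 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562041.118   2702 10.13.34.31 TCP_MISS/200 6213 CONNECT lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -
"""


def parse_log(text):
    """Parse native-format lines into dicts; blank or malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = float(e["ts"])
        e["elapsed"] = int(e["elapsed"])
        e["bytes"] = int(e["bytes"])
        entries.append(e)
    return entries


def is_machine_account(user):
    """AD computer accounts are named <hostname>$; '-' means no credentials were presented."""
    return user != "-" and user.endswith("$")


def classify(entries):
    """Split records into machine-account hits, user hits and unauthenticated (407) records."""
    buckets = {"machine": [], "user": [], "unauthenticated": []}
    for e in entries:
        if e["user"] == "-":
            buckets["unauthenticated"].append(e)
        elif is_machine_account(e["user"]):
            buckets["machine"].append(e)
        else:
            buckets["user"].append(e)
    return buckets


def attribute_machine_hits(entries):
    """For every machine-account hit, return (client, machine, url, last human user seen
    from that client IP before the hit, or None). Heuristic: a shared or hopping IP breaks it."""
    last_user = {}
    out = []
    for e in sorted(entries, key=lambda x: x["ts"]):
        if e["user"] == "-":
            continue
        if is_machine_account(e["user"]):
            out.append((e["client"], e["user"], e["url"], last_user.get(e["client"])))
        else:
            last_user[e["client"]] = e["user"]
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    buckets = classify(recs)
    for name, items in buckets.items():
        print(f"{name}: {len(items)} record(s)")
    for client, machine, url, suggested in attribute_machine_hits(recs):
        print(f"machine-account hit from {client} as {machine} to {url}; "
              f"last user on that IP: {suggested}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; a growing "machine" bucket for a given client is the thing to watch, since those hits bypass any per-user group ACL and are invisible in per-user reports.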