[squid-users] Squid NTLM AD Group Delay Pools

Garth garth1985 at gmail.com
Thu Aug 4 10:16:04 UTC 2016


Hi All

I am struggling with delay pools and Group AD. I have managed to narrow 
down the problem to the AD Groups. If I do user auth, the delay pool 
works perfectly. I have tried multiple groups from old to new just 
in case. The AD Groups work for normal site access in the http_access 
rules etc.

Is there a known issue with this? Is there a way to confirm the group 
lookup is correct by the squid/winbind?

Squid Cache: Version 3.1.23

Centos 6.8

external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "dc=example,dc=example" -f "(&(sAMAccountName=%v)(memberOf=cn=%a,ou=Security,ou=groups,dc=example,dc=example))" -D test@EXAMPLE.EXAMPLE -w testing -h 192.168.1.254

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 50

acl proxyusers-delaypool external ldap_group proxyusers-delaypool
acl proxyusers-nondelaypool external ldap_group proxyusers-nondelaypool
acl ftp.is url_regex ftp.is.co.za

acl socialsites url_regex "/etc/squid/socialsites.txt"

In the socialsites is the following:

.facebook.com
.facebook.co.za
.facebook.com:443
.youtube.com:443
.googlevideo.
.fbcdn.net
.akamaihd.net
.vimeocdn.com:443

delay_pools 4
delay_class 1 1
delay_class 2 2
delay_class 3 2
delay_class 4 1
delay_parameters 1 244000/552000
delay_parameters 2 524000/525000 524000/525000
delay_parameters 3 244000/254000 244000/254000
delay_parameters 4 244000/552000
delay_access 1 allow socialsites proxyusers-delaypool
delay_access 2 allow proxyusers-nondelaypool
delay_access 3 allow proxyusers-delaypool
delay_access 4 allow ftp.is proxyusers-delaypool

I am testing via wget and proxy input details into the bash profile. I 
can confirm the username appears in the squid logs.

Any ideas?

Thanks

Garth
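
On the question above about confirming the group lookup: this added example (not part of the original post, and not Squid's code) expands the posted -f filter as the squid_ldap_group man page describes, %v to the user name and %a to the group name, so the resulting filter can be compared with what the directory holds. The RFC 4515 escaping, the -S-style domain stripping and the login names are assumptions made for illustration.

```python
# Added example, not Squid source. Assumptions: %v = user name, %a = group name
# (per the helper's man page), RFC 4515 value escaping, and "-S"-style removal
# of a leading DOMAIN\ or DOMAIN/ prefix. Login names below are constructed.

FILTER = ("(&(sAMAccountName=%v)"
          "(memberOf=cn=%a,ou=Security,ou=groups,dc=example,dc=example))")

# RFC 4515: characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_value(value):
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def strip_nt_domain(login):
    """Return the part after the first backslash (or, failing that, slash)."""
    for sep in ("\\", "/"):
        head, found, tail = login.partition(sep)
        if found and tail:
            return tail
    return login


def expand_filter(template, login, group, strip_domain=False):
    """Build the search filter for one "login group" lookup request."""
    user = strip_nt_domain(login) if strip_domain else login
    values = {"%v": escape_value(user), "%a": escape_value(group)}
    out, i = [], 0
    while i < len(template):
        token = template[i:i + 2]
        if token in values:          # single pass: substituted text is never rescanned
            out.append(values[token])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    group = "proxyusers-delaypool"
    for login in ("jsmith", "EXAMPLE\\jsmith"):
        for strip in (False, True):
            print(f"{login!r:20} strip={strip!s:5} "
                  f"{expand_filter(FILTER, login, group, strip)}")
```

If the user name Squid logs carries a DOMAIN\ prefix, the unstripped filter cannot match a bare sAMAccountName value, which is what the -S option of squid_ldap_group is for.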


