[squid-users] Too many AD group and squid kerberos auth problem

Jok Thuau jok at spikes.com
Tue Aug 30 17:08:27 UTC 2016


On Tue, Aug 30, 2016 at 4:05 AM, alberto <alberto.furia at gmail.com> wrote:

> Hi all,
> I have a squid3 installation with kerberos ldap groups authentication.
> Everything works like a charm except for one of my user that belongs to
> too many groups (more than 50): this user can not browse any site because
> of authentication problem.
> I always see TCP_DENIED/407 in the squid log file for that user.
>
> Is there a parameter that I can change in the squid.conf file to increase
> the number of groups allowed during authentication?
> FYI I'm on Debian Jessie and using this kerberos configuration
>
>
If you are using group membership authorization purely to allow/deny access
globally (rather than for specific sites), you can tweak your filter to
accomplish that...


> ====squid.conf snippet=======
>

 [snip]


> ################# Basic Auth ########################
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -D
> srvc_squid at example.lcl -W /etc/squid3/ldappwd.txt -h "example.lcl" -b
> "OU=root,DC=EXAMPLE,DC=LCL" -s sub -f (&(objectClass=Person)(
> sAMAccountName=%s))
>

This filter (after "-f") could be tweaked like this (closing parenthesis for the outer "&" added so the filter is balanced):
(&(objectClass=Person)(sAMAccountName=%s)(|(memberOf=CN=group1,OU=somewhere,dc=EXAMPLE,dc=LCL)(memberOf=CN=group2,OU=somewhere,dc=EXAMPLE,dc=LCL)))

That would allow the user to log in if they are a member of either group.
(That syntax/schema is for AD; feel free to adjust as needed.)
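As an added illustration (not code from the thread or from Squid), the snippet below builds the `-f` filter for basic_ldap_auth from a list of group DNs, escapes the DN values per RFC 4515, and checks that the parentheses balance, which is the kind of mistake that is easy to make when hand-editing a long filter. It also shows the Active Directory nested-membership form (`memberOf:1.2.840.113556.1.4.1941:=`), since a plain `memberOf=` clause only matches direct members. The group DNs are constructed placeholders in the example.lcl domain from the post; `%s` is left literal because the helper substitutes the supplied username for it.

```python
"""Build and sanity-check an LDAP filter for squid's basic_ldap_auth -f option.

Added example, not code from the original thread or from Squid. Group DNs
below are constructed placeholders; replace them with your own.
"""

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Active Directory matching rule for transitive (nested) group membership.
AD_IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a literal value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(group_dns, nested=False, login_placeholder="%s") -> str:
    """Return a filter matching a Person whose sAMAccountName is the login
    placeholder (basic_ldap_auth substitutes the username for %s) and who is
    a member of at least one of the given groups.

    nested=True uses the AD in-chain matching rule so membership through
    nested groups also matches. With one group the OR wrapper is omitted;
    with none, only the Person/sAMAccountName clauses remain.
    """
    attr = f"memberOf:{AD_IN_CHAIN_OID}:" if nested else "memberOf"
    member_clauses = "".join(
        f"({attr}={escape_filter_value(dn)})" for dn in group_dns
    )
    if len(group_dns) > 1:
        member_clauses = f"(|{member_clauses})"
    return (
        f"(&(objectClass=Person)(sAMAccountName={login_placeholder})"
        f"{member_clauses})"
    )


def is_balanced(filter_text: str) -> bool:
    """True if every '(' has a matching ')' and none closes early.

    Escaped parentheses (\\28, \\29) are plain characters here, so the raw
    count is correct as long as values went through escape_filter_value().
    """
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    groups = [
        "CN=group1,OU=somewhere,DC=EXAMPLE,DC=LCL",  # constructed placeholder
        "CN=group2,OU=somewhere,DC=EXAMPLE,DC=LCL",  # constructed placeholder
    ]
    for nested in (False, True):
        flt = build_auth_filter(groups, nested=nested)
        print(f"nested={nested} balanced={is_balanced(flt)}")
        print(f'  -f "{flt}"')
```

Paste the printed filter after `-f` on the `auth_param basic program` line. Keeping the group list short and explicit is the point of the approach in the reply: the directory evaluates membership on the server side, so the helper never has to enumerate every group the user belongs to.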