[squid-users] ext_ldap_group_acl not working
Amos Jeffries
squid3 at treenet.co.nz
Mon Feb 1 11:25:48 UTC 2016
On 1/02/2016 11:40 p.m., Alessandro Sironi wrote:
>
> Hello everyone
>
> I'm a newbie regarding SQUID and in general on Linux.
> I have an Active Directory environment (Windows Server 2012 R2) and a Linux Debian 8 Jessie machine configured on the same network.
> My goal is to install SQUID on Debian, integrate it with Active Directory using Kerberos and authorise users to use SQUID based on an Active Directory security group membership lookup.
> Long story short, I followed the instructions here
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid
>
>
> My test environment:
> Active Directory domain: KIDANEMEHRET.LOCAL
> test user: KIDANEMEHRET\test-full
> Security groups it is a member of: "Internet Users Full", "Internet Users Standard"
>
> Test done
> After having properly configured my test client (Windows 7 joined to the domain), logged on with the test user KIDANEMEHRET\test-full, configured Internet Explorer to use the proxy, what I get every time I try to browse the internet is a SQUID page telling me Access Denied.
>
> Quick Analysis
> Having a look at access.log and cache.log (see attached), I understand that the user is properly authenticated (I see KIDANEMEHRET\test-full properly written in each log).
> For this reason I suspect the problem is in the authorisation part.
>
> I then try to run from the terminal the program used in SQUID.CONF to check authorisation (based on the wiki too); note that I'm running it with sudo, otherwise as a standard user I get no access to the password file:
>
You need to ensure this test is run as the Squid low-privilege user
account. Not as root via sudo. If the access to the passwords file is also
not working for Squid's low-priv user account that could be the problem.
> sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" -D squid@kidanemehret.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h domcon.kidanemehret.local test-full Internet%20Users%20Full
> I do not get any result: waiting for minutes...
>
Add the -d option for debug output about what the helper is doing during
those minutes.
Amos
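The two checks Amos asks for, as an added example that is not part of the thread or of the Squid project: a small POSIX shell script that first verifies the bind-password file is readable by the Squid service account, then drives ext_ldap_group_acl the way Squid itself does. The helper is an external_acl_type helper, so it takes the request on stdin as a line "user group" (group names URL-encoded, hence Internet%20Users%20Full) and answers OK or ERR on stdout; with -d its progress goes to stderr, which the script collects in a log file. The script assumes Debian's squid3 runs as user proxy (override with SQUID_USER), reuses the poster's paths, bind account, filter and LDAP server, and adds a wall-clock timeout so a hung LDAP connection cannot leave you "waiting for minutes" with no output.

```sh
#!/bin/sh
# Added example, not from the thread or the Squid project.
# Drives ext_ldap_group_acl as the Squid low-privilege user, with -d debug
# output captured, instead of running it as root via sudo.
#
# Assumptions (all overridable through the environment):
#   SQUID_USER  Debian 8 squid3 runs as 'proxy'
#   HELPER/PASSFILE  paths from the poster's squid.conf
SQUID_USER="${SQUID_USER:-proxy}"
HELPER="${HELPER:-/usr/lib/squid3/ext_ldap_group_acl}"
PASSFILE="${PASSFILE:-/etc/squid3/ldappass.txt}"
DEBUG_LOG="${DEBUG_LOG:-/tmp/ldap_group_acl.debug}"
TIMEOUT_SECS="${TIMEOUT_SECS:-30}"

# Run a command under a wall-clock limit so a hung LDAP bind cannot hang the test.
# Falls back to running without a limit where coreutils/busybox 'timeout' is absent.
with_timeout() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$TIMEOUT_SECS" "$@"
    else
        "$@"
    fi
}

# Feed one "user group" request line on stdin to the helper command given in
# $3... and print the first reply line (OK / ERR / BH).  Anything the helper
# writes to stderr (the -d debug trace) is appended to DEBUG_LOG.
query_helper() {
    user=$1 group=$2
    shift 2
    printf '%s %s\n' "$user" "$group" | with_timeout "$@" 2>>"$DEBUG_LOG" | head -n 1
}

# Translate the helper reply into a one-word verdict for scripting.
verdict() {
    case "$1" in
        OK*)  echo allowed ;;
        ERR*) echo denied ;;
        BH*)  echo helper-failure ;;
        '')   echo no-reply ;;   # timeout, or helper exited without answering
        *)    echo unknown ;;
    esac
}

# Check 1: can the Squid user read the bind password?  Running the helper as
# root via sudo hides a permissions problem here, which Squid then hits at runtime.
check_passfile() {
    if sudo -u "$SQUID_USER" test -r "$PASSFILE"; then
        echo "ok: $PASSFILE is readable by $SQUID_USER"
    else
        echo "FAIL: $PASSFILE is not readable by $SQUID_USER (check owner and mode)"
        return 1
    fi
}

# Check 2: the real lookup, as the Squid user, with the poster's options plus -d.
check_group() {
    reply=$(query_helper "$1" "$2" sudo -u "$SQUID_USER" "$HELPER" -d -R -K -S \
        -b "dc=kidanemehret,dc=local" \
        -D "squid@kidanemehret.local" -W "$PASSFILE" \
        -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" \
        -h domcon.kidanemehret.local)
    echo "$1 in $2: $(verdict "$reply") (helper replied: '${reply:-<nothing>}')"
    echo "helper debug trace: $DEBUG_LOG"
}

# Usage: sh check_ldap_group.sh run test-full Internet%20Users%20Full
case "${1:-}" in
    run) shift; check_passfile && check_group "${1:-test-full}" "${2:-Internet%20Users%20Full}" ;;
esac
```

If check_passfile fails, fix the file's owner and mode before looking any further; if it passes but the verdict is no-reply, read the debug trace, which shows whether the helper is stuck connecting to domcon.kidanemehret.local, failing the bind, or simply waiting on stdin because no request line reached it.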