[squid-users] ext_ldap_group_acl not working
L.P.H. van Belle
belle at bazuin.nl
Mon Feb 1 11:53:00 UTC 2016
Following on from what Amos is saying:

Try this. Remove this line from krb5.conf:

    default_keytab_name = /etc/squid3/PROXY.keytab

and add/create /etc/default/squid with:

    KRB5_KTNAME=/etc/squid3/PROXY.keytab
    export KRB5_KTNAME

then set the ownership and permissions of the keytab:

    chown root:proxy /etc/squid3/PROXY.keytab
    chmod 440 /etc/squid3/PROXY.keytab
Greetz,
Louis
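The keytab handling in the reply above can be verified before restarting the proxy. The script below is an added example, not code from the thread or from the Squid project: it checks that a keytab file has the owner, group and mode Louis recommends, and that the environment file sets and exports KRB5_KTNAME (a value that is set but not exported is not inherited by the helpers, so it is reported separately). The paths and owners from the reply are passed as parameters so the functions can be run against any file; GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the keytab setup from
# Louis's reply. Assumes GNU coreutils (stat -c) as found on Debian.

# check_keytab FILE OWNER GROUP MODE
# Returns 0 when FILE exists, is owned by OWNER:GROUP and has octal mode MODE
# (e.g. 440); otherwise prints each mismatch and returns 1.
check_keytab() {
    file=$1; want_owner=$2; want_group=$3; want_mode=$4
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    # %U/%G are the owner and group names, %a the permission bits in octal.
    have=$(stat -c '%U %G %a' "$file") || return 1
    set -- $have
    rc=0
    [ "$1" = "$want_owner" ] || { echo "owner is $1, want $want_owner"; rc=1; }
    [ "$2" = "$want_group" ] || { echo "group is $2, want $want_group"; rc=1; }
    [ "$3" = "$want_mode" ]  || { echo "mode is $3, want $want_mode"; rc=1; }
    return $rc
}

# env_exports_keytab ENVFILE PATH
# Returns 0 when ENVFILE (e.g. /etc/default/squid) sets KRB5_KTNAME to PATH
# and exports it, so the helpers started by the init script inherit it.
env_exports_keytab() {
    envfile=$1; want=$2
    [ -r "$envfile" ] || { echo "cannot read $envfile"; return 1; }
    # Source the file in a subshell so nothing leaks into this shell.
    got=$( . "$envfile" 2>/dev/null; printf '%s' "${KRB5_KTNAME-}" )
    [ "$got" = "$want" ] || { echo "KRB5_KTNAME is '$got', want '$want'"; return 1; }
    # The assignment alone is not enough; the variable must also be exported.
    grep -Eq '^[[:space:]]*export[[:space:]]+KRB5_KTNAME' "$envfile" \
        || { echo "KRB5_KTNAME is set but not exported in $envfile"; return 1; }
}

# Usage with the paths from the thread:
#   check_keytab /etc/squid3/PROXY.keytab root proxy 440
#   env_exports_keytab /etc/default/squid /etc/squid3/PROXY.keytab
```

Run both checks as root (the keytab is not readable by other users once it is mode 440); a non-zero exit from either one names the setting that differs from the reply.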
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Alessandro Sironi
Sent: Monday 1 February 2016 11:40
To: squid-users at lists.squid-cache.org
Subject: [squid-users] ext_ldap_group_acl not working
Hello everyone
I'm a newbie regarding Squid and Linux in general.
I have an Active Directory environment (Windows Server 2012 R2) and a Debian 8 Jessie Linux box configured on the same network.
My goal is to install Squid on Debian, integrate it with Active Directory using Kerberos, and authorise users to use Squid based on an Active Directory security group membership lookup.
Long story short, I followed the instructions here
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid
My test environment:
Active Directory domain: KIDANEMEHRET.LOCAL
test user: KIDANEMEHRET\test-full
Security groups it is a member of: "Internet Users Full", "Internet Users Standard"
Test done
After having properly configured my test client (Windows 7 joined to the domain), logged on with the test user KIDANEMEHRET\test-full and configured Internet Explorer to use the proxy, what I get every time I try to browse the internet is a Squid page telling me Access Denied.
Quick Analysis
Having a look at access.log and cache.log (see attached), I understand that the user is properly authenticated (I see KIDANEMEHRET\test-full properly written in each log).
For this reason I suspect the problem is in the authorisation part.
I then try to run from the terminal the program used in squid.conf to check authorisation (based on the wiki too); note that I'm running it with sudo, because otherwise, as a standard user, I have no access to the password file:

    sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" -D squid@kidanemehret.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h domcon.kidanemehret.local test-full Internet%20Users%20Full

I do not get any result: it waits for minutes...
I tried using KIDANEMEHRET\test-full instead of test-full, without success.
Most likely the problem is here.
Do you have any suggestion on how to proceed next?
Here you can find ACCESS.LOG, CACHE.LOG, KRB5.CONF and SQUID.CONF
http://1drv.ms/1nHDRXH
Thanks in advance
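Squid external ACL helpers such as ext_ldap_group_acl are written to be driven by Squid, not typed at: they read one "user group" request per line on standard input and answer OK or ERR on standard output, and the group names arrive percent-encoded (the Internet%20Users%20Full seen in the command above). The wrapper below is an added example, not code from the thread or from the Squid project: it feeds a single request to any helper command over stdin with a timeout, so an authorisation check can be repeated from the terminal without the shell sitting on a helper that is waiting for input or for a slow directory server. The helper path, user and group are parameters; a constructed stand-in helper is used to exercise it, the real one would be the ext_ldap_group_acl invocation from the post.

```shell
#!/bin/sh
# Added example (not from the thread): drive a Squid external ACL helper
# through its stdin/stdout protocol with a timeout. Assumes GNU coreutils
# (timeout, mktemp) as found on Debian.

# Percent-encode spaces the way Squid hands group names to the helper.
encode_group() {
    printf '%s' "$1" | sed 's/ /%20/g'
}

# ask_helper USER GROUP SECONDS HELPER [HELPER_ARGS...]
# Sends "USER GROUP" to HELPER on stdin and prints the first word of its
# reply. Returns 0 for OK, 1 for any other verdict (ERR, BH), and 2 when no
# reply arrived within SECONDS.
ask_helper() {
    user=$1; group=$(encode_group "$2"); secs=$3; shift 3
    out=$(mktemp) || return 2
    # One request line followed by EOF: the helper answers once and exits.
    # The timeout is what keeps a helper that blocks from blocking us too.
    if printf '%s %s\n' "$user" "$group" | timeout "$secs" "$@" >"$out" 2>/dev/null; then
        status=0
    else
        status=$?
    fi
    verdict=$(head -n 1 "$out" | cut -d' ' -f1)
    rm -f "$out"
    if [ "$status" -eq 124 ] || [ -z "$verdict" ]; then
        echo "no reply within ${secs}s"
        return 2
    fi
    echo "$verdict"
    [ "$verdict" = "OK" ]
}

# Usage with the helper from the post (run as root so the password file is readable):
#   ask_helper test-full "Internet Users Full" 10 \
#       /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" \
#       -D squid@kidanemehret.local -W /etc/squid3/ldappass.txt -f "<filter>" -h domcon.kidanemehret.local
```

Exit code 2 ("no reply") separates a helper that cannot reach or bind to the directory from a helper that reached it and answered ERR; the two cases call for different next steps (network/credentials versus the filter and group DN).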