[squid-users] ext_ldap_group_acl not working

alesironi alesironi at yahoo.it
Mon Feb 1 12:27:53 UTC 2016


Amos Jeffries wrote
> On 1/02/2016 11:40 p.m., Alessandro Sironi wrote:
>> 
>> Hello everyone 
>> 
>> I'm a newbie regarding SQUID and in general on Linux. 
>> I have an Active Directory environment (Windows Server 2012 R2) and a
>> Linux Debian 8 Jessie configured in the same network. 
>> My goal is to install SQUID on Debian, integrate with Active Directory
>> using Kerberos and authorise users to use SQUID based on an Active Directory
>> security group membership lookup. 
>> Long story short, I followed the instructions here 
>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid
>> 
>> 
>> My test environment:
>> Active Directory domain: KIDANEMEHRET.LOCAL 
>> test user: KIDANEMEHRET\test-full 
>> Security groups which it is a member of: "Internet Users Full", "Internet
>> Users Standard" 
>> 
>> Test done
>> After having properly configured my test client (Windows 7 joined to the
>> domain), logged on with the test user KIDANEMEHRET\test-full, configured
>> Internet Explorer to use the proxy, what I get every time I try to browse
>> the internet is a SQUID page telling me Access Denied. 
>> 
>> Quick Analysis
>> Having a look at access.log and cache.log (see attached), I understand
>> that user is properly authenticated (I see KIDANEMEHRET\test-full
>> properly written in each log). 
>> For this reason I suspect the problem is in the authorisation part. 
>> 
>> I then try to run from the terminal the program used in SQUID.CONF to check
>> authorisation (based on the wiki too); note that I'm running with sudo
>> because as a standard user I get no access to the password file: 
>> 
> 
> You need to ensure this test is run as the Squid low-privilege user
> account. Not as root via sudo. If the access to passwords file is also
> not working for Squids low-priv user account that could be the problem.
> 
>> sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
>> "dc=kidanemehret,dc=local" -D squid@ -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)
>> (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h
>> domcon.kidanemehret.local test-full Internet%20Users%20Full 
>> I do not get any result: waiting for minutes... 
>> 
> 
> Add the -d option for debug output about what the helper is doing during
> those minutes.
> 
> Amos
> 

That's exactly the problem: if I run the test as a normal user (i.e. no sudo), I
get 
ERROR: Can Not Read Secret File /etc/squid3/ldappass.txt
I imagine I have to modify the security on that file, but how? Sorry for the
dumb question....
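One way to fix the permissions that the error above points at, written as an added example for this thread (it is not from Amos's reply or from the Squid project): the secret file is handed to Squid's low-privilege user and made unreadable to everyone else, then checked. It assumes GNU coreutils `stat` and that Squid runs as the `proxy` user, as Debian's squid3 package does (verify with `cache_effective_user` in squid.conf); both are assumptions.

```shell
# Added example, not from the thread. Fix and verify the permissions of the
# LDAP bind-password file so that Squid's low-privilege user can read it while
# nobody else can. Assumes GNU coreutils `stat` and that Squid runs as the
# `proxy` user, as Debian's squid3 package does (an assumption here).

# Return 0 if FILE is owned by OWNER, readable by the owner and has no
# "other" permission bits at all; return 1 otherwise.
secret_file_mode_ok() {
    file=$1
    owner=$2
    [ -f "$file" ] || return 1
    actual_owner=$(stat -c '%U' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1
    # Keep only the last three octal digits (drops any setuid/sticky digit).
    mode=${mode#"${mode%???}"}
    user_bits=${mode%??}        # first digit: owner
    other_bits=${mode#??}       # last digit: everyone else
    [ "$actual_owner" = "$owner" ] || return 1
    case $user_bits in
        4|5|6|7) ;;             # owner can read
        *) return 1 ;;
    esac
    [ "$other_bits" = "0" ] || return 1
    return 0
}

# Apply the fix on the proxy host (needs root): hand the file to the Squid
# user and strip group/world access.
fix_secret_file() {
    file=$1
    owner=$2
    chown "$owner:$owner" "$file" && chmod 0600 "$file"
}

# Usage on the proxy host (commented out: needs root and the real file):
# fix_secret_file /etc/squid3/ldappass.txt proxy
# secret_file_mode_ok /etc/squid3/ldappass.txt proxy && echo "permissions ok"
# Then re-run the helper as the Squid user rather than as root, with -d for
# debug output, e.g. (hypothetical, adapted from the thread's command line):
# sudo -u proxy /usr/lib/squid3/ext_ldap_group_acl -d -R -K -S \
#     -b "dc=kidanemehret,dc=local" -W /etc/squid3/ldappass.txt ...
```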
