[squid-users] Squid and AD Group (ext_ldap_group_acl)

Olivier CALVANO o.calvano at gmail.com
Mon Feb 8 10:21:49 UTC 2016


hum in logs:


ext_ldap_group_acl.cc(587): pid=12990 :Connected OK
ext_ldap_group_acl.cc(726): pid=12990 :group filter
'(&(objectclass=person)(sAMAccountName=0)(memberof=CN=ocalvano,OU=Admin,OU=vpn,DC=mydomain,DC=fr))',
searchbase 'DC=mydomain,DC=fr'
ext_ldap_group_acl.cc(726): pid=12990 :group filter
'(&(objectclass=person)(sAMAccountName=0)(memberof=CN=Internet-Access,OU=Admin,OU=vpn,DC=mydomain,DC=fr))',
searchbase 'DC=mydomain,DC=fr'

ext_ldap_group_acl.cc(587): pid=12990 :Connected OK
ext_ldap_group_acl.cc(726): pid=12990 :group filter
'(&(objectclass=person)(sAMAccountName=0)(memberof=CN=Guest,OU=Admin,OU=vpn,DC=mydomain,DC=fr))',
searchbase 'DC=mydomain,DC=fr'
ext_ldap_group_acl.cc(726): pid=12990 :group filter
'(&(objectclass=person)(sAMAccountName=0)(memberof=CN=Internet-Access,OU=Admin,OU=vpn,DC=mydomain,DC=fr))',
searchbase 'DC=mydomain,DC=fr'


user ocalvano is in group Internet-Access but not Guest, and the log says
"Ok"
(or is it only the LDAP connection?)




2016-02-08 11:06 GMT+01:00 Olivier CALVANO <o.calvano at gmail.com>:

> Hi Amos,
>
> Thanks for your help,
>
> but if I don't put the line http_access deny !Group_Allowed, a user not in
> the group connects
> and has access to all of the internet
>
> my config:
>
>
>
> ######################################################################
> # ACL for access rights according to Active Directory
> ######################################################################
> acl Authentification proxy_auth REQUIRED
> http_access deny !Authentification
> acl Group_Allowed external AD_Group Internet-Access
> http_access allow Group_Allowed
> #http_access deny !Group_Allowed
> ######################################################################
>
> #always_direct deny Authentification
> http_access allow Lan
> http_access deny all
>
>
>
>
>
>
> I see that I have a
>
> http_access allow Lan
>
> isn't this the problem?
>
>
>
> 2016-02-07 11:44 GMT+01:00 Amos Jeffries <squid3 at treenet.co.nz>:
>
>> On 7/02/2016 9:39 p.m., Olivier CALVANO wrote:
>> > Hi
>> >
>> > I have a problem with AD Group; I use this config:
>> >
>> >
>> > external_acl_type AD_Group children-startup=5 children-max=100
>> > concurrency=80 ttl=1800 negative_ttl=900 %LOGIN
>> > /usr/lib64/squid/ext_ldap_group_acl -d -S -K -R -b DC=mydomain,DC=fr -D
>> > cn=UserAdmin,ou=vpn,dc=mydomain,dc=fr -w "Pa77word" -f
>> > (&(objectclass=person)
>> > (sAMAccountName=%v)(memberof=CN=%g,OU=Admin,DC=mydomain,DC=fr)) -h
>> > 192.168.10.1
>> >
>> >
>> > acl Group_Allowed external AD_Group Internet-Access
>> > http_access allow Group_Allowed
>> > http_access deny !Group_Allowed
>> >
>> >
>> > When I want to use the proxy, squid requests the login/pass every time
>>
>> To check group membership, Squid must first know what user login
>> credentials are being checked.
>>
>>
>> >
>> > if i change config:
>> >
>> > http_access allow Group_Allowed
>> > http_access deny !Group_Allowed
>>
>> As Group_Allowed uses the %LOGIN format code it will perform 407 auth if it
>> is used on any line and login is not yet provided, or do 407
>> re-authentication whenever it is the last ACL named on a deny line, in order
>> to give the user the chance to provide credentials that will pass the
>> test.
>>
>> In this particular config setup use "deny all" instead of "deny
>> !Group_Allowed".
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
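To see how first-match ordering treats the configurations discussed in this thread, here is an added toy evaluator of http_access lines (not Squid's code and not written by either poster) that models the 407 behaviour Amos describes. The ACL names, the simplified 407 modelling and the sample request are assumptions made for the example.

```python
# Toy model of Squid http_access first-match evaluation (added example, not Squid
# code). Assumed simplifications: an ACL needing credentials (proxy_auth, or an
# external ACL using %LOGIN) challenges with 407 when no login was sent yet, and a
# matching deny line whose last ACL is such an ACL re-challenges with 407 (not 403).
AUTH_ACLS = {"Authentification", "Group_Allowed"}


def parse(config):
    """Collect (action, [acl, ...]) from the http_access lines of a snippet."""
    rules = []
    for line in config.splitlines():
        words = line.split("#", 1)[0].split()  # drop comments, e.g. '#http_access'
        if len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return rules


def evaluate(rules, request):
    """request maps ACL name -> matched; 'login' marks that credentials were sent."""
    for action, acls in rules:
        matched = True
        for acl in acls:
            name = acl.lstrip("!")
            if name in AUTH_ACLS and not request.get("login"):
                return "407"  # no credentials yet: challenge the client
            if acl.startswith("!") == request.get(name, name == "all"):
                matched = False  # this ACL, after negation, did not match
                break
        if matched:
            if action == "deny" and acls[-1].lstrip("!") in AUTH_ACLS:
                return "407"  # denied on an auth-dependent ACL: re-challenge
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # no line matched


POSTED = """http_access deny !Authentification
http_access allow Group_Allowed
#http_access deny !Group_Allowed
http_access allow Lan
http_access deny all"""
SUGGESTED = "http_access deny !Authentification\nhttp_access allow Group_Allowed\nhttp_access deny all"
RECHALLENGE = POSTED.replace("#http_access", "http_access")

# Constructed sample request: authenticated LAN user who is not in Internet-Access.
LAN_NOT_IN_GROUP = {"login": True, "Authentification": True, "Group_Allowed": False, "Lan": True}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("suggested", SUGGESTED), ("deny !Group", RECHALLENGE)):
        print(label, "->", evaluate(parse(cfg), LAN_NOT_IN_GROUP))
```

With the posted ordering the "allow Lan" line decides before "deny all" is reached, with "deny all" in its place the same user is denied, and with "deny !Group_Allowed" active the model returns a 407 re-challenge.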