[squid-users] URL access based on AD group membership
Nilesh Gavali
nilesh.gavali at tcs.com
Tue Jun 21 11:43:18 UTC 2016
Hello Eliezer,
I was able to achieve what was required with the link below, thanks to you and Amos for the
support...
Thanks & Regards
Nilesh Suresh Gavali
From: Eliezer Croitoru <eliezer at ngtech.co.il>
To: 'Nilesh Gavali' <nilesh.gavali at tcs.com>,
squid-users at lists.squid-cache.org
Date: 21/06/2016 07:47
Subject: RE: [squid-users] URL access based on AD group membership
Hey,
The first place to find documents is at:
http://www.squid-cache.org/Versions/v3/3.5/cfgman/external_acl_type.html
But you are not the first to encounter Squid and not understand a couple of
basics.
As with any complex piece of software, you can just ask publicly or
privately.
Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
Behalf Of Nilesh Gavali
Sent: Monday, June 20, 2016 8:58 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] URL access based on AD group membership
Hello Amos;
Is there a simpler way to tackle this, as I am not a Linux guy and am not sure
how to write any helper program which needs to be called?
Regards;
Nilesh Gavali
> Thanks, Eliezer, for the reply.
> It is working perfectly for me now with the below command; the -d option
> gives helpful debug info to troubleshoot.
>
> external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group -P -R
> -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -w 123456789 -f
> "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=IN))"
> -h abcd.gov.in -s sub -v 3 -d
>
> Currently I have configured Squid with AD Kerberos auth. URL access is also
> restricted based on AD group membership.
>
> Now what I observed is that when I add any user to one of the AD groups which
> are allowed in Squid, it is not accepting the changes until I restart the
> Squid service.
Your external_acl_type has a 1 hour response cache. Meaning it will take
a minimum of 1 hour for any changes to the AD group settings to be
passed on to Squid.
>
> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s
> HTTP/proxy02.abcd.gov.in@ABCD.GOV.IN
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> auth_param basic credentialsttl 2 hours
NP: settings for Basic authentication do not have any effect on
non-Basic types of authentication.
There is no TTL for Kerberos user credentials. They are valid for as
long as the TCP connection to the proxy is open. Any change in the
Kerberos security tokens sent by the client after authentication is
completed will terminate/close the TCP connection.
>
> external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group -P -R
> -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -w 123456789 -f
> "(&(objectclass=person)(userPrincipalName=%u)(memberof=cn=%g,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=IN))"
> -h abcd.gov.in -s sub -v 3 -d
>
Since your helper names were outdated 6 years ago I assume you are using
Squid-3.1 or older:
<http://www.squid-cache.org/Versions/v3/3.1/cfgman/external_acl_type.html>
Note the default values for ttl= , negative_ttl=, and grace=
Amos
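
The ttl= and negative_ttl= options Amos points to, applied to the working external_acl_type line from this thread. This is an added example, not part of the original messages; the TTL values and the secret-file path are assumptions, and -W reads the bind password from a file instead of passing it with -w.

```conf
# Constructed example, not from the thread. ttl=300, negative_ttl=30 and the
# secret-file path /etc/squid/ldap_bind.secret are illustrative assumptions.
#
# As posted, the line carries no ttl= options, so positive and negative
# helper answers are both cached for the default of 3600 seconds:
#   - a user newly added to the AD group stays denied until the cached
#     negative answer expires
#   - a user removed from the AD group stays allowed until the cached
#     positive answer expires
#
# Options go between the ACL type name and the %LOGIN format:
#   ttl=300          positive answers re-checked after 5 minutes
#   negative_ttl=30  negative answers re-checked after 30 seconds
#   -W <file>        bind password read from a file (readable only by the
#                    Squid user) instead of -w on the command line
#   -d               dropped here; it is only needed while troubleshooting
external_acl_type AD_Group ttl=300 negative_ttl=30 %LOGIN /usr/lib64/squid/squid_ldap_group -P -R -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -W /etc/squid/ldap_bind.secret -f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=IN))" -h abcd.gov.in -s sub -v 3
```

Check the syntax with `squid -k parse` and apply it with `squid -k reconfigure`. Shorter TTLs mean more LDAP lookups against the directory, so size them to how quickly group changes need to take effect.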