[squid-users] kerb auth groups KV note acl config
Mike Surcouf
mikes at surcouf.co.uk
Thu Mar 16 10:12:42 UTC 2017
@Amos
Thanks for this
so to recap if I currently have
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 20
auth_param negotiate keep_alive on
external_acl_type InternetAccessBanking %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -u ldaps://aesdc02.surcouf.local:636 -b cn=SSSUsers,dc=surcouf,dc=local -g InternetAccessBanking
I could replace it by
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 20
auth_param negotiate keep_alive
acl InternetAccessBanking note group S-1-5-21-123456789-123456789-123456789-1234
Note where S-1-5-21-123456789-123456789-123456789-1234 is the SID for the group InternetAccessBanking
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: 16 March 2017 09:24
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] kerb auth groups KV note acl config
On 15/03/2017 10:18 p.m., Mike Surcouf wrote:
> This is bulleted as a new feature for v4.
> Yet there is no way to test this without a quick reply letting me know the basic usage.
> Anyone got a snippet on how this is setup
>
[ For TL;DR skip to the end of this mail. All this is first block is
just describing how it works. ]
This should be doable with Squid-3.4+ or at least 3.5. It requires only
the note ACL in squid plus a helper that sends group= response annotations.
It is marked as v4 becasue that is where the first helper with such
support is bundled. You can run that helper with older Squid, for
example by downloading Markus lastest release and building your own helper.
An auth helper which supports it does not needs anything configured by
you. It will "just work" (or not if it lacks annotation support). That
part is just a matter of finding out / ensuring your auth helper
provides the group kv-pairs. The usual command-line tests can probably
show that.
The auth helper by Markus should be producing a set of group=X
annotations automatically, one for each group the user is a member of.
Where the X is what AD calls a "SID" value representing a unique ID for
each group.
After those are received by Squid the note ACL type can be used in
squid.conf to match any of them quickly without an external helper
lookup for the group details. That enables reliable group ACLs anywhere
in squid.conf where they were previously at the mercy of external helper
result timeouts.
In absence of that input from the auth helper, an external_acl_type
helper or *any* helper really :-) can also send the same annotations to
Squid - with the same note ACL config later.
In its current form this is obviously most useful if you know the SID
that group names map to and can configure the note ACL appropriately. I
am hopeful that other helpers may be able to produce named groups or
such. But the values are likely to be specific to whatever the auth
system can provide.
For group lookup and comparison by name (the 'old' way) you can still
use an external helper. As I understand it AD requires two lookups; one
to find the users SID memberships and one to find the group name->SID
mapping for the group(s) being checked - then compare. The first is not
needed if the SID (%note{group}) is passed to the helper instead of
username (%LOGIN).
This part does require v4, and has not been much tested to see where
the %note format code works for external_acl_type helpers (and where
not). YMMV.
IIRC Markus was waiting on support for %note{group} format code on
external_acl_type config lines. But that happened a long while back now.
> -----Original Message-----
> From: Mike Surcouf
>
> Outputting the groups as KV pairs in AD environments on auth seems like a great performance enhancement and will allow me to ditch my ldap lookups.
> Is there any docs on how to set this up?
> Even looking at the source I can't seem to work it out.
> I would like to test and potentially contribute to the DOCS although I am only a git user and bazaar would be new to me so I may just post my experience in this thread.
>
> From what I can see I need to setup a note acl but I am unsure of the key names etc.
Correct. The key name is "group" ;-)
>
> A short example would be great.
>
As far as I am aware it should look like this:
acl blah note group SID-12345-762576257263
request_max_size 1 MB blah
Maybe also the -m flag on the ACL definition if recent changes merged
the group notes into a list.
HTH
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list