[squid-users] Squid doesn't notice AD group changes
Eliezer Croitoru
ngtech1ltd at gmail.com
Thu Jan 21 23:14:37 UTC 2021
Have You tried to use external_acl_type for group membership checks?
Something like this should do the trick:
external_acl_type ad_group_member_check ttl=120 %LOGIN /usr/lib/squid/ext_ldap_group_acl -d -R -K -S -b "dc=ng,dc=tech" -D squid@ng.tech -W /etc/squid/ldappass.txt -f "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Groups,DC=ng,DC=tech))" -h ngtech-dc.ng.tech
Eliezer
----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon
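Added here as an illustration, not code from the thread, from Squid or from ext_ldap_group_acl: a small Python stand-in for the helper in the external_acl_type line above. It speaks the helper protocol Squid uses for external ACLs (one request line per lookup, "[channel-id] <login> <group> [<group>...]", answered with "[channel-id] OK|ERR|BH"), strips the Kerberos realm and NT domain the way the -K and -S options do, and models the per-helper result cache behind ttl=120 (and negative_ttl, which defaults to ttl) so the staleness window after a group move is visible. The directory contents, user and group names are constructed for the example; a real helper would query LDAP instead of a dictionary.

```python
"""Squid external ACL group helper with a TTL'd result cache (added example,
not from the thread or from Squid).

Squid writes one request per line to the helper's stdin and reads one reply
line per request from stdout. Group membership here comes from a constructed
in-memory directory standing in for AD; a real helper queries LDAP.
"""
import sys
import time

# Constructed sample directory (hypothetical; stands in for AD/LDAP).
DIRECTORY = {
    "testuser1": {"TestGroup1"},
    "testuser2": {"Testgroup2"},
}


def normalize_login(login):
    """Approximate ext_ldap_group_acl -K (strip Kerberos realm) and -S (strip
    NT domain): 'NG\\TestUser1@NG.TECH' -> 'testuser1' (AD names are
    case-insensitive, so fold to lower case)."""
    login = login.split("@", 1)[0]
    login = login.rsplit("\\", 1)[-1]
    return login.lower()


def is_member(login, groups, directory=DIRECTORY):
    """ext_ldap_group_acl semantics: OK if the user is in ANY listed group."""
    user_groups = directory.get(normalize_login(login), set())
    return any(g in user_groups for g in groups)


def handle_request(line, directory=DIRECTORY, concurrent=True):
    """Turn one helper request line into the reply Squid expects."""
    fields = line.strip().split()
    channel = ""
    # With concurrency=N Squid prefixes each request with a channel id that
    # must be echoed back so replies can be matched to requests.
    if concurrent and fields and fields[0].isdigit():
        channel = fields[0] + " "
        fields = fields[1:]
    if len(fields) < 2:
        # BH = helper failure; Squid treats it as a lookup error, not a deny.
        return channel + 'BH message="expected <login> <group>..."'
    login, groups = fields[0], fields[1:]
    return channel + ("OK" if is_member(login, groups, directory) else "ERR")


class ResultCache:
    """Model of Squid's external ACL result cache. The key is the formatted
    request (%LOGIN value plus the acl's group arguments); a verdict is
    reused until ttl (for OK) or negative_ttl (for ERR, default: ttl) expires,
    so a group move in AD is invisible until the cached entry ages out."""

    def __init__(self, ttl, negative_ttl=None, clock=time.monotonic):
        self.ttl = ttl
        self.negative_ttl = ttl if negative_ttl is None else negative_ttl
        self.clock = clock                  # injectable for testing
        self._entries = {}                  # (login, groups) -> (verdict, expires_at)

    def check(self, login, groups, directory=DIRECTORY):
        key = (login, tuple(groups))
        now = self.clock()
        hit = self._entries.get(key)
        if hit and now < hit[1]:
            return hit[0]                   # served from cache, possibly stale
        verdict = "OK" if is_member(login, groups, directory) else "ERR"
        life = self.ttl if verdict == "OK" else self.negative_ttl
        self._entries[key] = (verdict, now + life)
        return verdict


def main():
    # Squid blocks until it reads the reply, so flush after every line.
    for line in sys.stdin:
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it by hand the same way Squid would drive it: `printf 'TestUser1@NG.TECH TestGroup1\n' | python3 helper.py` prints OK. The ResultCache is the part that matters for the question in this thread: with ttl=120, a user moved from TestGroup1 to Testgroup2 keeps getting the old OK for up to 120 seconds after the last lookup, and with a longer ttl correspondingly longer, regardless of what winbind or the helper itself would answer now.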
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of heimarbeit123.99 at web.de
Sent: Wednesday, January 20, 2021 3:51 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Squid doesn't notice AD group changes
Hello all! :)
I am running Squid 4.1 on the newest Linux Mint with Kerberos SSO (connected to my AD), so I can check for AD groups and therefore block websites and so on. Thanks to the very good documentation, everything looks good so far!
But there is one really big problem: Squid does not recognize AD group membership changes.
What does that mean?
Imagine I have TestUser1, TestGroup1 and Testgroup2 in my AD. If I join TestUser1 to TestGroup1, everything is working (the first time ever this specific user becomes a member of one of these two groups). SSO works and the forbidden websites get blocked. So far so good ;)
But if I remove TestUser1 from TestGroup1 and make him a member of Testgroup2, shit is about to hit the fan!
After some seconds (winbind cache time = 30 in smb.conf) winbind recognizes that TestUser1 is not a member of TestGroup1 anymore, but now is a member of Testgroup2. But Squid doesn't!! Squid still treats TestUser1 as if he were in TestGroup1.
But if I now add a completely new user TestUser2 to the AD and then to Testgroup2, Squid will treat this user correctly. If I then remove TestUser2 from Testgroup2 and add this user to TestGroup1, same shit again: winbind recognizes the change, but Squid still treats TestUser2 as if he were a member of Testgroup2.
What I tried:
- remove cache (net cache flush, "cache deny all", "no_cache deny all")
- remove Squid with "purge" and reinstall it, still the same problem
Can anyone help???
Remember: everything works with a new user, so I don't think Kerberos is the problem. And winbind recognizes the change, so I think winbind is well configured too. Maybe Squid is caching something (the only explanation for me), but I don't see any caching... Maybe someone had the same issue. It would be awesome if someone could help me!
Regards
Philipp