[squid-users] Assistance Needed for Kerberos Authentication with AD Group-Based ACLs in Squid

Enfal Gok enfal.gok2004 at gmail.com
Wed Jan 1 10:34:39 UTC 2025


Dear Squid Support Team,
I am currently configuring Squid to use Kerberos authentication with Active Directory (AD) group-based access control, but I am encountering an issue where the ACLs for AD groups are not being applied correctly. Below are the details of my setup and the challenges I am facing:
Setup Details:

  1. Kerberos:
     *   Kerberos authentication is working successfully.
     *   The service principal and keytab are correctly configured, and the kinit command works as expected.
  2. LDAP:
     *   LDAP connectivity is functional. I can successfully query the Active Directory using ldapsearch:

ldapsearch -x -H ldap://172.16.10.254 -D "CN=Administrator,CN=Users,DC=demo,DC=local" -w Passw0rd -b "DC=demo,DC=local" "(sAMAccountName=jon.jones)"


     *   The output includes the correct memberof attributes showing the user's group memberships.
  3. Squid Configuration:
I have configured Squid for LDAP group-based access control as follows:

external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R \
    -b "DC=demo,DC=local" \
    -D "CN=Administrator,CN=Users,DC=demo,DC=local" \
    -w Passw0rd \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,CN=Users,DC=demo,DC=local))" \
    -h 172.16.10.254

acl FullAccess external ldap_group FullAccess
acl Restricted external ldap_group Restricted
acl Filtered external ldap_group Filtered
acl Blocked external ldap_group Blocked

http_access deny Blocked
http_access allow FullAccess
http_access allow Restricted allowed_sites
http_access deny Restricted
http_access deny Filtered bad_sites
http_access allow Filtered
http_access deny all


  4. What Works:
     *   Kerberos authentication is functioning as expected.
     *   The ext_ldap_group_acl utility works correctly when tested manually:

echo "jon.jones FullAccess" | /usr/lib/squid/ext_ldap_group_acl -R \
    -b "DC=demo,DC=local" \
    -D "CN=Administrator,CN=Users,DC=demo,DC=local" \
    -w Passw0rd \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,CN=Users,DC=demo,DC=local))" \
    -h 172.16.10.254


The output returns OK, indicating that the LDAP group membership is correctly validated.
  5. The Problem:
     *   When users authenticate via Kerberos, the Squid ACLs based on AD groups are not being matched.
     *   All users fall into the default http_access deny all rule, even if they belong to a permitted AD group.
  6. Log Example:
In the cache.log file, I see the following entries:

WARNING: external_acl_type 'ldap_group' queue overload
...
Checklist.cc answer DENIED for match
...
setAuth: WARNING: Graceful closure on conn due to connection-auth erase from ConnStateData::SwanSong cleanup


Request for Assistance:

  *   How can I ensure that Squid properly applies AD group-based ACLs when users authenticate via Kerberos?
  *   Are there specific configurations or known limitations for combining Kerberos authentication with LDAP group validation in Squid?

I would greatly appreciate any guidance or suggestions to resolve this issue. If additional logs or details are needed, please let me know.
Thank you for your support!
Best regards,
Enfal gok
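The following is an added illustration, not code from the post above or from the Squid project. It is a stand-in for ext_ldap_group_acl that speaks the same request/response protocol Squid uses with the external_acl_type line in the post (one "%LOGIN group" line per lookup on stdin, OK or ERR per line on stdout), but evaluates the post's filter template against a small constructed in-memory directory instead of a live AD. The point it makes is the one most likely to bite a Kerberos setup: with Negotiate authentication, %LOGIN arrives as "user@REALM" (or "DOMAIN\user" with NTLM), while the filter compares against sAMAccountName, which carries neither, so a lookup that succeeds when typed by hand as "jon.jones FullAccess" fails once the realm is attached. The real helper has a -K switch to strip the realm (and -S for the NT domain prefix); normalize_login() below reproduces that step so it can be toggled and observed. The directory contents, user names and the escaping helper are all assumptions of this example.

```python
"""Mock of the Squid external ACL helper protocol, evaluating 'user group'
requests against a constructed in-memory directory (no real AD involved)."""
import re
import sys

# Constructed sample data: sAMAccountName -> memberOf DNs. Not real AD content.
DIRECTORY = {
    "jon.jones": ["CN=FullAccess,CN=Users,DC=demo,DC=local"],
    "amy.adams": ["CN=Restricted,CN=Users,DC=demo,DC=local",
                  "CN=Filtered,CN=Users,DC=demo,DC=local"],
}

# Same template the post passes with -f; %v is the login, %a the group name.
FILTER_TEMPLATE = ("(&(objectclass=person)(sAMAccountName=%v)"
                   "(memberof=CN=%a,CN=Users,DC=demo,DC=local))")

# RFC 4515 escaping for values substituted into a search filter, so that a
# login such as 'jon.jones)(cn=*' cannot alter the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def normalize_login(login, strip_realm=True, strip_domain=True):
    """Reduce what Squid hands over as %LOGIN to a bare sAMAccountName.

    Negotiate/Kerberos yields 'user@REALM', NTLM yields 'DOMAIN\\user'; the
    real helper's -K and -S options perform the same two strips."""
    if strip_domain and ("\\" in login or "/" in login):
        login = re.split(r"[\\/]", login, maxsplit=1)[1]
    if strip_realm and "@" in login:
        login = login.split("@", 1)[0]
    return login


def build_filter(user, group):
    return (FILTER_TEMPLATE.replace("%v", ldap_escape(user))
                           .replace("%a", ldap_escape(group)))


def evaluate_filter(filt):
    """Minimal evaluator for the template's two variable assertions.

    A real helper sends the filter to the directory and reports OK when at
    least one entry matches; here the two attribute assertions are pulled out
    of the filter and matched against DIRECTORY. AD compares these values
    case-insensitively, so both sides are lowercased."""
    m_user = re.search(r"\(sAMAccountName=([^)]*)\)", filt)
    m_group = re.search(r"\(memberof=([^)]*)\)", filt)
    if not (m_user and m_group):
        return False
    user_val, group_dn = m_user.group(1).lower(), m_group.group(1).lower()
    for name, dns in DIRECTORY.items():
        if ldap_escape(name).lower() == user_val:
            return any(ldap_escape(dn).lower() == group_dn for dn in dns)
    return False


def handle_request(line, strip_realm=True):
    """One protocol round: '<login> <group>' in, 'OK' / 'ERR' / 'BH ...' out."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return "BH message=malformed request"   # BH: helper could not answer
    login, group = parts
    filt = build_filter(normalize_login(login, strip_realm=strip_realm), group)
    return "OK" if evaluate_filter(filt) else "ERR"


def main():
    # Same loop shape as a real helper: one request per line, flush per answer.
    for line in sys.stdin:
        print(handle_request(line), flush=True)


if __name__ == "__main__":
    main()
```

Run it the same way the post tests the real helper (echo "jon.jones@DEMO.LOCAL FullAccess" | python3 mock_group_acl.py) and compare the answer with strip_realm set to False to see the realm mismatch surface as ERR even though the manual "jon.jones FullAccess" test returns OK. The "queue overload" warning in the post's cache.log is a separate matter of helper pool size (the children-max= option on external_acl_type) rather than of the request format shown here.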
