[squid-users] Assistance Needed for Kerberos Authentication with AD Group-Based ACLs in Squid

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 1 16:55:19 UTC 2025


On 1/01/25 23:34, Enfal Gok wrote:
...
>     *The Problem:*
>       * When users authenticate via Kerberos, the Squid ACLs based on AD
>         groups are not being matched.
>       * All users fall into the default |http_access deny all| rule,
>         even if they belong to a permitted AD group.
>  6.
>     *Log Example:*
>     In the |cache.log| file, I see the following entries:
> 
>     |WARNING: external_acl_type 'ldap_group' queue overload ...


You have more lookups being performed than the helper processes can 
handle. Either they are too slow or too many queries per second are 
happening.


First thing to do (quick workaround) is to expand how many helper 
processes are running, and how many queries they can have queued.

These are done with the "children-max=" option on external_acl_type 
lines. Since you have 4 ACLs sharing the helpers, IMO you should set 
that to 4x the default. Expand as needed if the problem remains.

Avoid "concurrency" as the helper you are using does not (yet) support 
that. If anything, set it to "0" explicitly.



>     Checklist.cc answer DENIED for match ... setAuth: WARNING: Graceful
>     closure on conn due to connection-auth erase from
>     ConnStateData::SwanSong cleanup |
> 
> *Request for Assistance:*
> 
>   * How can I ensure that Squid properly applies AD group-based ACLs
>     when users authenticate via Kerberos?

The ACL and http_access portions of your config look fine to me. At 
least for the LDAP_Group helper you are using.


If you can, try to convert to the newer "note ACL" way of checking groups.

The latest of Kerberos negotiate_kerberos_auth helper should provide the 
"group=" annotations to Squid during the auth credentials check. Then 
you can replace the "external" type ACL with a "note" type, and drop the 
group lookup entirely.

Like so:
"
   acl FullAccess note group SSID-of-FullAccess
   acl Restricted note group SSID-of-Restricted
   acl Filtered note group SSID-of-Filtered
   acl Blocked note group SSID-of-Blocked
"

Where the SSID-of-XX are the values the auth helper produces for those 
groups.




>   * Are there specific configurations or known limitations for combining
>     Kerberos authentication with LDAP group validation in Squid?
> 

Big ones I know of are true for any use of helpers:
  * speed of the lookups,
  * resource overheads of using more processes,
  * HOL blocking for busy proxies.

Unfortunately the LDAP group helper right now ticks all of those checkboxes 
for worst-case usage.



HTH
Amos
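The two approaches Amos describes, written out as a squid.conf fragment. This is an added example, not config from the original thread or from the Squid project; the service principal, LDAP base DN, bind DN, password file path, helper paths, and the group SIDs are all assumed placeholders. Variant A keeps ext_ldap_group_acl and resizes its helper pool; Variant B drops the group helper and matches the "group=" annotations the Kerberos auth helper supplies. Use one or the other, since an ACL name can only be defined once.

```conf
# Added example (not from the original post). Principal, DNs, paths and
# SIDs are placeholders.

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20 startup 5 idle 2
auth_param negotiate keep_alive on
acl AuthUsers proxy_auth REQUIRED

# ---- Variant A: keep the LDAP group helper, but size it for four ACLs ----
# Default children-max is 20. Four ACLs share this one pool, so start at
# 4x (80) and grow it if cache.log still reports "queue overload".
# concurrency=0 is explicit because ext_ldap_group_acl does not support
# concurrent requests. -K strips the @REALM that Kerberos logins carry so the
# sAMAccountName filter below matches.
external_acl_type ldap_group ttl=3600 negative_ttl=60 \
    children-max=80 children-startup=10 children-idle=4 concurrency=0 \
    %LOGIN /usr/lib/squid/ext_ldap_group_acl -K -R -s sub \
    -b "dc=example,dc=com" \
    -D "cn=squid,ou=Service,dc=example,dc=com" -W /etc/squid/ldap.pw \
    -f "(&(objectClass=person)(sAMAccountName=%v)(memberOf=cn=%g,ou=Groups,dc=example,dc=com))" \
    -h dc1.example.com

acl FullAccess external ldap_group FullAccess
acl Restricted external ldap_group Restricted
acl Filtered   external ldap_group Filtered
acl Blocked    external ldap_group Blocked

# ---- Variant B: no group helper; match the helper's group= annotations ----
# Requires a negotiate_kerberos_auth build that emits group= annotations
# (the group SIDs from the Kerberos PAC). Replace the four "external" ACLs
# above with these; the SID values are placeholders.
#acl FullAccess note group S-1-5-21-1111111111-2222222222-3333333333-1101
#acl Restricted note group S-1-5-21-1111111111-2222222222-3333333333-1102
#acl Filtered   note group S-1-5-21-1111111111-2222222222-3333333333-1103
#acl Blocked    note group S-1-5-21-1111111111-2222222222-3333333333-1104

# Access policy is identical for both variants. Authentication is forced
# first so the group ACLs always see a username (or group annotations).
http_access deny !AuthUsers
http_access deny Blocked
http_access allow FullAccess
http_access allow Restricted
http_access allow Filtered
http_access deny all
```

With Variant A, the "queue overload" warning in cache.log is the signal that children-max is still too low; with Variant B there is no external lookup to overload, and the check becomes a string match on annotations Squid already holds for the connection.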


