Re: helper protocol in 3.4

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 23 Aug 2013 18:14:20 +0100

Apologies, I had a minor error for Heimdal detection.

Markus

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message news:kv7ku6$e5f$1_at_ger.gmane.org...
  Hi Amos,

     I have a very new update to the negotiate helper which should make it unnecessary to do any ldap group lookups for MS Active Directory environments. It would require the new protocol and I would appreciate if you could let me know how to read the kv pairs in an external ACL helper I still need to write.

     As you may know MS adds SIDS of the groups to a Kerberos ticket. I can now extract these groups as a base 64 encoded string, which just need to be compared with in the external ACL helper.

    Here is an example debug output:

  negotiate_kerberos_pac.cc(358): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Got PAC data of lengh 512
  negotiate_kerberos_pac.cc(177): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Found 5 rids
  negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 513
  negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1132
  negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1141
  negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1207
  negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1142
  negotiate_kerberos_pac.cc(247): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-1828870822-1098772068-2592627279
  negotiate_kerberos_pac.cc(268): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
  negotiate_kerberos_pac.cc(316): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Got ExtraSid S-1-5-21-1828870822-1098772068-2592627279-1107
  negotiate_kerberos_pac.cc(438): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Read 512 of 512 bytes
  negotiate_kerberos_auth.cc(431): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiaAQIAAA== group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiabAQAAA== group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiadQQAAA== group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiatwQAAA== group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiadgQAAA== group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiaUwQAAAAAAAA=
  AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== mm_at_WIN2003R2.HOME
  negotiate_kerberos_auth.cc(436): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: DEBUG: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== mm_at_WIN2003R2.HOME

  As you can see I create a list of base64 encoded SIDS (I have also attached some code to convert it if you want to)

  e.g. ./convert_sid AQUAAAAAAAUVAAAAploCbWTufUFPWoiadgQAAA==
  argc: 2 argv: AQUAAAAAAAUVAAAAploCbWTufUFPWoiadgQAAA==
  S-1-5-21-1828870822-1098772068--1702340017-1142

  To configure an external ACL helper an Administrator needs to list the groups (MS only adds Security groups to the ticket afaik) of a user. As an example my mm id has:

  ldapsearch -H ldap://w2k3r2.win2003r2.home:389 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)" memberof
  SASL/GSSAPI authentication started
  SASL username: mm_at_WIN2003R2.HOME
  SASL SSF: 56
  SASL data security layer installed.
  # extended LDIF
  #
  # LDAPv3
  # base <DC=WIN2003R2,DC=HOME> with scope subtree
  # filter: (samaccountname=mm)
  # requesting: memberof
  #

  # Markus Moeller, HomeUsers, win2003r2.home
  dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
  memberOf:: Q0490L/QtdGB0L3RjyxPVT1Hcm91cHMsREM9d2luMjAwM3IyLERDPWhvbWU=
  memberOf: CN=Group2,OU=Groups,DC=win2003r2,DC=home
  memberOf: CN=Group1,OU=Groups,DC=win2003r2,DC=home
  memberOf: CN=Administrators,CN=Builtin,DC=win2003r2,DC=home

  # search reference
  ref: ldap://ForestDnsZones.win2003r2.home/DC=ForestDnsZones,DC=win2003r2,DC=ho
   me

  # search reference
  ref: ldap://DomainDnsZones.win2003r2.home/DC=DomainDnsZones,DC=win2003r2,DC=ho
   me

  # search reference
  ref: ldap://win2003r2.home/CN=Configuration,DC=win2003r2,DC=home

  # search result
  search: 5
  result: 0 Success

  # numResponses: 5
  # numEntries: 1
  # numReferences: 3

  For example the objectsid (This is what is in the kerberos ticket) is also base64 encoded in ldap (this is why I chose to use the encoded form to make the helper a cut and paste exercise)

  ldapsearch -H ldap://w2k3r2.win2003r2.home:389 -s sub -b DC=WIN2003R2,DC=HOME "(cn=Group2)" objectsid
  SASL/GSSAPI authentication started
  SASL username: mm_at_WIN2003R2.HOME
  SASL SSF: 56
  SASL data security layer installed.
  # extended LDIF
  #
  # LDAPv3
  # base <DC=WIN2003R2,DC=HOME> with scope subtree
  # filter: (cn=Group2)
  # requesting: objectsid
  #

  # Group2, Groups, win2003r2.home
  dn: CN=Group2,OU=Groups,DC=win2003r2,DC=home
  objectSid:: AQUAAAAAAAUVAAAAploCbWTufUFPWoiadgQAAA==

  # search reference
  ref: ldap://ForestDnsZones.win2003r2.home/DC=ForestDnsZones,DC=win2003r2,DC=ho
   me

  # search reference
  ref: ldap://DomainDnsZones.win2003r2.home/DC=DomainDnsZones,DC=win2003r2,DC=ho
   me

  # search reference
  ref: ldap://win2003r2.home/CN=Configuration,DC=win2003r2,DC=home

  # search result
  search: 5
  result: 0 Success

  # numResponses: 5
  # numEntries: 1
  # numReferences: 3

  I would appreciate any feedback , comments, improvements.

  Thank you
  Markus

  BTW the patch also contains a fix for peer_proxy_negotiate_auth as it did not compile anymore with the latest heimdal libraries.

  "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message news:kuq8i8$1oa$1_at_ger.gmane.org...
> Hi Amos,
>
> I may have a helper for that case soon.
>
> Thank you
> Markus
>
> "Amos Jeffries" <squid3_at_treenet.co.nz> wrote in message
> news:52106190.2030403_at_treenet.co.nz...
>> On 18/08/2013 9:32 a.m., Markus Moeller wrote:
>>> Hi,
>>>
>>> I am look at a way to provide information in addition to the username
>>> from the auth helper to the external acl helper
>>>
>>> Can I use kv pairs in squid 3.4 ? I see there is a kv pair group= . Does
>>> it mean the auth helper can return details which will be used by the
>>> external acl helper ?
>>>
>>> Thank you
>>> Markus
>>>
>>
>> Yes kv-pairs are supported in 3.4.
>>
>> I reserved group= so the auth helper can do exactly that. For usage in
>> either external ACL helpers, or in a "group" type ACL. However, at present
>> the internal parts of Squid do not exist to do anything with it.
>> The planned definition is to have helpers return one "group=" kv-pair for
>> each group the auth helper can identify and attach them as annotation data
>> to the credentials pair.
>>
>> Amos
>>
>>
>
>
>
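An added example (not part of the post, the attached convert_sid, or Squid's own code) showing in Python the two pieces an external ACL helper for the scheme described above needs: decoding a base64 binary SID into its S-1-... text, reading the sub-authorities as unsigned 32-bit values (the convert_sid output above shows the third one negative), and matching the group= kv-pairs against objectSid values pasted from ldapsearch. The sample kv line is constructed from the debug output in the post; the function and variable names are the example's own.

```python
import base64
import struct

# Constructed sample: two of the "group=" kv-pairs from the debug line in
# the post, as an external ACL helper would receive them after the username.
SAMPLE_KV = (
    "group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiaAQIAAA== "
    "group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiadgQAAA=="
)


def decode_sid(b64: str) -> str:
    """Turn a base64 binary SID (PAC / AD objectSid form) into S-1-... text.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit
    big-endian identifier authority, then N little-endian unsigned 32-bit
    sub-authorities. Unsigned unpacking avoids the negative sub-authority
    seen in the convert_sid output; the length check rejects values whose
    byte count does not match the count byte.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def parse_groups(kv_line: str) -> list:
    """Extract group= values from a helper kv-pair line.

    Split each token on its first '=' only: base64 values end in '=' padding.
    """
    groups = []
    for token in kv_line.split():
        key, sep, value = token.partition("=")
        if sep and key == "group":
            groups.append(value)
    return groups


def user_in_allowed_group(kv_line: str, allowed_b64: set) -> bool:
    """Compare the raw base64 strings, as the post suggests (cut and paste
    from ldapsearch objectSid:: output); no decoding is needed for the match."""
    return any(g in allowed_b64 for g in parse_groups(kv_line))
```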

Received on Fri Aug 23 2013 - 17:14:46 MDT