Re: [squid-users] web access based on ldap groups

Dear all, :)

I finally had some time to work on this issue, using
the directions i was pointed to.
I still don't know what else to do, since web access
using squid_ldap_group to give different
web access doesn't work.
I'll try to give you some examples on my configuration
so it will be easier to understand what
the problema might bem.

Here is my squid_ldap_auth line in squid.conf:

[...]
auth_param basic program
/usr/local/squid/libexec/squid_ldap_auth -b
o=domain.int -h 10.0.0.1 -D uid=proxy
,ou=squid,o=domain.int -w proxy-binder -f
(&(objectclass=inetOrgPerson)(uid=%s))
[...]

--> working fine and autheticating users with no kind
of problem.

Now here goes the squid_ldap_group:

[...]
external_acl_type ldap_group ttl=120 negative_ttl=120
%LOGIN /usr/local/squid/libexec/squid_ldap_group -b
ou=squid
,o=domain.int -f "(&(uid=%v)(memberUid=%g))" -B
ou=People,o=domain.int -F "uid=%s" -S -R -D uid=prox
y,ou=squid,o=dmain.int -w proxy-binder -h localhost
[...]

note:squid_ldap_group is bindding to ldap server with
the same user squid_ldap_auth is.

And here goes the access list:

[...]
acl block_word url_regex "/etc/squid/block_word"
acl block_url url_regex "/etc/squid/block_url"
acl block_domain dstdomain "/etc/squid/block_domain"
acl block_dest_ip dst "/etc/squid/block_dest_ip"
####################
acl proxy-allow external ldap_group proxy-allow
acl proxy-deny external ldap_group proxy-deny
####################
http_access allow proxy-allow block_word
http_access allow proxy-allow block_url
http_access allow proxy-allow block_domain
http_access allow proxy-allow block_dest_ip
####################
http_access deny proxy-deny block_word
http_access deny proxy-deny block_url
http_access deny proxy-deny block_domain
http_access deny proxy-deny block_dest_ip
[...]

/etc/squid/block_word contains words i will not allow
in urls except for users in
cn=proxy-allow,ou=squid,o=domain.int group
/etc/squid/block_url contains urls i will not allow at
all except for users in
cn=proxy-allow,ou=squid,o=domain.int group
/etc/squid/block_domain contains domaisn i will not
allow at all except for users in
cn=proxy-allow,ou=squid,o=domain.int group
/etc/squid/block_dest_ip contains ip addresses i will
not allow at all except for users in
cn=proxy-allow,ou=squid,o=domain.int grou
p

Users in the cn=proxy-allow,ou=squid,o=domain.int group
are to be given access to the urls words and ip
addresses contained
in the above files. Users in the
cn=proxy-deny,ou=squid,o=domain.int group, are not.

Here is my ldif for the squid group, were users are to
be checked which group they belong to, so they can have
their permissions
or not:

dn: cn=proxy-allow,ou=squid, o=domain.int
gidNumber: 600
memberUid: test-user
objectClass: posixGroup
objectClass: top
cn: proxy-allow

 -> same thing for proxy-deny group except user is
named *test-user-deny*

dn: uid=test-user,ou=People, o=systemblast
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: test-user
uidNumber: 1000
cn: test-user
sambaLogoffTime: 214647
sambaPwdLastSet: 117888
gidNumber: 513
sambaPwdMustChange: 1111888
sambaNTPassword: EB8B79A3E6FEC
sambaPwdCanChange:0
gecos: System User
description: System User
sn: user

What can it be wrong here? I think somthing must be
missing or wrong in the squid_ldap_group flag and still
not sure if
acls are correct...

thanks for your time reading this and i hope my doubt
will help someone in the future :)

Many thanks in advance

*cipher*

> cipher wrote:
> > Dear users,
> >
> > I just got squid authenticating through ldap,
> using
> > squid_ldap_auth and everything is fine.
> > Users can authenticate and no problems are
> showing up.
> >
> > Now i would like to know a way to give user
> permissions
> > to different web accesses to different users.
> > For example, i have this configuration:
> >
> > [...]
> > acl block_word url_regex
> "/etc/squid/block_word"
> > acl block_url url_regex
> "/etc/squid/block_url"
> > acl block_domain dstdomain
> "/etc/squid/block_domain"
> > acl block_dest_ip dst
> "/etc/squid/block_dest_ip"
> > acl accept proxy_auth
> "/etc/squid/accept_user"
> > acl forbidden proxy_auth
> "/etc/squid/forbidden_user"
> > http_access allow accept block_word
> > http_access allow accept block_domain
> > http_access allow accept block_dest_ip
> > http_access allow accept block_url
> > http_access deny forbidden block_word
> > http_access deny forbidden block_domain
> > http_access deny forbidden block_dest_ip
> > http_access deny forbidden block_url
> > [...]
> >
> > What happened was that i was filtering web
> access
> > through a text file called
> /etc/squid/accept_user
> > and /etc/squid/forbidden_user, which had
> information
> > about the users that were allowed or not
> allowed to
> > have web access to the urls in the
> /etc/squid/block_url
> > file for example.
> >
> > Now with ldap working i have two groups:
> >
> > -> proxy-allow
> > -> proxy-deny
> >
> > I want to put users in those two groups, and
> the ideia
> > is that users in the proxy-allow group will
> have
> > web access to urls in the
> /etc/squid/block_url and
> > users in the proxy-deny group will not have
> web access to
> > those urls.
> >
> > I am aware that squid_ldap_group does the job
> but i am
> > not really understanding how.
> >
> > I read through the archives and no answer to
> this issue
> > was found. At least i wasn't able to see it.
> :)
> >
> > I already know that an external_acl_type acl
> is needed.
> > I just haven't figured out how to tell
> squid.conf to go
> > search on that groups and give access like it
> is meant to.
> >
> > Is there a chance someone could point in the
> right
> > direction to get this working or maybe point
> me the archive
> > where this issue is answered?
> >
> > Feel free to ask for more configuration
> information if
> > you need to.
> >
> > Thanks a lot for reading this and in advance!
>
> squid_ldap_group operates very similarly to
> squid_ldap_auth. I assume
> you are already successfully getting the user
> login details and are
> authenticating the users. After that you just
> need an external_acl_type
> statement for the ldap checking such as this
> (forgive the long
> description, it's something I wrote up after I
> got it working so that it
> is understandable to some degree):
>
> external_acl_type ldap_group ttl=120
> negative_ttl=120 %LOGIN
> /usr/lib/squid/squid_ldap_group -b
> cn=Users,dc=domain,dc=local -f
> "(&(cn=%g)(member=%u)(objectClass=group))" -B
> dc=domain,dc=local -F
> "samaccountname=%s" -S -R -D
> cn=ldapsearchuser,cn=Users,dc=domain,dc=local
> -w password -a find -s sub
> -h server.domain.local
>
> ldap_group is the type of external ACL we are
> using.
> ttl and negative_ttl are set to short intervals
> so that adding or
> removing a user from the authorised group
> doesn't incur a huge delay.
> %LOGIN is a standard parameter - it just passes
> the user details from
> the authenticator module
> -b is the Base DN for the security group in the
> AD.
> -f specifies how the user is to be found in the
> group. cn=%g will give
> you the group DN itself, member=%u finds the
> user by their DN, and
> objectClass=group is self explanatory.
> -B is the Base DN for the users.
> -F is used to specify the search filter for the
> users. Samaccountname is
> the parameter I search for since I found the
> browser sends the shortened
> version of the login name (instead of the full
> name or something).
> -S specifies that it should strip the domain
> name off the front of the
> username (since I was using NTLM and that
> passed the domain name)
> -R allows us to have users in multiple OUs.
> -D specifies the DN of a user authorised to
> perform LDAP searches on the
> AD. This I believe can be any user in the AD.
> -a specifies the search technique and may not
> be required
> -s specifies how to handle searching up the
> tree and defaults to sub
> anyway so is not really required.
> -h server.domain.local just specifies the
> domain controller that the
> LDAP query is performed on.
>
> Then you need acls to specify the groups you
> are checking for:
>
> acl AuthGroup external ldap_group Internet
>
> and http_access lines to actually allow those
> groups or whatever:
>
> http_access allow AuthGroup
>
> This is where you can get very creative (not
> something I have done...).
> Hope this helps (and is relatively correct - my
> explanations are
> probably not entirely accurate).
>
> Cheers,
> Oliver
>

-------------------------------------------------
Email Enviado utilizando o serviço MegaMail
Received on Fri Feb 04 2005 - 15:28:04 MST