Hi all,
(Sorry for my bad English)
I'm setting up Squid for my work, and I'm having problems with ACLs and LDAP:
We have 3 domains with trusts set up between them. I have set up Squid to
work as a transparent proxy with NTLM authentication.
It works well with my domain1.local: all users are logged in without
being prompted for a login/password.
We have 2 types of users:
- Users who can access everything on the internet
- Users who are restricted to specific websites, based on a whitelist.
This is done with Active Directory groups: if a user belongs to the
group Internet_full he has no restriction, but if he belongs to
Internet_Limited, then he can only access the websites that have
been specified in my whitelist file.
Squid checks the groups with wbinfo_group.pl.
It works great with my domain1.local.
The problem I have:
The users are correctly authenticated on my domain2.local and
domain3.local, but the group filter doesn't work: all my
users from domain2.local and domain3.local are able to access any
website, even if they are members of the Internet_Limited group.
If I run wbinfo -u, I only get my users from domain1.local.
So I tried running wbinfo -a
domain2\\administrator%password and I get:
plaintext password authentication succeeded
challenge/response password authentication succeeded
After that, I tried wbinfo --sequence and it gives me:
Domain2: DISCONNECTED
domain3 : DISCONNECTED
BUILTIN : 1220623949
SRVPROXY-SQUID : 1220623949
domaine1 : 817325
I think the problem is here, but I'm not sure, because a user from
domain2.local is correctly authenticated on my Squid server but can't
retrieve his groups.
If I run ./wbinfo_group.pl and then type domain1\\Administrator
Internet_full, it returns OK (because Administrator is a member of
the group Internet_full).
If I test the same command with Internet_Limited, it returns ERR
(because Administrator isn't a member of Internet_Limited).
So it seems to work with my domain1.
But when I try the same command with domain2 or domain3, here is what I get:
Could not get groups for user domain2\administrator
Here is a sample of my squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid AD
auth_param basic credentialsttl 2 hours
external_acl_type NT_global_group %LOGIN /usr/lib/squid/wbinfo_group.pl
#Recommended minimum configuration:
[...]
acl CONNECT method CONNECT
acl ntlm proxy_auth REQUIRED
acl Full_Access external NT_global_group internet_full
acl Limited_Access external NT_global_group internet_limited
acl whitelist dstdomain "/whitelist"
acl localnet proxy_auth REQUIRED src 10.0.0.0/8
http_access allow Full_Access
http_access allow whitelist Limited_Access
# And finally deny all other access to this proxy
http_access deny all
I repeat that, although the group filters do not work for the other 2
domains, authentication works great on all 3 domains!
Hope you can help me :)
Thanks in advance!
Received on Mon Sep 08 2008 - 12:16:08 MDT
This archive was generated by hypermail 2.2.0 : Mon Sep 08 2008 - 12:00:02 MDT
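As an added example, not part of the post above and not Squid's own wbinfo_group.pl: a small Python external ACL helper that performs the same lookup chain the Perl helper performs (group name to SID with wbinfo -n, SID to GID with wbinfo -Y, the user's GIDs with wbinfo -r) and speaks the external_acl_type protocol used by the squid.conf fragment in the post. The winbind calls are injectable, so the decision logic can be run against constructed data: the fake lookups at the bottom, the GIDs they return, and the simulated "Could not get groups for user domain2\administrator" failure are assumptions built to mimic the three results the poster observed. The point worth checking in any such helper is that a failed lookup (disconnected or untrusted domain, unknown group) must come back as ERR and be logged, never as OK.

```python
#!/usr/bin/env python3
"""Squid external ACL helper for AD group membership via winbind (added example).

Squid sends one request per line on stdin, "DOMAIN\\user group1 group2 ...",
and expects "OK" or "ERR" per line on stdout. Anything written to stderr
ends up in cache.log, which is where a failed winbind lookup belongs.
"""
import subprocess
import sys


def wbinfo(*args):
    """Run wbinfo and return its stdout; raise RuntimeError with wbinfo's own
    message (e.g. "Could not get groups for user ...") when it fails."""
    proc = subprocess.run(["wbinfo", *args], capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError((proc.stderr or proc.stdout).strip())
    return proc.stdout


def group_gid(group):
    """Group name -> SID (wbinfo -n) -> unix GID (wbinfo -Y)."""
    sid = wbinfo("-n", group).split()[0]
    return int(wbinfo("-Y", sid).strip())


def user_gids(user):
    """GIDs of every group the user belongs to (wbinfo -r DOMAIN\\user)."""
    return {int(g) for g in wbinfo("-r", user).split()}


def check(user, groups, user_gids=user_gids, group_gid=group_gid):
    """Return ("OK", "") if the user is in any listed group, else ("ERR", reason).

    Fails closed: a lookup error is an ERR with the error text as reason.
    """
    try:
        member_of = user_gids(user)
        for group in groups:
            if group_gid(group) in member_of:
                return "OK", ""
        return "ERR", "not a member"
    except RuntimeError as exc:
        return "ERR", str(exc)


def handle_line(line, **lookups):
    """Turn one Squid request line into the reply line, logging any reason."""
    fields = line.split()
    if len(fields) < 2:
        sys.stderr.write("group helper: malformed request %r\n" % line)
        return "ERR"
    verdict, reason = check(fields[0], fields[1:], **lookups)
    if reason:
        sys.stderr.write("group helper: %s %s: %s\n" % (fields[0], fields[1:], reason))
    return verdict


def main():
    # One reply per request, flushed immediately: Squid blocks on each answer.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line.rstrip("\n")) + "\n")
        sys.stdout.flush()


# --- constructed data (assumptions, not real winbind output) -----------------
def fake_user_gids(user):
    """domain1 users resolve; any other domain fails like a disconnected trust."""
    if user.lower().startswith("domain1\\"):
        return {10001, 10002}
    raise RuntimeError("Could not get groups for user %s" % user)


def fake_group_gid(group):
    """Hypothetical GIDs for the two groups named in the post."""
    return {"internet_full": 10001, "internet_limited": 10003}[group.lower()]


def selftest():
    """Replays the poster's three manual tests against the constructed lookups."""
    fakes = dict(user_gids=fake_user_gids, group_gid=fake_group_gid)
    return [
        handle_line("domain1\\Administrator internet_full", **fakes),     # OK
        handle_line("domain1\\Administrator internet_limited", **fakes),  # ERR
        handle_line("domain2\\administrator internet_full", **fakes),     # ERR
    ]


if __name__ == "__main__":
    if "--selftest" in sys.argv:
        print(selftest())
    else:
        main()
```

Run it with --selftest to see the three verdicts without winbind; plug it into Squid with `external_acl_type NT_global_group %LOGIN /path/to/helper.py` in place of the Perl script. The wbinfo flags used are the ones wbinfo_group.pl itself relies on, so a "Could not get groups" error from this helper means the same thing it means in the post: winbindd cannot enumerate groups for that trusted domain, and the ACL will deny rather than grant.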