RE: [squid-users] Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

From: GIGO . <gigoz_at_msn.com>
Date: Mon, 5 Jul 2010 17:13:08 +0000

Hi,
 
Please, some more guidance is required. Can squid_kerb_ldap be used (alone) independently of calling squid_kerb_auth or any other helper?
 
If, and only if, it is a must to use both squid_kerb_auth and squid_kerb_ldap, then is it correct that we are not using the following directives?
 
acl auth proxy_auth REQUIRED #used
#http_access deny !auth # Not used
#http_access allow auth #not used
 
as instead LDAP-based directives of the following form are used...
 
external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/squid_kerb_ldap -g GROUP@
acl ldap_group_check external squid_kerb_ldap
http_access allow ldap_group_check

 
thanking you
&
regards,
 
Bilal
----------------------------------------
> To: squid-users_at_squid-cache.org
> From: huaraz_at_moeller.plus.com
> Date: Thu, 1 Jul 2010 21:31:13 +0100
> Subject: [squid-users] Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)
>
> Hi
>
> 1) 1.2.1a is just a minor patch version to 1.2.1.
> 2) This happens only when you use the -d debug option
> 3) You can use the options -u BIND_DN -p BIND_PW -b BIND_PATH -l LDAP_URL
> 4) If they have different access needs, then that is the only way. If they
> have the same access rights you can use -g
> INETGRLHR1@MAILSERVER.V.LOCAL:INETGRLHR2@MAILSERVER.V.LOCAL:INETGRLHR3@MAILSERVER.V.LOCAL
>
> Regards
> Markus
>
> ----- Original Message -----
> From: "GIGO ."
> To: "squidsuperuser2" ; "SquidHelp"
>
> Sent: Thursday, July 01, 2010 11:31 AM
> Subject: RE: [squid-users] Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)
>
>
>
> Dear Markus,
>
> Thank you so much for your help; I diagnosed the problem back to
> KRB5_KTNAME not being exported properly through my startup script. For
> completeness' sake and your analysis I have appended the cache.log at the
> bottom.
>
> Please, I have a few queries:
>
>
> 1. I am using squid_kerb_ldap version 1.2.1a as per your recommendation,
> which is the latest, but does the "a" in 1.2.1(a) mean alpha? Can I use this
> latest version in production, or should I switch back to 1.2.1?
>
>
>
>
> 2. I have just figured out that squid_kerb_ldap gets all the groups for the
> user in question even if the first group it finds matches. Is this the normal
> behaviour?
>
>
> 3. Is there a way to bind to a specific or multiple (chosen) LDAP servers
> rather than using DNS? (What is the syntax, and how?)
>
>
> 4. As I have different categories of users, I have defined the following
> directives. Is it OK to do it this way? It does not look very neat to me, and
> it looks like squid_kerb_ldap is being called redundantly.
>
>
> ------------------------------------- Portion of squid.conf ---------------------
> auth_param negotiate program /usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> # Basic auth ACL controls to make use of it (if and only if
> # squid_kerb_ldap (authorization) is not used)
> #acl auth proxy_auth REQUIRED
> #http_access deny !auth
> #http_access allow auth
>
> # Groups from Mailserver Domain:
> external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR1@MAILSERVER.V.LOCAL
> external_acl_type squid_kerb_ldap_msgroup2 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR2@MAILSERVER.V.LOCAL
> external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR3@MAILSERVER.V.LOCAL
>
> acl msgroup1 external squid_kerb_ldap_msgroup1
> acl msgroup2 external squid_kerb_ldap_msgroup2
> acl msgroup3 external squid_kerb_ldap_msgroup3
> http_access deny msgroup2 msn
> http_access deny msgroup3 msn
> http_access deny msgroup2 ym
> http_access deny msgroup3 ym
> ###----Most Restricted settings Exclusive for Normal users......###
> http_access deny msgroup3 Movies
> http_access deny msgroup3 downloads
> http_access deny msgroup3 torrentSeeds
> http_access deny all
>
>
Received on Mon Jul 05 2010 - 17:13:15 MDT

This archive was generated by hypermail 2.2.0 : Tue Jul 06 2010 - 12:00:02 MDT
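An added example of how the squid.conf fragment quoted in the thread could be consolidated along the lines of Markus's point 4 (groups with identical access rights share one -g list) and point 3 (pinning the LDAP server with -l/-u/-p/-b). This is editorial example configuration, not configuration from the thread or from the squid_kerb_ldap project. The LDAP URL, bind DN, bind password, search base and the final allow rule are assumptions; the destination ACLs msn, ym, Movies, downloads and torrentSeeds are assumed to be defined elsewhere in squid.conf, as in the original message. The archive renders "@" in the group names as "_at_"; real realm names use "@".

```conf
# Added example, not from the thread. Authentication stays with
# squid_kerb_auth; authorization stays with squid_kerb_ldap, but groups
# that share an access level are checked by a single helper definition.
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Gate on authentication first: an unauthenticated request gets a 407
# challenge here, so every helper call below receives a real %LOGIN
# (user@REALM) rather than an empty login.
acl auth proxy_auth REQUIRED
http_access deny !auth

# ASSUMPTION: the LDAP URL, search base, bind DN and bind password are
# placeholders. -u/-p put a clear-text password into squid.conf, so keep
# the file readable only by root and the squid user.
# ttl=3600 means a user removed from a group keeps that group's access for
# up to an hour; negative_ttl=3600 means a newly added user may wait up to
# an hour. Lower both if group changes must take effect faster.

# Level "any": everybody permitted to use the proxy at all (groups 1, 2, 3).
external_acl_type kerb_ldap_any ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -l ldap://dc1.mailserver.v.local -b DC=MAILSERVER,DC=V,DC=LOCAL -u CN=squidbind,OU=Service,DC=MAILSERVER,DC=V,DC=LOCAL -p CHANGEME -g INETGRLHR1@MAILSERVER.V.LOCAL:INETGRLHR2@MAILSERVER.V.LOCAL:INETGRLHR3@MAILSERVER.V.LOCAL

# Level "restricted": groups 2 and 3 share the msn/ym block, so one list.
external_acl_type kerb_ldap_restricted ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -l ldap://dc1.mailserver.v.local -b DC=MAILSERVER,DC=V,DC=LOCAL -u CN=squidbind,OU=Service,DC=MAILSERVER,DC=V,DC=LOCAL -p CHANGEME -g INETGRLHR2@MAILSERVER.V.LOCAL:INETGRLHR3@MAILSERVER.V.LOCAL

# Level "normal": only group 3 gets the most restrictive rules.
external_acl_type kerb_ldap_normal ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -l ldap://dc1.mailserver.v.local -b DC=MAILSERVER,DC=V,DC=LOCAL -u CN=squidbind,OU=Service,DC=MAILSERVER,DC=V,DC=LOCAL -p CHANGEME -g INETGRLHR3@MAILSERVER.V.LOCAL

acl kerb_any        external kerb_ldap_any
acl kerb_restricted external kerb_ldap_restricted
acl kerb_normal     external kerb_ldap_normal

# Squid evaluates the ACLs on one http_access line left to right and stops
# at the first one that does not match, so put the cheap destination ACL
# before the helper-backed ACL: the LDAP lookup then only happens for
# requests that actually go to a blocked destination.
http_access deny msn kerb_restricted
http_access deny ym kerb_restricted
http_access deny Movies kerb_normal
http_access deny downloads kerb_normal
http_access deny torrentSeeds kerb_normal

# ASSUMPTION: the quoted fragment shows no allow rule (it is a "portion" of
# squid.conf); this one admits members of any of the three groups. Keep the
# explicit default deny last.
http_access allow kerb_any
http_access deny all
```

Check the syntax with `squid -k parse` before reloading. To exercise a helper definition by hand, run the same squid_kerb_ldap command line from the shell with the -d debug option Markus mentions and feed it one login (for example `user@MAILSERVER.V.LOCAL`) on standard input; as a Squid external ACL helper it answers OK or ERR per line, and the KRB5_KTNAME environment variable must be exported in that shell exactly as it must be in the startup script, which was the root cause diagnosed in the thread.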