[squid-users] external_acl_type + ldap-auth

From: Riaan Nolan <riaan_at_viamedia.co.za>
Date: Fri, 16 Jul 2010 11:36:53 +0200

Hello Squid users, I'm having a problem that I cannot solve :/

I am authenticating users against Active Directory via squid_ldap_auth
(Which Works GREAT!)

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
"dc=domain,dc=co,dc=za" -D "cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w
"******" -f "sAMAccountName=%s" -h 192.168.0.1
auth_param basic children 5
auth_param basic realm Active Directory Password Required
auth_param basic credentialsttl 3600 seconds

TEST:squid_ldap_auth
# /usr/lib/squid/squid_ldap_auth -R -b "dc=domain,dc=co,dc=za" -D
"cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f
"sAMAccountName=%s" -h 192.168.0.1
username ******
OK

Now I'd like to set up delay_pools, and this is where my problem starts.
In cache.log I ALWAYS get:

2010/07/16 11:11:52.551| basic/auth_basic.cc(246)
authenticateBasicHandleReply: {OK}
2010/07/16 11:11:52.551| ACL::ChecklistMatches: result for 'fast' is -1
2010/07/16 11:11:52.581| externalAclHandleReply: reply="ERR"
2010/07/16 11:11:52.582| ACL::ChecklistMatches: result for 'fast' is 0
2010/07/16 11:11:52.582| ACL::ChecklistMatches: result for 'medium' is -1
2010/07/16 11:11:52.593| externalAclHandleReply: reply="ERR"
2010/07/16 11:11:52.593| ACL::ChecklistMatches: result for 'medium' is 0
2010/07/16 11:11:52.593| ACL::ChecklistMatches: result for 'slow' is -1
2010/07/16 11:11:52.619| externalAclHandleReply: reply="ERR"
2010/07/16 11:11:52.620| ACL::ChecklistMatches: result for 'slow' is 0
2010/07/16 11:11:52.620| ACL::ChecklistMatches: result for 'all' is 1
2010/07/16 11:11:52.620| ACL::ChecklistMatches: result for 'slow' is 0
2010/07/16 11:11:52.620| ACL::ChecklistMatches: result for 'all' is 1
2010/07/16 11:11:52.621| ACL::ChecklistMatches: result for 'medium' is 0
2010/07/16 11:11:52.621| ACL::ChecklistMatches: result for 'all' is 1
2010/07/16 11:11:52.621| ACL::ChecklistMatches: result for 'fast' is 0
2010/07/16 11:11:52.621| ACL::ChecklistMatches: result for 'all' is 1
2010/07/16 11:11:52.663| ACL::ChecklistMatches: result for 'all' is 1
2010/07/16 11:11:52.663| ACL::ChecklistMatches: result for 'manager' is 0
2010/07/16 11:11:52.663| ACL::ChecklistMatches: result for 'manager' is 0
2010/07/16 11:11:52.663| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2010/07/16 11:11:52.663| ACL::ChecklistMatches: result for 'CONNECT' is 0
2010/07/16 11:11:52.663| ACL::ChecklistMatches: result for 'to_localhost' is 0
2010/07/16 11:11:58.643| ACL::ChecklistMatches: result for 'to_localhost' is 0
2010/07/16 11:11:58.643| ACL::ChecklistMatches: result for 'localhost' is 0
2010/07/16 11:11:58.644| ACL::ChecklistMatches: result for 'fast' is 0

TEST:squid_ldap_group
# /usr/lib/squid/squid_ldap_group -R -b "dc=domain,dc=co,dc=za" -D
"cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f
"(&(cn=%a)(member=%v)(objectClass=group))" -F
"(|(samAccountName=%s)(cn=%s))" -h 1
username fast
OK

The relevant parts of my squid.conf are:

##### snip #####
# Authentication Method
# Using LDAP Active Directory
# NOTE(review): in the real squid.conf each directive is one line; the
# wrapping shown here presumably comes from the mail client.
# The bind password (-w) is stored in clear text, so squid.conf should be
# readable only by the squid user and administrators.
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
"dc=domain,dc=co,dc=za" -D "cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w
"******" -f "sAMAccountName=%s" -h 192.168.0.1
# TO TEST (run the helper by hand with the same arguments as above)
# /usr/lib/squid/squid_ldap_auth -R -b "dc=domain,dc=co,dc=za" -D
"cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f
"sAMAccountName=%s" -h 192.168.0.1
# ENTER
# username password
# SHOULD RETURN OK
auth_param basic children 5
auth_param basic realm Active Directory Password Required
auth_param basic credentialsttl 3600 seconds

# Apprentice - Many Restrictions
# Lexicanium .. Group to be Announced
# Codicier - Some Restrictions
# Epistolary .. Group to be Announced
# Chief Librarian - No Restrictions
#
# Group lookups: %LOGIN hands the helper the authenticated login name; per
# the squid_ldap_group manual the login is substituted for %s in the -F
# user filter, the resulting user DN for %v and the acl's group argument
# for %a in the -f filter. negative_ttl=1 caches an ERR reply for 1 second,
# ttl=60 caches an OK reply for 60 seconds.
# NOTE(review): the three definitions below are identical apart from their
# name; one external_acl_type referenced by all three acls would behave the
# same unless separate helper pools are wanted.
external_acl_type chief_librarian negative_ttl=1 ttl=60 %LOGIN
/usr/lib/squid/squid_ldap_group -R -b "dc=domain,dc=co,dc=za" -D
"cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f
"(&(cn=%a)(member=%v)(objectClass=group))" -F
"(|(samAccountName=%s)(cn=%s))" -h 192.168.0.1
external_acl_type codicier negative_ttl=1 ttl=60 %LOGIN
/usr/lib/squid/squid_ldap_group -R -b "dc=domain,dc=co,dc=za" -D
"cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f
"(&(cn=%a)(member=%v)(objectClass=group))" -F
"(|(samAccountName=%s)(cn=%s))" -h 192.168.0.1
external_acl_type apprentice negative_ttl=1 ttl=60 %LOGIN
/usr/lib/squid/squid_ldap_group -R -b "dc=domain,dc=co,dc=za" -D
"cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f
"(&(cn=%a)(member=%v)(objectClass=group))" -F
"(|(samAccountName=%s)(cn=%s))" -h 192.168.0.1
# TO TEST (run the helper by hand with the same arguments as above)
# /usr/lib/squid/squid_ldap_group -R -b "dc=domain,dc=co,dc=za" -D
"cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f
"(&(cn=%a)(member=%v)(objectClass=group))" -F
"(|(samAccountName=%s)(cn=%s))" -h 192.168.0.1
# ENTER
# username group   e.g. username Fast
# Use the group argument from the acl line (Fast/Medium/Slow), not the
# external_acl_type name, and the login exactly as Squid logs it in
# access.log, since that is the string %LOGIN delivers to the helper.
# SHOULD RETURN OK

# ACL definitions
# ldap-auth: any login accepted by squid_ldap_auth.
# fast/medium/slow: group membership via the helpers above; the last word
# on each line is the group name the helper receives as %a.
# NOTE(review): the manual helper test above used "fast" (lower case) while
# the acl passes "Fast"; whether cn matching is case-insensitive depends on
# the directory, so re-run the test with the exact string used here.
acl ldap-auth proxy_auth REQUIRED # Auth via Active Directory
acl fast external chief_librarian Fast
acl medium external codicier Medium
acl slow external apprentice Slow

# Access rules (first match wins).
# The three group rules are evaluated before ldap-auth, so each request of
# an authenticated user triggers the group lookups first (the '-1' results
# in cache.log appear to be the asynchronous lookups still pending). A user
# whose group lookups all answer ERR still reaches "allow ldap-auth", so
# group membership does not restrict access here - it only selects the
# delay pool below.
#http_access allow localnet
http_access allow localhost
http_access allow fast
http_access allow medium
http_access allow slow
http_access allow ldap-auth

# And finally deny all other access to this proxy
http_access deny all

# Delay Pools - one pool per group tier
delay_pools 3

# Classes of our Pools (class 3: aggregate, per-network and per-host
# buckets, keyed on the client address rather than on the login name)
delay_class 1 3
delay_class 2 3
delay_class 3 3

# ACLs relevant to our Pools
# A request enters a pool only when its group lookup answered OK; with the
# ERR replies seen in the log every request falls through to the "deny all"
# of each pool, i.e. it is not shaped at all.
delay_access 1 allow slow
delay_access 1 deny all
delay_access 2 allow medium
delay_access 2 deny all
delay_access 3 allow fast
delay_access 3 deny all

# Parameters of our Pools (Bandwidth): restore-rate/bucket-size per
# aggregate, network and host bucket, in bytes per second / bytes.
# NOTE(review): all three pools currently carry identical parameters, so the
# slow/medium/fast tiers are indistinguishable until these values differ.
delay_parameters 1 8000/8000 4000/4000 2000/2000
delay_parameters 2 8000/8000 4000/4000 2000/2000
delay_parameters 3 8000/8000 4000/4000 2000/2000

# Debugging Options: level 9 for sections 28, 29, 33, 58 and 82 (presumably
# ACL, authenticator, client-side, HTTP reply and external ACL).
# NOTE(review): at this level cache.log records login names and lookup
# results; return to ALL,1 once the helper problem is found.
debug_options ALL,1 28,9 29,9 33,9 58,9 82,9

##### snip #####

If anyone can point me in some direction: I've read almost everything I
could find, and I just don't know why the helper is returning ERR :/

Thanks in advance
Riaan Nolan

NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
Received on Fri Jul 16 2010 - 09:37:16 MDT
