Re: [squid-users] Re: Native Kerberos (squid_kerb_auth) with LDAP-Fallback (squid_ldap_auth)

From: Tom Tux <tomtux80_at_gmail.com>
Date: Fri, 13 Aug 2010 16:01:00 +0200

Hi

I run squid with the named debug-options. The "cache.log"-output seems
a little bit complicated. So the only way I see is to have a remarked
native ldap-authentication-configuration, which I can enable if the
kerberos-mechanism fails.

Or does somebody have such a config (kerberos with squid_kerb_ldap to
get ad-groups AND squid_ldap_auth with a memberOf-filter) running?

Thanks a lot.
Regards,
Tom

2010/8/11 Amos Jeffries <squid3_at_treenet.co.nz>:
> Tom Tux wrote:
>>
>> Hi Amos
>>
>> Thanks a lot for this explanation. Both configurations separately -
>> native kerberos and native ldap - are working fine. But in
>> combination, there is still one problem.
>>
>> Here is my actual configuration (combined two mechanism) again:
>>
>> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
>> auth_param negotiate children 50
>> auth_param negotiate keep_alive on
>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
>> /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "InternetUsers"
>> acl INTERNET_ACCESS external SQUID_KERB_LDAP
>>
>> external_acl_type SQUID_DENY_KERB_LDAP ttl=3600 negative_ttl=3600
>> %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g
>> "DenyInternetUsers"
>> acl DENY_INTERNET_ACCESS external SQUID_DENY_KERB_LDAP
>>
>> # LDAP-Fallback
>> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R
>> -v 3 -b "dc=xx,dc=yy" -D "cn=binduser,dc=xx,dc=yy" -w "something" -f
>>
>> "(&(&(objectClass=Person)(sAMAccountName=%s))(memberOf=cn=InternetUsers,DC=xx,DC=yy))"
>> -c 3 -h ldaps://xx.xx.xx.xx -h ldaps://xx.xx.xx.xx
>> auth_param basic children 20
>> auth_param basic realm "Internet Access"
>> auth_param basic credentialsttl 2 hour
>> acl INTERNET_ACCESS_LDAP proxy_auth REQUIRED src 0.0.0.0
>
> The "src" and "0.0.0.0" usernames (yes *usernames*) should be ignored by
> Squid.
>
>>
>>
>> And here the relevant part of the http_access-directives:
>> http_access deny DENY_INTERNET_ACCESS
>> http_access deny !INTERNET_ACCESS
>> http_access deny !INTERNET_ACCESS_LDAP
>> http_access allow INTERNET_ACCESS
>> http_access allow INTERNET_ACCESS_LDAP
>> http_access deny all
>>
>> With this configuration, I'm able to access with kerberos, but never
>> with ldap. I always got an "access denied". What directives do I have
>> to change/add, to get both accesses (kerberos & ldap)?
>
> Run Squid with "debug_options 82,3 28,3" to check which ACLs are matching
> and which denying.
>
> I notice the !INTERNET_ACCESS is required to pass before anything is
> allowed. It could be that your Basic protocol credentials are not being
> accepted by the Negotiate/Kerberos protocol group helper and inverting into
> a deny.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.6
>  Beta testers wanted for 3.2.0.1
>
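The point Amos makes about "!INTERNET_ACCESS" sitting in front of every allow line can be checked without a running proxy. The following is an added example, not code from the thread or from Squid: a small first-match simulation of http_access evaluation that parses the rules exactly as posted and walks three constructed users through them. The per-user ACL outcomes are assumptions modelling Amos's hypothesis (the Negotiate-side external ACL does not accept Basic credentials, so INTERNET_ACCESS is false for a Basic-auth user), and REORDERED_RULES is a hypothetical rewrite of mine, not a fix posted in the thread.

```python
"""Added example (not from the thread or Squid): a first-match simulation of
Squid's http_access evaluation, to see which rule fires for which user."""

from typing import Dict, List, Tuple

# The http_access lines exactly as posted in the thread.
ORIGINAL_RULES = """
http_access deny DENY_INTERNET_ACCESS
http_access deny !INTERNET_ACCESS
http_access deny !INTERNET_ACCESS_LDAP
http_access allow INTERNET_ACCESS
http_access allow INTERNET_ACCESS_LDAP
http_access deny all
"""

# Hypothetical reordering (my assumption, not posted in the thread): drop the
# two "deny !X" lines so each allow line is tried on its own, and let the
# final "deny all" catch everyone else.
REORDERED_RULES = """
http_access deny DENY_INTERNET_ACCESS
http_access allow INTERNET_ACCESS
http_access allow INTERNET_ACCESS_LDAP
http_access deny all
"""

# Constructed per-user ACL outcomes (assumed, not measured). "basic_user"
# models Amos's hypothesis: Basic credentials are not accepted by the
# Negotiate-side group helper, so INTERNET_ACCESS does not match for them.
USERS: Dict[str, Dict[str, bool]] = {
    "kerberos_user": {"DENY_INTERNET_ACCESS": False, "INTERNET_ACCESS": True,
                      "INTERNET_ACCESS_LDAP": True},
    "basic_user": {"DENY_INTERNET_ACCESS": False, "INTERNET_ACCESS": False,
                   "INTERNET_ACCESS_LDAP": True},
    "denied_user": {"DENY_INTERNET_ACCESS": True, "INTERNET_ACCESS": True,
                    "INTERNET_ACCESS_LDAP": True},
}


def parse_rules(text: str) -> List[Tuple[str, List[str]]]:
    """Turn 'http_access <action> <acl> [<acl> ...]' lines into (action, terms)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        rules.append((parts[1], parts[2:]))
    return rules


def acl_matches(term: str, results: Dict[str, bool]) -> bool:
    """Evaluate one ACL term; a leading '!' negates, 'all' always matches."""
    negate = term.startswith("!")
    name = term.lstrip("!")
    value = True if name == "all" else results.get(name, False)
    return value != negate  # XOR: negated terms match when the ACL does not


def evaluate(rules: List[Tuple[str, List[str]]],
             results: Dict[str, bool]) -> Tuple[str, int]:
    """Return (action, 1-based rule number) of the first rule whose ACLs all match.

    A rule matches only when every term on the line matches (AND). If no rule
    matches, Squid applies the opposite of the last rule's action; that case is
    reported as rule number 0.
    """
    for idx, (action, terms) in enumerate(rules, start=1):
        if all(acl_matches(t, results) for t in terms):
            return action, idx
    last_action = rules[-1][0]
    return ("allow" if last_action == "deny" else "deny"), 0


def report(rule_text: str,
           users: Dict[str, Dict[str, bool]] = USERS) -> Dict[str, Tuple[str, int]]:
    """Map each constructed user to the (action, rule number) that decides them."""
    rules = parse_rules(rule_text)
    return {user: evaluate(rules, res) for user, res in users.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_RULES), ("reordered", REORDERED_RULES)):
        print(label)
        for user, (action, rule_no) in report(text).items():
            print(f"  {user:14s} -> {action:5s} (rule {rule_no})")
```

With the posted ordering the Basic-auth user is stopped at rule 2 ("deny !INTERNET_ACCESS") before the LDAP allow line is ever reached, which is exactly the "access denied" reported above; the reordered list lets each allow stand on its own while the DenyInternetUsers group is still refused first. The simulation ignores one thing a real Squid does: proxy_auth REQUIRED and an external ACL taking %LOGIN both trigger an authentication challenge when no credentials are present, so "debug_options 82,3 28,3" remains the way to confirm which ACL actually fires.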
Received on Fri Aug 13 2010 - 14:01:06 MDT
