Re: [squid-users] ext_user ACL

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 09 Feb 2012 11:24:48 +1300

On 09.02.2012 07:46, Wladner Klimach wrote:
> Hello,
>
> I'm trying to use ext_user type of ACL but for some reason it isn't
> matching. Look at my cache.log message with debug_options set up:
>
> ACL::ChecklistMatches: result for 'restrictedDomains' is 1
> 2012/02/08 16:24:40.553| ACLList::matches: result is true
> 2012/02/08 16:24:40.553| ACLList::matches: checking restrictUsers
> 2012/02/08 16:24:40.553| ACL::checklistMatches: checking 'restrictUsers'
> 2012/02/08 16:24:40.553| ACL::ChecklistMatches: result for 'restrictUsers' is -1
> 2012/02/08 16:24:40.553| ACLList::matches: result is false
> 2012/02/08 16:24:40.553| aclmatchAclList: 0x7f491617bab8 returning false (AND list entry failed to match)
>
> I'm using this because I need to group authenticated users in order to
> create ACLs to restrict these groups. I've used proxy_auth instead of
> ext_user and it worked, but I don't know if this is appropriate in
> terms of performance, is it? Here is my squid.conf:

>
> # KERBEROS - Full integration with AD
> auth_param negotiate program /etc/squid/squid-3.1.16/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth -s HTTP/trotsky.redecamara.camara.gov.br
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> # External ACLs to look up the group based on Kerberos.
> external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /etc/squid/squid-3.1.16/squid_kerb_ldap/squid_kerb_ldap -S californio.redecamara.camara.gov.br -g Internet@REDECAMARA.CAMARA.GOV.BR

<snips>
> acl restrictUsers ext_user P_7501@REDECAMARA.CAMARA.GOV.BR
> acl restrictedDomains url_regex -i "/etc/squid/InstantMessenger"
> http_access deny restrictedDomains restrictUsers
> http_access allow ldap_group_check
> http_access deny all
>

Checking proxy_auth and ext_user values is the same speed (text
comparison).
BUT ext_user requires an external ACL helper to be run to produce the
value, AND an authentication helper to be run to produce the %LOGIN input
value, which could be slower overall.

Also each have different security properties:
  proxy_auth is the logged in username, validated by the authentication
backend
  ext_user is just a user name (note the space between words) label
produced by the external helper, it is not necessarily the logged in
user or even related to that user.

It is not working because squid_kerb_ldap does not output the user name
label for use by ext_user. Just an OK/ERR result for whether the user passed
*in* is a member of the groups passed in.

Amos
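As an added illustration (not code from this thread, from Squid, or from squid_kerb_ldap), the following Python models the helper exchange Amos describes: a helper that answers only OK/ERR, as the reply says squid_kerb_ldap does, gives an ext_user ACL nothing to compare, whereas a helper that also prints a user= label does. It assumes the external ACL helper protocol (one %LOGIN line in, an OK/ERR reply with optional key=value pairs out, user= being the pair ext_user matches on); the realm EXAMPLE.REALM, the group table and the -1 return value for "no label" are constructed for the example and do not claim to reproduce Squid's internal semantics.

```python
"""Toy model of a Squid external ACL helper exchange and ext_user matching.

Added example, not code from this thread, from Squid or from squid_kerb_ldap.
Assumed protocol: Squid sends the helper one line per lookup holding the
%LOGIN value; the helper answers 'OK' or 'ERR', optionally followed by
key=value pairs, and the 'user=' pair is what an ext_user ACL compares
against. The realm EXAMPLE.REALM and the group table are constructed.
"""
import shlex

# Constructed sample of group membership (stands in for the LDAP lookup).
GROUP_MEMBERS = {
    "Internet@EXAMPLE.REALM": {
        "P_7501@EXAMPLE.REALM",
        "alice@EXAMPLE.REALM",
    },
}


def helper_ok_err_only(request_line: str, group: str) -> str:
    """Helper that answers only OK/ERR, the behaviour the reply attributes
    to squid_kerb_ldap: the group check works, but no user label is emitted."""
    login = request_line.strip()
    return "OK" if login in GROUP_MEMBERS.get(group, set()) else "ERR"


def helper_with_user_tag(request_line: str, group: str) -> str:
    """Hypothetical helper that also returns a user= label. Only a label like
    this gives ext_user something to compare; the label is whatever the
    helper chooses to print, which is the security property Amos points out."""
    login = request_line.strip()
    if login in GROUP_MEMBERS.get(group, set()):
        return f"OK user={login}"
    return "ERR"


def parse_helper_reply(reply: str) -> tuple[bool, dict[str, str]]:
    """Split a helper reply into its OK/ERR result and its key=value pairs."""
    parts = shlex.split(reply)
    ok = parts[0] == "OK"
    pairs: dict[str, str] = {}
    for token in parts[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            pairs[key] = value
    return ok, pairs


def ext_user_match(reply: str, acl_users: set[str]) -> int:
    """Evaluate an 'acl ... ext_user <names>' entry against a helper reply.
    Returns 1 for a match, 0 for a mismatch, and -1 when the reply carries
    no user= label, mirroring the value in the quoted cache.log; the toy
    does not claim to reproduce Squid's internal meaning of -1."""
    _ok, pairs = parse_helper_reply(reply)
    label = pairs.get("user")
    if label is None:
        return -1
    return 1 if label in acl_users else 0


def and_list_matches(results: list[int]) -> bool:
    """An http_access line is an AND list: it applies only if every ACL on
    it returned 1, which is why 'restrictUsers' at -1 fails the deny line."""
    return all(r == 1 for r in results)


if __name__ == "__main__":
    group = "Internet@EXAMPLE.REALM"
    restricted = {"P_7501@EXAMPLE.REALM"}
    for helper in (helper_ok_err_only, helper_with_user_tag):
        reply = helper("P_7501@EXAMPLE.REALM", group)
        verdict = ext_user_match(reply, restricted)
        # restrictedDomains is assumed to have matched (1), as in the log.
        print(f"{helper.__name__}: reply={reply!r} ext_user={verdict} "
              f"deny_applies={and_list_matches([1, verdict])}")
```

Running it shows the plain OK/ERR helper leaving ext_user at -1 so the deny line never applies, while the user= variant lets the same ACL match. Note that the label in the second case is produced by the helper, not by the authentication backend, which is why proxy_auth remains the stronger check for identity.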
Received on Wed Feb 08 2012 - 22:24:52 MST
