Re: [squid-users] Squid and AD Group (ext_ldap_group_acl)

2016-02-07 Thread Amos Jeffries
On 7/02/2016 9:39 p.m., Olivier CALVANO wrote:
> Hi
> 
> I have a problem with AD Group, I use this config:
> 
> 
> external_acl_type AD_Group children-startup=5 children-max=100
> concurrency=80 ttl=1800 negative_ttl=900 %LOGIN
> /usr/lib64/squid/ext_ldap_group_acl -d -S -K -R -b DC=mydomain,DC=fr -D
> cn=UserAdmin,ou=vpn,dc=mydomain,dc=fr -w "Pa77word" -f
> (&(objectclass=person)
> (sAMAccountName=%v)(memberof=CN=%g,OU=Admin,DC=mydomain,DC=fr)) -h
> 192.168.10.1
> 
> 
> acl Group_Allowed external AD_Group Internet-Access
> http_access allow Group_Allowed
> http_access deny !Group_Allowed
> 
> 
> When I want to use the proxy, Squid requests the login/pass all the time

To check group membership, Squid must first know what user login
credentials are being checked.


> 
> If I change the config:
> 
> http_access allow Group_Allowed
> http_access deny !Group_Allowed

As Group_Allowed uses the %LOGIN format code it will perform 407 auth if it
is used on any line and login is not yet provided, or do 407
re-authentication whenever it is the last ACL named on a deny line, in order
to give the user the chance to provide credentials that will pass the test.

In this particular config setup use "deny all" instead of "deny
!Group_Allowed".

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
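
The 407 behaviour described in the reply above, as an added example that is not part of the original thread and is not Squid code: a simplified Python model of http_access evaluation comparing "deny !Group_Allowed" with "deny all". The user names and the group table are constructed for illustration.

```python
# Added example: simplified model of how Squid turns http_access lines into
# 200 / 403 / 407. Not Squid source code; users and groups are constructed.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Acl:
    name: str
    needs_login: bool                      # proxy_auth, or external ACL using %LOGIN
    match: Callable[[Optional[str]], bool]

@dataclass
class Rule:
    action: str                            # "allow" or "deny"
    terms: List[Tuple[Acl, bool]]          # (acl, negated) pairs, ANDed together

def evaluate(rules: List[Rule], user: Optional[str]) -> int:
    """Status for one request; user=None means no Proxy-Authorization header."""
    for rule in rules:
        matched = True
        for acl, negated in rule.terms:
            if acl.needs_login and user is None:
                return 407                 # cannot test the group without a login
            if acl.match(user) == negated:
                matched = False
                break
        if not matched:
            continue
        if rule.action == "allow":
            return 200
        # A deny line matched: if its last ACL is auth-related, Squid asks for
        # credentials again (407) instead of refusing outright (403).
        return 407 if rule.terms[-1][0].needs_login else 403
    # No line matched: Squid applies the opposite of the last line's action.
    return 403 if rules[-1].action == "allow" else 200

GROUPS = {"UserTest": {"Internet-Access"}, "guest": set()}   # constructed data
group_allowed = Acl("Group_Allowed", True,
                    lambda u: "Internet-Access" in GROUPS.get(u, set()))
all_acl = Acl("all", False, lambda u: True)

ORIGINAL = [Rule("allow", [(group_allowed, False)]),   # http_access allow Group_Allowed
            Rule("deny", [(group_allowed, True)])]     # http_access deny !Group_Allowed
FIXED = [Rule("allow", [(group_allowed, False)]),      # http_access allow Group_Allowed
         Rule("deny", [(all_acl, False)])]             # http_access deny all

if __name__ == "__main__":
    for label, rules in (("deny !Group_Allowed", ORIGINAL), ("deny all", FIXED)):
        print(label, {u: evaluate(rules, u) for u in (None, "UserTest", "guest")})
```

With the original rules a logged-in user who fails the group test receives 407 on every request, which the browser shows as a repeating login prompt; with "deny all" the same user receives 403, while a request without credentials is still challenged once.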


[squid-users] Squid and AD Group (ext_ldap_group_acl)

2016-02-07 Thread Olivier CALVANO
Hi

I have a problem with AD Group, I use this config:


external_acl_type AD_Group children-startup=5 children-max=100
concurrency=80 ttl=1800 negative_ttl=900 %LOGIN
/usr/lib64/squid/ext_ldap_group_acl -d -S -K -R -b DC=mydomain,DC=fr -D
cn=UserAdmin,ou=vpn,dc=mydomain,dc=fr -w "Pa77word" -f
(&(objectclass=person)
(sAMAccountName=%v)(memberof=CN=%g,OU=Admin,DC=mydomain,DC=fr)) -h
192.168.10.1


acl Group_Allowed external AD_Group Internet-Access
http_access allow Group_Allowed
http_access deny !Group_Allowed


When I want to use the proxy, Squid requests the login/pass all the time

If I change the config:

http_access allow Group_Allowed
http_access deny !Group_Allowed
to
#http_access allow Group_Allowed
#http_access deny !Group_Allowed

access is OK but it doesn't use the AD Group :<.


On the command line it works:


/usr/lib64/squid/ext_ldap_group_acl -d -S -K -R -b DC=mydomain,DC=fr -D
cn=UserAdmin,ou=vpn,dc=mydomain,dc=fr -w "Pa77word" -f
"(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%g,OU=Admin,DC=mydomain,DC=fr))"
-h 192.168.10.1
UserTest Internet-Access
OK

In cache.log, I have only:

ext_ldap_group_acl.cc(587): pid=9767 :Connected OK
ext_ldap_group_acl.cc(726): pid=9767 :group filter
'(&(objectclass=person)(sAMAccountName=0)(memberof=CN=UserTest,OU=Admin,DC=mydomain,DC=fr))',
searchbase 'DC=mydomain,DC=fr'
ext_ldap_group_acl.cc(726): pid=9767 :group filter
'(&(objectclass=person)(sAMAccountName=0)(memberof=CN=Internet-Access,OU=Admin,DC=mydomain,DC=fr))',
searchbase 'DC=mydomain,DC=fr'


Has anyone had this type of problem?

thanks
Olivier


Re: [squid-users] Squid LDAP Auth ?

2016-02-07 Thread Olivier CALVANO
I set keepalive to off and now it works ;=)



2016-02-07 8:02 GMT+01:00 Amos Jeffries:

> On 7/02/2016 7:11 p.m., Olivier CALVANO wrote:
> >
> > 2016/02/07 07:08:11.637 kid1| client_side.cc(2321) parseHttpRequest: HTTP
> > Client local=192.168.10.1:8080 remote=192.168.10.100:51964 FD 18 flags=1
> > 2016/02/07 07:08:11.637 kid1| client_side.cc(2322) parseHttpRequest: HTTP
> > Client REQUEST:
> > -
> > CONNECT 0.client-channel.google.com:443 HTTP/1.1
> > User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
> > Firefox/38.0
> > Proxy-Connection: keep-alive
> > Connection: keep-alive
> > Host: 0.client-channel.google.com:443
> >
> >
> > --
>
>
> There are no credentials in that request message. The others in your
> trace all show up the same. So the 407 / AUTH_REQUIRED is correct
> response for all those messages.
>
> Amos