[squid-users] Fw: squid_ldap_group config

2004-12-01 Thread Kelly_Connor
Hi all,

I hope this has not been addressed anywhere in the mailing lists.  I did a
search and couldn't find anything, and I've already RTFM'd.

I don't understand how to set up the squid_ldap_group external acl type.

We are running Novell eDirectory and using various LDAP groups to
(hopefully) control internet access for our various high school campuses.
We want to have different control lists based upon the user.  Students are
denied ftp downloads and are sent to a redirector/content filter, while we
IT people don't go to the redirector and get ftp downloads.

The man page for external_acl_type doesn't seem clear to me.

This is what I've got so far:

external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b 
-D  -w  -f
"(&(cn=%v)(groupMembership=cn=))" -h ldap.host
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b 
-D  -w  -f
"(&(cn=%v)(groupMembership=cn=))" -h ldap.host

acl Restricted port 20 21 1025-65535

acl external ldap_group deny Restricted
acl external ldap_group allow Restricted

I'm certain I am doing something wrong with my "acl external" lines.  How
do I differentiate the two different groups?  How exactly is the
external_acl_type line used?  Is ldap_group a reserved phrase that has to
follow external_acl_type?  How do I return to squid the group membership
token for the user?

Thanks for any illumination...


Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]



Re: [squid-users] Fw: squid_ldap_group config

2004-12-01 Thread Matt Benjamin
Kelly,
The intent of the Squid mechanism is, I think, a bit obscure--hopefully 
the authors will step forward and show how you set up the two distinct 
external auth mechanisms it appears you need in order for Squid to a) 
authenticate to LDAP and b) do the group check.

However, our solution (which resembles that used in a commercial K12 
proxy solution which I shall not name), is as follows:

1. We use one external authenticator, the squid_ldap_auth program
2. All traffic is sent to a customized Squidguard redirect_program--our 
version combines a bunch of extant modifications, including LDAP 
group-based ACLs, and a modified logging feature used to drive reporting
3. Any sort of authorization rule, including one forbidding specific 
users/groups to visit FTP urls, would happen here.  For example, your 
source group might be "kids," and the destination group anything 
matching an "^ftp://" regex.

We have some tweaks to Webmin, a real-time log parser, and reporting 
tool we're releasing, that organize all this.

Matt
Re: [squid-users] Fw: squid_ldap_group config

2004-12-01 Thread Carissa Srugis
I am trying to do a similar thing.  I tried to install
squid_ldap_auth but it keeps failing during make.  At first, it could
not find some of the include files, but I think I fixed that by adding
some symbolic links for each file from the /usr/local/include
directory to the /usr/include directory.  These were various ldap
include files.  I am using FreeBSD 4.10 if it makes a difference.
After I made those links, the make continued for a while but
ultimately failed with numerous errors of "empty declaration" and "useless
keyword or type name in empty declaration".

Any ideas?

Thanks!
Carissa


On Wed, 01 Dec 2004 12:39:49 -0500, Matt Benjamin <[EMAIL PROTECTED]> wrote:

-- 
*
Carissa Srugis
[EMAIL PROTECTED]


Re: [squid-users] Fw: squid_ldap_group config

2004-12-01 Thread Kelly_Connor
Hi Matt -

Your solution sounds pretty cool, but my boss is really "pro-vendor"
software and I have won a big point getting squid into our district.

However, he is dead set on keeping Websense as our content filter, and does
not want our internet system to become difficult to support if someone
leaves the department.

If I use the squid_ldap_auth program, I can only use one group and I am
stuck in an accept/deny internet filtering role.  I had this working for a
while, but it does not fit our organization quite right.  I stumbled upon
squid_ldap_group and it sounds like it works perfectly, but I am really
confused as to how to use an external_acl_type role, and how to bring this
group information back to squid for potential redirection, ftp filtering or
user denial.

Is there anyone on this list who currently uses squid_ldap_group to
segregate internet traffic permission?

Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]

Re: [squid-users] Fw: squid_ldap_group config

2004-12-01 Thread Tim Neto
Hello,
While I'm not using a Novell LDAP server, here is a snippet from the 
configuration I have working.   Note: KCL uses a SunONE Directory Server.

-
auth_param basic program /usr/lib/squid/squid_ldap_auth -h ldap.komatsu.ca -p 389 -P -b o=komatsu -f "(|(uid=%s)(mail=%s))"

auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minute
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h ldap.komatsu.ca -p 389 -P -b o=komatsu -F "(|(uid=%s)(mail=%s))" -f "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"

refresh_pattern ^ftp:      1440  20%  10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern .             0  20%   4320
# --
# Default Squid ACL's
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 21
acl Safe_ports port 70
acl Safe_ports port 80
acl Safe_ports port 81
acl Safe_ports port 89
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 443 563
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
# --
# KCL Defined ACL's and http_access definitions.
acl kcl_users proxy_auth REQUIRED
acl kcl_networks src 192.168.0.0/16
# LDAP group acl definitions.
#
# Puro
acl puro_groups external ldap_group puro puro_a puro_c puro_e puro_f puro_k puro_kr puro_te puro_tr puro_w
#
# Proxy
acl proxy_groups external ldap_group proxy proxy_a proxy_c proxy_e proxy_f proxy_k proxy_kr proxy_te proxy_tr proxy_w
#
# I left these for individual divisional controls, just in case they are needed.
acl proxy_a   external  ldap_group proxy_a
acl proxy_c   external  ldap_group proxy_c
acl proxy_e   external  ldap_group proxy_e
acl proxy_f   external  ldap_group proxy_f
acl proxy_k   external  ldap_group proxy_k
acl proxy_kr  external  ldap_group proxy_kr
acl proxy_te  external  ldap_group proxy_te
acl proxy_tr  external  ldap_group proxy_tr
acl proxy_w   external  ldap_group proxy_w

http_access allow manager localhost
http_access allow manager kcl_networks
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# --
# Note: KCL deny rules must exist before any allow rules.
#
acl no_kazaa dstdomain .kazaa.com
acl no_puretracks dstdomain .puretracks.com
http_access deny no_kazaa
http_access deny no_puretracks
# --
# Puro group allowed list of web sites.
# ACLs
#
acl puro_denharco_com dstdomain .denharco.com
acl puro_emeryworld_com  dstdomain .emeryworld.com
acl puro_emeryworldwide_com  dstdomain .emeryworldwide.com
acl puro_fedex_com dstdomain .fedex.com
acl puro_fleetguard_com dstdomain .fleetguard.com
acl puro_hexaware_com dstdomain .hexaware.com
acl puro_hrparts_com dstdomain .hrparts.com
acl puro_komatsu_co_jp dstdomain .komatsu.co.jp
acl puro_komatsu_com dstdomain .komatsu.com
acl puro_machinerytrader_com dstdomain .machinerytrader.com
acl puro_machinetrader_com dstdomain .machinetrader.com
acl puro_mailposte_ca dstdomain .mailposte.ca
acl puro_ups_ca dstdomain .ups.ca
acl puro_ups_com dstdomain .ups.com
# --
# Access enablers
#
# Group: puro_groups
http_access allow kcl_networks puro_groups puro_denharco_com
http_access allow kcl_networks puro_groups puro_emeryworld_com
http_access allow kcl_networks puro_groups puro_emeryworldwide_com
http_access allow kcl_networks puro_groups puro_fedex_com
http_access allow kcl_networks puro_groups puro_fleetguard_com
http_access allow kcl_networks puro_groups puro_hexaware_com
http_access allow kcl_networks puro_groups puro_hrparts_com
http_access allow kcl_networks puro_groups puro_komatsu_co_jp
http_access allow kcl_networks puro_groups puro_komatsu_com
http_access allow kcl_networks puro_groups puro_machinerytrader_com
http_access allow kcl_networks puro_groups puro_machinetrader_com
http_access allow kcl_networks puro_groups puro_mailposte_ca
http_access allow kcl_networks puro_groups puro_ups_ca
http_access allow kcl_networks puro_groups puro_ups_com
#
# --
# Allow all proxy users to all web addresses.
#
# http_access allow kcl_networks proxy_a
# http_access allow kcl_networks proxy_c
# http_access allow kcl_networks proxy_e
# http_access allow kcl_networks proxy_f
# http_access allow kcl_networks proxy_k
# http_access allow kcl_networks proxy_k

RE: [squid-users] Fw: squid_ldap_group config

2004-12-01 Thread Chris Robertson
For clarification, I don't use the squid_ldap_group external acl, so I may
be completely off base, but that's never stopped me from giving suggestions
before.  :o)  All the following advice assumes that you have the arguments
to squid_ldap_group correct.

I think you want to change your external acl lines to something like:

external_acl_type allowed_group %LOGIN /usr/sbin/squid_ldap_group -b  \
  -D  -w  -f "(&(cn=%v)(groupMembership=cn=))" \
  -h ldap.host
external_acl_type denied_group %LOGIN (yadda, yadda)

The second argument to external_acl_type is the title of the external acl,
which you use to reference it when you make a (non external) acl.  It's a
bit confusing to be sure, but I certainly can't think of a better way to do
it.

Now that you have your external acls named, set the acl lines up like:

acl Restricted port 20 21 1025-65535  # (no change)
acl allowedGroup external allowed_group
acl deniedGroup external denied_group

Now you can use the acl names "Restricted", "allowedGroup" and "deniedGroup"
to route traffic to the redirectors or whatever.  In the next line, I've set
it up such that deniedGroup can't access the restricted ports.

http_access deny deniedGroup Restricted

Chris

Re: [squid-users] Fw: squid_ldap_group config

2004-12-06 Thread Tim Neto
Hello Kelly,
From the man page for squid_ldap_group:

-
  -f filter
         LDAP search filter used to search the LDAP directory for any
         matching group memberships.  In the filter %u will be replaced
         by the user login name (or DN if the -F or -u options are used)
         and %g by the requested group name.

  -F filter
         LDAP search filter used to search the LDAP directory for any
         matching users.  In the filter %s will be replaced by the user
         login name.  If % is to be included literally in the filter then
         use %%.
-

The lower case dash f, "-f", is a filter used to match group records 
from your LDAP database.

The upper case dash F, "-F", is a filter used to match user records from 
your LDAP database.

As for the definition I defined and used here at KCL, I allow two 
different styles of user name recognition when replying to a proxy 
challenge.  One is by the user's identifier (UID), the other is by the 
user's E-Mail address.

-
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h ldap.komatsu.ca -p 389 -P -b o=komatsu -F "(|(uid=%s)(mail=%s))" -f "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"
-

If your LDAP schema uses a different tag for the user identifier than 
"uid", you may want to consider using the "-F" option.

Hope this helps.  Sorry for the delayed reply.  Last week became quite 
busy...

Tim
---
Timothy E. Neto
Computer Systems Engineer Komatsu Canada Limited
Ph#: 905-625-6292 x2651725B Sismet Road
Fax: 905-625-6348 Mississauga, Canada
E-Mail: [EMAIL PROTECTED]  L4W 1P9
---

[EMAIL PROTECTED] wrote:

> Hi Tim -
> Looking over what you sent me, I have made a few changes.
> First, I have taken port 21 out of Safe_ports, since I don't want free
> access to FTP downloads.
> What is going on in your squid_ldap_auth line?  What is the difference
> between "-F" and "-f"?  The man page does not even mention -F.
> I have modified my set thus far:
>
> external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b
> ou=techsvc,o=gps -D cn=squid,ou=global,o=gps -w  -f
> "(&(cn=%s)(groupMembership=cn=RestrictedInternetAccess,ou=techsvc,o=gps))"
> -h FS-GPS1.GPS
> acl Restricted port 20 21 1025-65535
> acl RestrictedUsers external ldap_group RestrictedInternetAccess
> acl OpenUsers external ldap_group InternetAccess
> http_access allow Restricted OpenUsers
> http_access deny !Safe_ports
>
> Am I doing something wrong with the external_acl_type line?
> Kelly Connor
> Network Technician
> Gilbert Unified School District
> [EMAIL PROTECTED]



Re: [squid-users] Fw: squid_ldap_group config

2004-12-09 Thread Henrik Nordstrom
On Wed, 1 Dec 2004 [EMAIL PROTECTED] wrote:

> I hope this has not been addressed anywhere in the mailing lists.  I did a
> search and couldn't find anything, and I've already RTFM'd.
> I don't understand how to set up the squid_ldap_group external acl type.

Start with setting up squid_ldap_auth WITHOUT any group restrictions. Then 
look into configuring squid_ldap_group. You need both.

> This is what I've got so far:
> external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b 
> -D  -w  -f
> "(&(cn=%v)(groupMembership=cn=))" -h ldap.host

This is almost correct, but the group search filter should look for both 
the username and the group name, neither hardcoded. The group name is then 
specified in the acl.

Usually things look something like the following:

auth_param basic program /path/to/squid_ldap_auth -f "(&(uid=%s)(objectClass=person))" -b dc=yourcompany,dc=com -h your.ldap.server
external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group -F "(&(uid=%s)(objectClass=person))" -f "(&(member=%u)(cn=%g))" -b dc=yourcompany,dc=com -h your.ldap.server
acl ldap_group_1 external ldap_group groupname1
acl ldap_group_2 external ldap_group groupname2
...

Then ldap_group_1 and ldap_group_2 are used in your http_access rules as 
required to authorize users' access to the proxy.

In the above, uid=%s assumes users are identified by their uid 
attribute in your LDAP directory, cn=%g that groups are identified by 
their CN, and that the base DN of your LDAP tree is dc=yourcompany,dc=com.

Regards
Henrik
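Added example for this thread (not Squid's code and not from any of the posters): a Python stand-in for the squid_ldap_group helper that shows what Tim's -f/-F explanation and Henrik's uid=%s / member=%u / cn=%g filters do, and answers Kelly's question about the group "token": the helper never returns a group name, it only answers OK or ERR for the groups named on the `acl ... external ldap_group` line. The directory entries, the DNs under o=gps, the groupMembership / uniquemember attribute layout and the filter strings are constructed for the example; real LDAP matching rules (case-insensitive attributes, wildcards) are not modelled.

```python
"""Stand-in for squid_ldap_group's helper logic (added for this thread; not Squid's own code).
Squid writes one line per lookup to the helper, '<%LOGIN value> <group> [<group> ...]', the
groups being those named on the 'acl NAME external ldap_group ...' line, and reads back OK
(user is in at least one listed group) or ERR. No group name is ever handed back to Squid."""
import re
import sys

DIRECTORY = [  # constructed sample tree standing in for LDAP; attribute names lowercase
    {"dn": "cn=student1,ou=students,o=gps", "cn": ["student1"], "uid": ["student1"],
     "objectclass": ["person"], "groupmembership": ["cn=RestrictedInternetAccess,ou=techsvc,o=gps"]},
    {"dn": "cn=kconnor,ou=techsvc,o=gps", "cn": ["kconnor"], "uid": ["kconnor"],
     "objectclass": ["person"], "groupmembership": ["cn=InternetAccess,ou=techsvc,o=gps"]},
    {"dn": "cn=InternetAccess,ou=techsvc,o=gps", "cn": ["InternetAccess"],
     "objectclass": ["groupOfUniqueNames"], "uniquemember": ["cn=kconnor,ou=techsvc,o=gps"]},
    {"dn": "cn=RestrictedInternetAccess,ou=techsvc,o=gps", "cn": ["RestrictedInternetAccess"],
     "objectclass": ["groupOfUniqueNames"], "uniquemember": ["cn=student1,ou=students,o=gps"]},
]
# eDirectory style (Kelly's tree, no -F): membership is an attribute of the user entry.
GROUP_FILTER_EDIR = "(&(cn=%u)(groupMembership=cn=%g,ou=techsvc,o=gps))"
# -F/-f pair in Tim's and Henrik's style: resolve the user's DN, then find a group listing it.
USER_FILTER = "(&(uid=%s)(objectClass=person))"
GROUP_FILTER_DN = "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"

def ldap_escape(value):
    """RFC 4515 escaping, so a login such as 'a)(b' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def expand(template, **subs):
    """Substitute %s/%u/%g with escaped values; '%%' yields a literal '%'."""
    def repl(m):
        key = m.group(1)
        return "%" if key == "%" else ldap_escape(subs[key]) if key in subs else m.group(0)
    return re.sub(r"%(.)", repl, template)

def parse_filter(s, i=0):
    """Parse the filter subset used here: (attr=value), (&...), (|...). Returns (node, end)."""
    i += 1                                       # skip '('
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1                 # skip the closing ')'
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value), j + 1

def matches(node, entry):
    if node[0] == "=":
        return node[2] in entry.get(node[1], [])
    return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])

def check_membership(directory, login, groups, user_filter, group_filter):
    """squid_ldap_group semantics: OK if the login is in ANY of the listed groups."""
    user = login                                 # without -F, %u is the login name itself
    if user_filter:                              # with -F, %u becomes the user's DN
        node, _ = parse_filter(expand(user_filter, s=login))
        hits = [e for e in directory if matches(node, e)]
        if len(hits) != 1:                       # unknown or ambiguous user: deny
            return "ERR"
        user = hits[0]["dn"]
    for group in groups:
        node, _ = parse_filter(expand(group_filter, u=user, g=group))
        if any(matches(node, e) for e in directory):
            return "OK"
    return "ERR"

def serve(directory, user_filter, group_filter, lines):
    """One OK/ERR answer per '<login> <group> ...' request line, as the helper protocol expects."""
    return [check_membership(directory, f[0], f[1:], user_filter, group_filter)
            for f in (line.split() for line in lines) if f]

if __name__ == "__main__":                       # drop-in trial: feed request lines on stdin
    print("\n".join(serve(DIRECTORY, USER_FILTER, GROUP_FILTER_DN, sys.stdin)))
```

Feeding it `kconnor InternetAccess` and `student1 InternetAccess` on stdin yields `OK` then `ERR`, which is exactly the shape of exchange Squid has with the real helper; the only thing Squid learns about a user is whether the acl line's group list matched.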