Hello Tommy,

Just my two cents. Try using userPrincipalName, and not sAMAccountName, in the LDAP 
filter.
The squid logs indicate the user is authenticated as tcradd...@example.com which is 
*not* in sAMAccountName for sure.

Best regards,
Rafael Akchurin
Diladele B.V.
http://www.quintolabs.com
http://www.diladele.com

--
Please take a look at Web Safety - our ICAP based web filter server for Squid 
proxy at http://www.diladele.com.

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Craddock, Tommy
Sent: Tuesday, April 5, 2016 11:16 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] External ACL Lookup

Hello,

Trying to use an external ACL helper to do a lookup of my user in a group in a 
Windows AD.  I can test from the command line:

/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com
tcradd...@example.com Full.Access
OK


In the cache.log w/debug set to ALL,3:

2016/04/05 16:54:39.768| aclMatchExternal: memberof user not authenticated (0)
GETTING KERB TOKEN.....
...
2016/04/05 16:54:39.780| authenticateAuthUserAddIp: user 'tcradd...@example.com' has been seen at a new IP address (172.23.5.193:56059)
2016/04/05 16:54:39.780| aclMatchExternal: memberof("tcradd...@example.com Full.Access") = lookup needed
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": entry=@0, age=0
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": queueing a call.
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": return -1.
2016/04/05 16:54:39.780| externalAclLookup: lookup in 'memberof' for 'tcradd...@example.com Full.Access'
2016/04/05 16:54:39.784| externalAclHandleReply: reply="ERR"
2016/04/05 16:54:39.785| external_acl_cache_add: Adding 'tcradd...@example.com Full.Access' = 0
2016/04/05 16:54:39.785| aclMatchExternal: memberof = 0

In the file referenced in the ACLs:

acl RestrictedAccess    external memberof "/etc/squid/restricted_access.txt"
acl FullAccess          external memberof "/etc/squid/full_access.txt"


it has:

cat /etc/squid/full_access.txt
Full.Access

cat /etc/squid/restricted_access.txt
Restricted.Access

I'm not sure why the logs show my user getting ERR as the response to the group 
check, when I run it from the command line I get an OK.


Info about my setup:

[root@clwslprox01p squid]# squid -v
Squid Cache: Version 3.1.23
configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' 
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' 
'--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--enable-internal-dns' 
'--disable-strict-error-checking' '--exec_prefix=/usr' 
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--with-logdir=$(localstatedir)/log/squid' 
'--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' 
'--enable-arp-acl' '--enable-follow-x-forwarded-for' 
'--enable-auth=basic,digest,ntlm,negotiate' 
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth'
 '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' 
'--enable-digest-auth-helpers=password,ldap,eDirectory' 
'--enable-negotiate-auth-helpers=squid_kerb_auth' 
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
 '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
'--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' 
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' 
'--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' 
'--enable-esi' '--enable-http-violations' '--with-aio' 
'--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' 
'--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 
'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic 
-fpie' --with-squid=/builddir/build/BUILD/squid-3.1.23

[root@clwslprox01p squid]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)

Using negotiate w/NTLM and Kerberos to do user auth, and trying to use external 
helpers to do group lookups to a Windows AD.  Windows AD is 2008 and 2012 in my 
env.

Squid.conf:


### cache manager
cache_mgr pc...@example.com

#Define the cache_peer to be used
# cache_peer proxy1.ap.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest
  cache_peer proxy1.us.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.hk.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest


### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE.COM --require-membership-of=EXAMPLE\\Full.Access -kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE\\Full.Access
auth_param ntlm children 30
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via 
kerberos/ntlm
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f sAMAccountName=%s -h DC01.EXAMPLE.COM
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/.ldappass.txt -f "(&(objectclass=person)(sAMAccountName=$)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h DC01.EXAMPLE.COM

### acl for proxy auth and ldap authorizations
acl our_networks src  172.16.0.0/12 10.0.0.0/8 192.170.0.0/24
acl INTERNAL dst 172.16.0.0/12 10.0.0.0/8
acl auth proxy_auth REQUIRED
acl HEAD method HEAD
acl RestrictedAccess    external memberof "/etc/squid/restricted_access.txt"
acl FullAccess          external memberof "/etc/squid/full_access.txt"
acl Approved_Domains dstdomain "/etc/squid/acls/approved.txt"
acl WindowsUpdate dstdomain -i "/etc/squid/acls/windowsupdates.txt"
acl local-servers dstdomain "/etc/squid/acls/localservers.txt"
acl RestrictedHost src "/etc/squid/acls/restrictedhost_ip.txt"
acl bypass_auth src "/etc/squid/acls/bypass_auth_src_ip.txt"
acl bypass_auth-external dstdomain "/etc/squid/acls/bypass_auth_dst_domain.txt"
acl blocksites dstdomain "/etc/squid/acls/block_sites.txt"
acl DIRECT src "/etc/squid/acls/direct_src_ip.txt"
acl DIRECT-external dstdomain "/etc/squid/acls/direct_dst_domains.txt"
acl Smartconnect dstdomain ned.webscanningservice.com
acl Java browser Java/[0-9]
acl JavaSites dstdomain .gotomeeting.com
always_direct allow INTERNAL
always_direct allow local-servers
cache deny INTERNAL
cache deny local-servers



### squid defaults
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443 563 33808
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
#allow custom ports
acl goto_meeting dst 216.115.208.0/20 216.219.112.0/20 66.151.158.0/24 66.151.150.160/27 66.151.115.128/26 64.74.80.0/24 202.173.24.0/21 67.217.64.0/19 78.108.112.0/20 68.64.0.0/19 206.183.100.0/22
acl Safe_ports port 8200        # gotomeeting
acl Safe_ports port 31303 33808 # TD Merchant
acl Safe_ports port 8443        # Symantec SEP Manager
acl Safe_ports port 8014               # Symantec SEPM Client
acl SSL_ports port 9443         # pingdevfed
acl SSL_ports port 9444         # pingdevfed
acl SSL_ports port 5443         # pingdev
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny !memberof
http_access allow localhost
http_access allow HEAD
http_access deny !our_networks
http_access allow Smartconnect
http_access deny blocksites all
http_access allow Approved_Domains
http_access deny RestrictedHost all
http_access allow FullAccess auth
http_access allow Java
http_access allow WindowsUpdate
http_access allow bypass_auth
http_access allow bypass_auth-external
http_access allow goto_meeting
http_access allow our_networks all
http_access allow Java our_networks JavaSites
http_access allow auth
http_access deny !auth
http_access deny all


deny_info error-blocksites blocksites

#Logs to look like apache
emulate_httpd_log on

#Level of Log debugging
debug_options ALL,1

#Log file locations
cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log
useragent_log /var/log/squid/useragent.log

#Hostname shown in error pages
visible_hostname proxy01p
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
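As an added illustration (not part of either message in this thread, and not Squid's own squid_ldap_group source), the Python model below shows how a group helper of this kind turns the login Squid hands it into an LDAP filter. The -K and -S switches are modelled as realm and domain stripping, and only %v (login) and %g (group) are substituted, as in the command line quoted above; the directory entries, the login and the group values are all constructed. It runs the two filter shapes discussed in the thread (sAMAccountName=%v and userPrincipalName=%v) against the same UPN-form login so you can see which attribute the comparison actually hits, and it also shows that a template with no %v placeholder (the quoted squid.conf line carries a literal `$` where the command line carries %v) never sees the login at all.

```python
"""Model of a Squid external ACL group helper: login + group -> LDAP filter -> OK/ERR.

Added example. The stripping switches, the %v/%g substitution and the AD-style
directory are modelled here; they are not the real helper's code.
"""
import re

# Constructed sample directory: hypothetical AD-style entries, keyed by lowercased attribute.
DIRECTORY = [
    {
        "objectclass": "person",
        "samaccountname": "tcraddock",
        "userprincipalname": "tcraddock@example.com",
        "memberof": ["cn=Full.Access,ou=Some Group,dc=EXAMPLE,dc=COM"],
    },
    {
        "objectclass": "person",
        "samaccountname": "jdoe",
        "userprincipalname": "jdoe@example.com",
        "memberof": ["cn=Restricted.Access,ou=Some Group,dc=EXAMPLE,dc=COM"],
    },
]

# The two filter shapes discussed in the thread, plus the page's "$" variant (no %v placeholder).
SAM_FILTER = "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))"
UPN_FILTER = "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))"
NO_PLACEHOLDER_FILTER = "(&(objectclass=person)(sAMAccountName=$)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))"


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters: the login comes from the client, so it must
    not be able to change the structure of the filter (e.g. turn an equality into a wildcard)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldap_unescape(value):
    """Reverse ldap_escape (\\XX hex escapes) when comparing against stored values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def normalise_login(login, strip_realm=False, strip_domain=False):
    """Model of -K (drop a Kerberos '@REALM' suffix) and -S (drop an NT 'DOMAIN\\' prefix)."""
    if strip_realm and "@" in login:
        login = login.split("@", 1)[0]
    if strip_domain and "\\" in login:
        login = login.rsplit("\\", 1)[1]
    return login


def build_filter(template, user, group):
    """Substitute %v (login) and %g (group) into the -f template. Anything else in the
    template, such as a bare '$', is left untouched and compared literally."""
    return template.replace("%v", ldap_escape(user)).replace("%g", ldap_escape(group))


def entry_matches(entry, filt):
    """Evaluate a filter of the shape (&(a=v)(b=w)...) against one entry.

    Only this AND-of-equalities shape (the one used in the thread) is supported.
    Attribute names and values compare case-insensitively, as AD does for these attributes.
    """
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filt)
    if not m:
        raise ValueError("unsupported filter shape: " + filt)
    for attr, val in re.findall(r"\(([^=()]+)=([^()]*)\)", m.group(1)):
        stored = entry.get(attr.lower())
        if stored is None:
            return False
        wanted = ldap_unescape(val).lower()
        values = stored if isinstance(stored, list) else [stored]
        if wanted not in [v.lower() for v in values]:
            return False
    return True


def group_check(login, group, template, strip_realm=False, strip_domain=False):
    """Answer one 'login group' request with OK or ERR, as the helper protocol does."""
    user = normalise_login(login, strip_realm, strip_domain)
    filt = build_filter(template, user, group)
    return "OK" if any(entry_matches(e, filt) for e in DIRECTORY) else "ERR"


if __name__ == "__main__":
    import sys
    # Helper-protocol style loop: "login group [group ...]" per line, OK if any group matches.
    for line in sys.stdin:
        parts = line.split()
        if len(parts) < 2:
            print("ERR")
            continue
        hits = [group_check(parts[0], g, UPN_FILTER, strip_domain=True) for g in parts[1:]]
        print("OK" if "OK" in hits else "ERR")
```

Piped a line such as `tcraddock@example.com Full.Access`, the script answers OK or ERR per line like the helper. With the sAMAccountName template the UPN-form login only matches once the realm is stripped; with the userPrincipalName template it matches as-is; with a template that has no %v the login is never substituted and every lookup returns ERR. The escaping step is worth keeping in any real helper because the login string originates with the authenticated client.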
