Hi,

When using the latest squid 4 release you can use %note{group} to get the group information from the Negotiate Kerberos helper to transfer the PAC group SIDs to the external ACL helper.

squid.conf

...
external_acl_type test_acl ipv4 %LOGIN %note{group} /opt/squid-trunk/sbin/test_acl
acl squid_allow external test_acl
...

The helper script will initially look for the objectSid of the group SQUID_ALLOW (i.e. it will only be called when the helper is started and never again - good for performance). After that the SIDs from the Kerberos PAC information are compared with the previously retrieved SID from AD.


#!/bin/bash
#
# GET SID for Group
#
export KRB5CCNAME=/tmp/squid_krb5cc
kinit -kt /etc/squid/squid.keytab HTTP/opensuse42.suse.home
# objectSid is binary, so ldapsearch prints it base64-encoded as
# "objectSid:: <base64>"; keep only the value. Errors stay on stderr
# and therefore show up in cache.log.
SID=$(ldapsearch -LLL -Ygssapi -H ldap://dc1.samba.home:389 -s sub -b "DC=samba,DC=home" "(CN=SQUID_ALLOW)" objectsid | awk '{ if ( $0 ~/^object/ ) print $2}')

# Squid collects helper stderr into cache.log
log() { echo "$(date +"%Y/%m/%d %H:%M:%S")| test_ACL: $*" >&2; }

log "SID=$SID"

#
# Loop over input: Squid sends one "<user> <group-list>" line per request
# and expects exactly one OK/ERR reply per line. The loop ends on EOF
# (Squid closing the pipe) instead of spinning forever.
#
while read -r user groups _; do
  found=0
  log "user=$user"
  log "groups=$groups"
  if [ -n "$groups" ]; then
    # the note value is a comma separated list of base64 SIDs
    while IFS= read -r group; do
      if [ "$group" == "$SID" ]; then
        log "matched group: $group"
        found=1
        break   # a second match must not produce a second reply
      fi
    done <<< "$(echo "$groups" | tr , "\n")"
  fi
  if [ $found -eq 1 ]; then
    echo "OK"
  else
    echo "ERR"
  fi
done

Example log from the cache.log file


2017/08/08 20:02:02 kid1| helperOpenServers: Starting 0/5 'test_acl' processes
2017/08/08 20:02:02 kid1| helperOpenServers: No 'test_acl' processes needed.
2017/08/08 20:02:23 kid1| Starting new test_acl helpers...
2017/08/08 20:02:23 kid1| helperOpenServers: Starting 1/5 'test_acl' processes
2017/08/08 20:02:24| test_ACL: SID=AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA==
2017/08/08 20:02:24| test_ACL: user=administra...@samba.home
2017/08/08 20:02:24| test_ACL: groups=AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVCAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVPAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVBwIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVBgIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVAAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA==
2017/08/08 20:02:24| test_ACL: matched group: AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA==


Regards
Markus

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
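As an added example that is not part of the post above and not Squid's own code: the same external ACL helper written in Python, with the base64 PAC SIDs decoded into the familiar S-1-5-21-... form before comparison, so the allow list can be maintained as readable SIDs and malformed entries are skipped instead of breaking the helper. The allow-list SID is the base64 value shown in the post's log; the sample request line, the login name user@samba.home, the encode_sid helper and the assumption that Squid sends "-" for an empty %note field are constructed for this example.

```python
#!/usr/bin/env python3
# Added example of a Squid external_acl_type helper for "%LOGIN %note{group}".
# Not the original poster's script and not part of Squid; the sample input,
# the login name and encode_sid() are constructed for this example.
import base64
import struct
import sys

# Base64 objectSid of SQUID_ALLOW, taken from the log lines in the post.
SQUID_ALLOW_B64 = "AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA=="

# Constructed request line: login (assumed) plus the group list from the post's log.
SAMPLE_LINE = (
    "user@samba.home "
    "AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVCAIAAA==,"
    "AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVPAIAAA==,"
    "AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVBwIAAA==,"
    "AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVBgIAAA==,"
    "AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVAAIAAA==,"
    "AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA=="
)


def decode_sid(b64):
    """Turn a base64-encoded binary SID into its S-1-5-21-... string form.

    Binary layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count little-endian
    uint32 sub-authorities; the last one is the RID.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(authority, subs):
    """Inverse of decode_sid(); only used to build test SIDs (constructed helper)."""
    raw = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    raw += struct.pack("<%dI" % len(subs), *subs)
    return base64.b64encode(raw).decode("ascii")


def parse_groups(field):
    """Split the %note{group} field into decoded SIDs, skipping bad entries.

    Assumption: Squid sends "-" when the note is absent; a missing field is
    treated the same way. A garbage entry is logged to stderr (cache.log)
    and ignored rather than taking the whole helper down.
    """
    if not field or field == "-":
        return []
    sids = []
    for part in field.split(","):
        try:
            sids.append(decode_sid(part))
        except (ValueError, struct.error) as exc:
            print("helper: ignoring bad SID %r: %s" % (part, exc), file=sys.stderr)
    return sids


def decide(line, allowed):
    """Return 'OK' or 'ERR' for one '%LOGIN %note{group}' request line."""
    fields = line.split()
    if not fields:
        return "ERR"
    groups = parse_groups(fields[1] if len(fields) > 1 else "")
    return "OK" if any(sid in allowed for sid in groups) else "ERR"


def main():
    # Allow list held as readable SIDs; resolved once at helper start.
    allowed = {decode_sid(SQUID_ALLOW_B64)}
    for line in sys.stdin:
        # Exactly one reply per request line, flushed immediately: the
        # helper protocol is line based and Squid waits for the answer.
        print(decide(line, allowed), flush=True)


if __name__ == "__main__":
    main()
```

Run it as the external_acl_type program in place of the bash script; the allow list can then be written as S-1-5-21-...-<RID> strings (for example taken from Get-ADGroup or `wbinfo --name-to-sid`) instead of raw base64 blobs.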
