Hello,
I have Squid running here at Komatsu Canada with basic LDAP authentication against a SunONE directory server. My Squid host is a RedHat 9.0 (Linux 2.4) on a Dell PowerEdge 1650. The Squid version is the default shipped with RedHat 9.0.
I need to get the LDAP group support enabled. I've read through as much documentation as I can without my pea-brain exploding, but I keep getting the following error.
squid (pid 6251 6249) is running...
20040112 15:04:09| _*squid.conf line 83: acl kclit_grp ldap_group kclit*_
20040112 15:04:09| _*aclParseAcleLine: Invalid ACL type 'ldap_group'*_
20040112 15:04:09| squid.conf line 85: http_access allow kclit_ncd kclit_grp
20040112 15:04:09| aclParseAccessLine: ACL name 'kclit_grp' not found.
The error on line 85 I understand is due to the error on line 83. My sanitized configuration file is:
/etc/squid/squid.conf
=================================================================================
# ----------------------------------------------------------------------
http_port 142.230.9.19:80
http_port 192.168.2.250:8888

# ----------------------------------------------------------------------
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

cache_mgr [EMAIL PROTECTED]
# ----------------------------------------------------------------------
auth_param basic program /usr/lib/squid/squid_ldap_auth -h ldap_server.komcdn.ca -p 489 -P -b o=kc -f "uid=%s"
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

*external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h ldap_server.komcdn.ca -p 489 -P -b o=kc -f "(&(cn=%g)(uniquemember=uid=%u,*)(objectClass=groupOfUniqueNames))"*
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# ----------------------------------------------------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 81 # Alternate http port.
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# ----------------------------------------------------------------------
# Note: KCL deny rules must exist before any allow rules.
#
acl no_kazaa dstdomain .kazaa.com
acl no_puretracks dstdomain .puretracks.com
acl no_uproar dstdomain .uproar.com
acl no_ncd dstdomain .ncd.com

http_access deny no_kazaa
http_access deny no_puretracks
http_access deny no_uproar
#
# block the test domain from all users.
http_access deny no_ncd

# ----------------------------------------------------------------------
# KCL Defined ACL's and http_access definitions.
acl kc_networks src 192.168.2.0/8
acl kc_users proxy_auth REQUIRED
acl dmz_networks src 142.230.9.17/28

# allow only this test domain for IT test group
acl kcit_ncd dstdomain .ncd.com

*acl kcit_grp ldap_group kcit*

*http_access allow kcit_ncd kcit_grp*
http_access allow kc_networks kc_users

# ----------------------------------------------------------------------
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all

# ----------------------------------------------------------------------
httpd_accel_host dmz_host.kc.ca
httpd_accel_port 8000
httpd_accel_single_host on
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# ----------------------------------------------------------------------
coredump_dir /var/spool/squid
=================================================================================
If you count the lines in the file above, the count will not reflect the lines listed in the error message. I have removed some acl definitions that are for Komatsu Canada only. IP and port numbers are changed to preserve security.
I've tested the ldap filters defined for the squid_ldap_group plug-in. I tested the filter with SunONE's ldapsearch command. I get the expected results for positive and negative queries. The Linux host can access the LDAP server. The auth_param defined logic does work. My users are getting challenged and appropriately authenticated.
Does anyone know if the "external_acl_type" directive works with Squid 2.5.STABLE1? Am I pissing in the wind here? Does anyone have it working? I read that some are trying to use squid_ldap_group in the user lists, but I do not sense too much success. (Note, the man page in RedHat 9.0 for squid_ldap_group sucks. It is too terse. And, it has typos. "gorup"???)
Any help would be greatly appreciated.
Thanks.
Tim
--
----------------------------------------------------------------------
Timothy E. Neto                  Computer Systems Engineer
Komatsu Canada Limited           Ph#: 905-625-6292 x265
1725B Sismet Road                Fax: 905-625-6348
Mississauga, Ontario, Canada     E-Mail: [EMAIL PROTECTED]
L4W 1P9
----------------------------------------------------------------------
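The two messages in the cache.log above are the two things Squid's parser checks when it reads ACL lines: that the word after the ACL name is a known ACL type (an `external_acl_type` name is not one; the documented form is `acl NAME external TYPE args`), and that every name on an `http_access` line was actually defined. An ACL line Squid rejects is not installed, so the `http_access` line that references it is dropped as well, and the effective access policy silently differs from what the file says. The checker below, added here as an example and not part of the post or of the Squid project, reproduces those two checks over a constructed excerpt modelled on the posted configuration. The built-in type list is a partial one I assembled for this check (an assumption; extend it for your own file), and the LDAP host name in the sample is a constructed placeholder.

```python
"""Pre-flight check of squid.conf ACL lines for the two parser errors quoted above."""
import shlex

# Partial list of Squid 2.5 built-in ACL types (assumption: extend as needed).
BUILTIN_ACL_TYPES = {
    "src", "dst", "myip", "srcdomain", "dstdomain", "srcdom_regex", "dstdom_regex",
    "time", "url_regex", "urlpath_regex", "port", "myport", "proto", "method",
    "browser", "ident", "ident_regex", "src_as", "dst_as", "proxy_auth",
    "proxy_auth_regex", "snmp_community", "maxconn", "max_user_ip",
    "req_mime_type", "rep_mime_type", "external",
}

# Constructed excerpt modelled on the posted configuration (not the full file).
BROKEN_CONF = """\
auth_param basic program /usr/lib/squid/squid_ldap_auth -h ldap.example.invalid -b o=kc -f "uid=%s"
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h ldap.example.invalid -b o=kc -f "(&(cn=%g)(uniquemember=uid=%u,*)(objectClass=groupOfUniqueNames))"
acl all src 0.0.0.0/0.0.0.0
acl kc_users proxy_auth REQUIRED
acl kcit_ncd dstdomain .ncd.com
acl kcit_grp ldap_group kcit
http_access allow kcit_ncd kcit_grp
http_access deny all
"""

# Same excerpt with the group ACL written in Squid's external ACL syntax.
FIXED_CONF = BROKEN_CONF.replace("acl kcit_grp ldap_group kcit",
                                 "acl kcit_grp external ldap_group kcit")


def tokenize(line):
    """Split one squid.conf line: quotes group words, '#' starts a comment."""
    try:
        return shlex.split(line, comments=True)
    except ValueError:          # unbalanced quotes: skip the line instead of crashing
        return []


def check_acls(conf_text):
    """Return [(line_no, message), ...] for ACL lines Squid's parser would reject."""
    findings = []
    external_types = set()
    defined_acls = set()
    lines = conf_text.splitlines()

    # Pass 1: collect external_acl_type names (they may be declared after use).
    for tokens in map(tokenize, lines):
        if len(tokens) >= 2 and tokens[0] == "external_acl_type":
            external_types.add(tokens[1])

    # Pass 2: acl definitions, then the http_access lines that reference them.
    for line_no, raw in enumerate(lines, 1):
        tokens = tokenize(raw)
        if not tokens:
            continue
        if tokens[0] == "acl" and len(tokens) >= 3:
            name, acl_type = tokens[1], tokens[2]
            if acl_type in external_types:
                # The posted mistake: the external class name used as if it were a type.
                findings.append((line_no, f"acl {name}: '{acl_type}' is an external_acl_type "
                                          f"name; write 'acl {name} external {acl_type} ...'"))
            elif acl_type == "external":
                class_name = tokens[3] if len(tokens) > 3 else ""
                if class_name in external_types:
                    defined_acls.add(name)
                else:
                    findings.append((line_no, f"acl {name}: no external_acl_type "
                                              f"named '{class_name}'"))
            elif acl_type in BUILTIN_ACL_TYPES:
                defined_acls.add(name)
            else:
                findings.append((line_no, f"acl {name}: invalid ACL type '{acl_type}'"))
        elif tokens[0] == "http_access" and len(tokens) >= 3:
            # A rejected acl is never defined, so the rule referencing it is dropped too.
            for ref in tokens[2:]:
                acl_name = ref.lstrip("!")
                if acl_name not in defined_acls:
                    findings.append((line_no, f"http_access: ACL name '{acl_name}' not found"))
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"--- {label} ---")
        for line_no, message in check_acls(conf) or [(0, "no problems found")]:
            print(f"line {line_no}: {message}")
```

Run against the broken excerpt it reports the `acl kcit_grp` line and then the `http_access` line that uses `kcit_grp`, the same pair of complaints as in the quoted cache.log; the fixed excerpt produces no findings. The same two-pass structure works on a full squid.conf read from disk, which makes it a cheap check to run before `squid -k reconfigure` so that a rule does not vanish from the policy unnoticed.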
