Rafael,

Thanks for your reply. Substituting userPrincipalName for sAMAccountName in both the command line and squid.conf produces an ERR:

/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com
tcradd...@example.com Full.Access
ERR

cat /etc/squid/squid.conf | grep userPrin
external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f "(&(objectclass=person)(userPrincipalName=$)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com

cache.log:

2016/04/05 17:45:24.190| authenticateAuthUserAddIp: user 'tcradd...@example.com' has been seen at a new IP address (172.23.5.193:57445)
2016/04/05 17:45:24.190| aclMatchExternal: memberof("tcradd...@example.com Full.Access") = lookup needed
2016/04/05 17:45:24.190| aclMatchExternal: "tcradd...@example.com Full.Access": entry=@0, age=0
2016/04/05 17:45:24.190| aclMatchExternal: "tcradd...@example.com Full.Access": queueing a call.
2016/04/05 17:45:24.190| aclMatchExternal: "tcradd...@example.com Full.Access": return -1.
2016/04/05 17:45:24.190| externalAclLookup: lookup in 'memberof' for 'tcradd...@example.com Full.Access'
2016/04/05 17:45:24.196| externalAclHandleReply: reply="ERR"
2016/04/05 17:45:24.196| external_acl_cache_add: Adding 'tcradd...@example.com Full.Access' = 0
2016/04/05 17:45:24.196| aclMatchExternal: memberof = 0

Tommy E Craddock Jr
Systems Admin
BIC Advertising & Promotional Products


From: Rafael Akchurin [mailto:rafael.akchu...@diladele.com]
Sent: Tuesday, April 05, 2016 5:25 PM
To: Craddock, Tommy; squid-users@lists.squid-cache.org
Subject: RE: External ACL Lookup

Hello Tommy,

Just my two cents. Try using userPrincipalName, and not sAMAccountName, in the LDAP filter. The squid logs indicate the user is authenticated as tcradd...@example.com which is *not* in sAMAccountName for sure.

Best regards,
Rafael Akchurin
Diladele B.V.
http://www.quintolabs.com
http://www.diladele.com


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Craddock, Tommy
Sent: Tuesday, April 5, 2016 11:16 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] External ACL Lookup

Hello,

Trying to use an external ACL helper to do a lookup of my user in a group in a Windows AD.

I can test from the command line:

/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com
tcradd...@example.com Full.Access
OK

In cache.log with debug set to ALL,3:

2016/04/05 16:54:39.768| aclMatchExternal: memberof user not authenticated (0)
GETTING KERB TOKEN.....
...
2016/04/05 16:54:39.780| authenticateAuthUserAddIp: user 'tcradd...@example.com' has been seen at a new IP address (172.23.5.193:56059)
2016/04/05 16:54:39.780| aclMatchExternal: memberof("tcradd...@example.com Full.Access") = lookup needed
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": entry=@0, age=0
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": queueing a call.
2016/04/05 16:54:39.780| aclMatchExternal: "tcradd...@example.com Full.Access": return -1.
2016/04/05 16:54:39.780| externalAclLookup: lookup in 'memberof' for 'tcradd...@example.com Full.Access'
2016/04/05 16:54:39.784| externalAclHandleReply: reply="ERR"
2016/04/05 16:54:39.785| external_acl_cache_add: Adding 'tcradd...@example.com Full.Access' = 0
2016/04/05 16:54:39.785| aclMatchExternal: memberof = 0

In the file referenced in the ACLs:

acl RestrictedAccess external memberof "/etc/squid/restricted_access.txt"
acl FullAccess external memberof "/etc/squid/full_access.txt"

it has:

cat /etc/squid/full_access.txt
Full.Access
cat /etc/squid/restricted_access.txt
Restricted.Access

I'm not sure why the logs show my user is getting ERR as the response to group checking, when I run it from the command line, I get an OK.

Info about my setup:

[root@clwslprox01p squid]# squid -v
Squid Cache: Version 3.1.23
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-internal-dns' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' '--enable-digest-auth-helpers=password,ldap,eDirectory' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--enable-http-violations' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.23

[root@clwslprox01p squid]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)

Using negotiate w/NTLM and Kerberos to do user auth, and trying to use external helpers to do group lookups to a Windows AD. Windows AD is 2008 and 2012 in my env.

Squid.conf:

### cache manager
cache_mgr pc...@example.com

#Define the cache_peer to be used
# cache_peer proxy1.ap.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest
cache_peer proxy1.us.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.hk.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE.COM --require-membership-of=EXAMPLE\\Full.Access -kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE\\Full.Access
auth_param ntlm children 30
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/password -f sAMAccountName=%s -h DC01.EXAMPLE.COM
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D sq...@example.com -W /etc/squid/.ldappass.txt -f "(&(objectclass=person)(sAMAccountName=$)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h DC01.EXAMPLE.COM

### acl for proxy auth and ldap authorizations
acl our_networks src 172.16.0.0/12 10.0.0.0/8 192.170.0.0/24
acl INTERNAL dst 172.16.0.0/12 10.0.0.0/8
acl auth proxy_auth REQUIRED
acl HEAD method HEAD
acl RestrictedAccess external memberof "/etc/squid/restricted_access.txt"
acl FullAccess external memberof "/etc/squid/full_access.txt"
acl Approved_Domains dstdomain "/etc/squid/acls/approved.txt"
acl WindowsUpdate dstdomain -i "/etc/squid/acls/windowsupdates.txt"
acl local-servers dstdomain "/etc/squid/acls/localservers.txt"
acl RestrictedHost src "/etc/squid/acls/restrictedhost_ip.txt"
acl bypass_auth src "/etc/squid/acls/bypass_auth_src_ip.txt"
acl bypass_auth-external dstdomain "/etc/squid/acls/bypass_auth_dst_domain.txt"
acl blocksites dstdomain "/etc/squid/acls/block_sites.txt"
acl DIRECT src "/etc/squid/acls/direct_src_ip.txt"
acl DIRECT-external dstdomain "/etc/squid/acls/direct_dst_domains.txt"
acl Smartconnect dstdomain ned.webscanningservice.com
acl Java browser Java/[0-9]
acl JavaSites dstdomain .gotomeeting.com
always_direct allow INTERNAL
always_direct allow local-servers
cache deny INTERNAL
cache deny local-servers

### squid defaults
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443 563 33808
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

#allow custom ports
acl goto_meeting dst 216.115.208.0/20 216.219.112.0/20 66.151.158.0/24 66.151.150.160/27 66.151.115.128/26 64.74.80.0/24 202.173.24.0/21 67.217.64.0/19 78.108.112.0/20 68.64.0.0/19 206.183.100.0/22
acl Safe_ports port 8200        # gotomeeting
acl Safe_ports port 31303 33808 # TD Merchant
acl Safe_ports port 8443        # Symantec SEP Manager
acl Safe_ports port 8014        # Symantec SEPM Client
acl SSL_ports port 9443         # pingdevfed
acl SSL_ports port 9444         # pingdevfed
acl SSL_ports port 5443         # pingdev
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny !memberof
http_access allow localhost
http_access allow HEAD
http_access deny !our_networks
http_access allow Smartconnect
http_access deny blocksites all
http_access allow Approved_Domains
http_access deny RestrictedHost all
http_access allow FullAccess auth
http_access allow Java
http_access allow WindowsUpdate
http_access allow bypass_auth
http_access allow bypass_auth-external
http_access allow goto_meeting
http_access allow our_networks all
http_access allow Java our_networks JavaSites
http_access allow auth
http_access deny !auth
http_access deny all
deny_info error-blocksites blocksites

#Logs to look like apache
emulate_httpd_log on

#Level of Log debugging
debug_options ALL,1

#Log file locations
cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log
useragent_log /var/log/squid/useragent.log

#Hostname shown in error pages
visible_hostname proxy01p

http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
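As an added illustration, not code from Squid or from anyone in this thread, the script below models what the squid_ldap_group helper does with the username Squid hands it: -K strips the Kerberos realm (the part after "@"), -S strips an NT domain prefix, and the %v and %g tokens of the -f template are replaced by the escaped user and group before the search is sent. Fed the three filters quoted in the thread against one constructed directory entry (the entry, the login "someuser@example.com", the escaping routine and the tiny filter matcher are all my assumptions, not the helper's real code or a real directory), it returns OK for the command-line filter and ERR for the squid.conf variant, whose "(sAMAccountName=$)" contains no %v token and so sends the same literal filter for every user; with -K in effect, a userPrincipalName filter also returns ERR because the realm the UPN needs has already been stripped. The escaping step is the part a defender should keep when writing any such substitution: a username is attacker-controlled input to the filter.

```python
"""Constructed model of squid_ldap_group's username handling and -f
filter expansion (Squid 3.1 options -K, -S, -f with %v / %g).
Added example only; assumptions are marked in the comments."""
import re

# Constructed inputs: the three filters are the ones quoted in the thread,
# the login and the directory entry are made up for the demonstration.
CLI_FILTER = '(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))'
CONF_FILTER = '(&(objectclass=person)(sAMAccountName=$)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))'
UPN_FILTER = '(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))'
LOGIN = 'someuser@example.com'          # what Squid's %LOGIN carries after Kerberos auth (assumed)
ENTRY = {                               # one AD-style user object (assumed, attribute names lowercased)
    'objectclass': ['top', 'person', 'user'],
    'samaccountname': 'someuser',
    'userprincipalname': 'someuser@example.com',
    'memberof': ['CN=Full.Access,OU=Some Group,DC=EXAMPLE,DC=COM'],
}


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of a value spliced into a search filter, so that a
    username such as '*)(objectclass=*' cannot change the filter's shape."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def normalize_user(login: str, strip_realm: bool = True, strip_domain: bool = True) -> str:
    """Model of -K (drop '@REALM') and -S (drop 'DOMAIN\\' or 'DOMAIN/')."""
    user = login.split('@', 1)[0] if strip_realm and '@' in login else login
    return re.split(r'[\\/]', user)[-1] if strip_domain else user


def build_filter(template: str, user: str, group: str) -> str:
    """Expand %v (user) and %g (group); anything else, '$' included, is literal."""
    def sub(m):
        code = m.group(1)
        if code == 'v':
            return ldap_escape(user)
        if code == 'g':
            return ldap_escape(group)
        return m.group(0)
    return re.sub(r'%([a-zA-Z])', sub, template)


def missing_user_placeholder(template: str) -> bool:
    """Config lint: a -f filter without %v can never select the caller's account."""
    return '%v' not in template


def matches(filter_str: str, entry: dict) -> bool:
    """Evaluate a conjunctive equality filter '(&(a=v)(b=v)...)' against one
    entry; multi-valued attributes are lists. Enough for the thread's filters,
    not a general LDAP filter parser (assumed, case-insensitive comparison)."""
    for attr, value in re.findall(r'\(([^=()]+)=([^()]*)\)', filter_str):
        stored = entry.get(attr.lower(), [])
        stored = [stored] if isinstance(stored, str) else stored
        if value.lower() not in (s.lower() for s in stored):
            return False
    return True


def helper_reply(template: str, login: str, group: str, entry: dict,
                 strip_realm: bool = True, strip_domain: bool = True) -> str:
    """What the helper would print for one 'user group' input line."""
    user = normalize_user(login, strip_realm, strip_domain)
    return 'OK' if matches(build_filter(template, user, group), entry) else 'ERR'


if __name__ == '__main__':
    for name, tmpl in (('command line', CLI_FILTER), ('squid.conf', CONF_FILTER), ('UPN with -K', UPN_FILTER)):
        print('%-13s %-4s %s' % (name, helper_reply(tmpl, LOGIN, 'Full.Access', ENTRY),
                                 build_filter(tmpl, normalize_user(LOGIN), 'Full.Access')))
    print('UPN, no -K   %s' % helper_reply(UPN_FILTER, LOGIN, 'Full.Access', ENTRY, strip_realm=False))
    print('config lint: squid.conf filter lacks %%v: %s' % missing_user_placeholder(CONF_FILTER))
```

Run stand-alone it prints the expanded filter next to each reply, which is the quickest way to spot that the squid.conf template never receives the login at all; the missing_user_placeholder check is the sort of test worth running over every external_acl_type line before reloading, and ldap_escape is the reason a substitution of this kind must never be done with plain string concatenation.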
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users