On Tue, Aug 30, 2016 at 4:05 AM, alberto <[email protected]> wrote:
> Hi all,
> I have a squid3 installation with kerberos ldap groups authentication.
> Everything works like a charm except for one of my users that belongs to
> too many groups (more than 50): this user can not browse any site because
> of authentication problem.
> I always see TCP_DENIED/407 in the squid log file for that user.
>
> Is there a parameter that I can change in the squid.conf file to increase
> the number of groups allowed during authentication?
> FYI I'm on Debian Jessie and using this kerberos configuration
>

If you are using group membership authorization purely to allow/deny access globally (rather than for specific sites), you can tweak your filter to accomplish that...

> ====squid.conf snippet=======
> [snip]
> ################# Basic Auth ########################
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -D
> [email protected] -W /etc/squid3/ldappwd.txt -h "example.lcl" -b
> "OU=root,DC=EXAMPLE,DC=LCL" -s sub -f (&(objectClass=Person)(
> sAMAccountName=%s))
>

This filter (after "-f") could be tweaked like this:

(&(objectClass=Person)(sAMAccountName=%s)(|(memberOf=CN=group1,OU=somewhere,dc=EXAMPLE,dc=LCL)(memberOf=CN=group2,OU=somewhere,dc=EXAMPLE,dc=LCL)))

That would allow the user to login if they are a member of either group. (That syntax/schema is for AD, feel free to adjust as needed.)
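The group-restricted filter suggested in the reply above, generated rather than typed by hand, as an added example that is not part of the original message or of Squid. The function names are hypothetical; the group DNs are the sample ones from the reply, and the escaping follows RFC 4515 so a group name containing parentheses or an asterisk cannot change the filter's structure.

```python
"""Build the basic_ldap_auth "-f" filter that also requires group membership.

Added illustration, not Squid's own code. Function names are hypothetical.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(group_dns, user_placeholder="%s"):
    """Return (&(objectClass=Person)(sAMAccountName=%s)(|(memberOf=...)...)).

    %s is the login-name placeholder used in the filter on this page, so it
    is passed through untouched.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    members = "".join("(memberOf=%s)" % escape_value(dn) for dn in group_dns)
    return "(&(objectClass=Person)(sAMAccountName=%s)(|%s))" % (
        user_placeholder, members)


def parens_balanced(ldap_filter):
    """True when every structural '(' has a matching ')'.

    Escaped parentheses appear as \\28 and \\29, so every literal one counts.
    """
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Sample DNs taken from the reply above.
    groups = ["CN=group1,OU=somewhere,dc=EXAMPLE,dc=LCL",
              "CN=group2,OU=somewhere,dc=EXAMPLE,dc=LCL"]
    flt = build_login_filter(groups)
    print(flt, "balanced" if parens_balanced(flt) else "UNBALANCED")
```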
