> On 6 Oct 2022, at 03:40, Amos Jeffries <squ...@treenet.co.nz> wrote:
>
> On 6/10/22 02:29, Djerk Geurts wrote:
>> Hi,
>> I’ve got LDAP auth working against FreeIPA, but now I’m trying to get LDAP
>> group all controls working. Initially I used the local unix group filter,
>> which works great as the machine running Squid is able to query group
>> membership through pam. But then I found that nested group membership didn’t
>> work. So now I’m trying to query group membership via LDAP and failing
>> miserably.
>> My config:
>> auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b
>> "cn=users,cn=accounts,dc=DOMAIN,dc=COM" -D
>> "uid=squid-ldap,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM" -W
>> "/etc/squid/squid-ldap.cred" -u uid -H LDAPS://ipa.domain.com:636
>> […]
>
> To clarify, does the above description mean login with this helper works fine?
Yes, normal logins work fine if I don’t use the group filtering in http_access
> > -b "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" \
> > -f "(&(cn=%g)(member=uid=%u))" \
> > ...
>
> You can add '-d' (lower case) to get a debug trace in cache.log about what is
> happening inside the helper.
Thank you, I’d seen the flag just not where the logs would end up and of course
checked all but cache.log…
> You can use that to confirm the user/group details are arriving properly and
> the filter string is correct before it gets sent to LDAP.
>
> Also, see whether LDAP is having connectivity issues, or search issues, or
> something else is going on.
>
> FWIW, the above reads to me like you are looking up the existence of the
> group rather than the existence of a specific user within a group. My LDAP
> knowledge is weak, so I may be wrong about that.
Yeah, I’ve been wondering this too and my LDAP knowledge is quite poor. And it
turns out that you're absolutely right.
>
>> This ldap search works fine:
>> user@ipa:~$ ldapsearch -x -D 'cn=Directory Manager' -W -b
>> "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" '(&(cn=proxy)(member=uid=user,*))'
>
> I notice that there is an extra ',*' after the username in this filter string
> which is missing on the helper one.
The ldapsearch works fine with and without it. The ,* is meant to match the
rest of the DN but I think isn’t needed. I could be very wrong though. In
hindsight, comparing the search results I now see that my first query returns a
list of group members, but the correct query returns all user details if the
user is a member of the given group.
>
>> So how am I meant to set the filter of ext_ldap_group_acl?
>
> FYI, what the Squid helpers do is replace the %g and %u values and pass the
> resulting string as the 'filter' to LDAP.
>
> Meaning that the filter used by Squid should be the same as the ldapsearch
> filter would be if you were searching for username "%u" in group "%g".
Thank you! This plus a little more Googling has yielded the following search
string and ldap_group config which works (even for nested groups):
## IPA groups via LDAP
external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -d \
-b "cn=users,cn=accounts,dc=DOMAIN,dc=COM" \
-D "uid=squid-ldap,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM" \
-W "/etc/squid/squid-ldap.cred" \
-f "(&(objectclass=person)(uid=%u)(memberOf=cn=%g,cn=groups,cn=accounts,dc=DOMAIN,dc=COM))" \
-H LDAPS://ipa.domain.com:636
I also found that the credentials file I’m using had the wrong permissions. It
hadn’t shown up earlier as anonymous bind was enabled previously. Interesting
that logging when using `-d` on the auth plugins only gets put into cache.log
and not the Journal.
--
Thank you,
Djerk
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
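An added illustration (not from the thread and not Squid's own helper source) of the substitution Amos describes: %u and %g are dropped into the filter template from the working config above, with RFC 4515 escaping applied so a login containing filter metacharacters cannot add assertions to the query. Whether the real helper escapes these values is not stated in the thread; the template and the DOMAIN/COM placeholders are taken from the message, and the sample logins are constructed.

```python
import re

# RFC 4515 escaping of values placed inside an LDAP search filter.
# Assumption (not stated in the thread): the helper substitutes %u/%g
# textually; this models that step so the final filter can be inspected.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Filter template from the working ext_ldap_group_acl config in the thread.
GROUP_FILTER = ("(&(objectclass=person)(uid=%u)"
                "(memberOf=cn=%g,cn=groups,cn=accounts,dc=DOMAIN,dc=COM))")

# Matches one attribute assertion such as "(uid="; "(&" and "(|" do not match.
_ASSERTION = re.compile(r"\(([A-Za-z][\w.;-]*)=")


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter(template: str, user: str, group: str, escape: bool = True) -> str:
    """Replace %u and %g as the helper does; escaping is the safe default."""
    u = escape_filter_value(user) if escape else user
    g = escape_filter_value(group) if escape else group
    return template.replace("%u", u).replace("%g", g)


def count_assertions(flt: str) -> int:
    """Number of attribute assertions; the template above always has three."""
    return len(_ASSERTION.findall(flt))


def filter_intact(template: str, user: str, group: str) -> bool:
    """True if the substituted user/group values added no assertions."""
    expected = count_assertions(template)
    return count_assertions(build_filter(template, user, group)) == expected


if __name__ == "__main__":
    # Constructed inputs: a normal login and one containing filter metacharacters.
    for login in ("alice", "user)(uid=*"):
        print(build_filter(GROUP_FILTER, login, "proxy"))
        raw = build_filter(GROUP_FILTER, login, "proxy", escape=False)
        print("  raw substitution adds assertions:",
              count_assertions(raw) != count_assertions(GROUP_FILTER))
```

Running the escaped filter through the helper's `-d` trace in cache.log is the quickest way to confirm the same string is what actually reaches the directory.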