Dear Squid Support Team,
I am currently configuring Squid to use Kerberos authentication with Active 
Directory (AD) group-based access control, but I am encountering an issue where 
the ACLs for AD groups are not being applied correctly. Below are the details 
of my setup and the challenges I am facing:
Setup Details:

  1. Kerberos:
     *   Kerberos authentication is working successfully.
     *   The service principal and keytab are correctly configured, and the 
kinit command works as expected.
  2. LDAP:
     *   LDAP connectivity is functional. I can successfully query the Active 
Directory using ldapsearch:

ldapsearch -x -H ldap://172.16.10.254 \
    -D "CN=Administrator,CN=Users,DC=demo,DC=local" -w Passw0rd \
    -b "DC=demo,DC=local" "(sAMAccountName=jon.jones)"


     *   The output includes the correct memberof attributes showing the user's 
group memberships.
  3. Squid Configuration:
I have configured Squid for LDAP group-based access control as follows:

external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R \
    -b "DC=demo,DC=local" \
    -D "CN=Administrator,CN=Users,DC=demo,DC=local" \
    -w Passw0rd \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,CN=Users,DC=demo,DC=local))" \
    -h 172.16.10.254

acl FullAccess external ldap_group FullAccess
acl Restricted external ldap_group Restricted
acl Filtered external ldap_group Filtered
acl Blocked external ldap_group Blocked

http_access deny Blocked
http_access allow FullAccess
http_access allow Restricted allowed_sites
http_access deny Restricted
http_access deny Filtered bad_sites
http_access allow Filtered
http_access deny all


  4. What Works:
     *   Kerberos authentication is functioning as expected.
     *   The ext_ldap_group_acl utility works correctly when tested manually:

echo "jon.jones FullAccess" | /usr/lib/squid/ext_ldap_group_acl -R \
    -b "DC=demo,DC=local" \
    -D "CN=Administrator,CN=Users,DC=demo,DC=local" \
    -w Passw0rd \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,CN=Users,DC=demo,DC=local))" \
    -h 172.16.10.254


The output returns OK, indicating that the LDAP group membership is correctly 
validated.
  5. The Problem:
     *   When users authenticate via Kerberos, the Squid ACLs based on AD 
groups are not being matched.
     *   All users fall into the default http_access deny all rule, even if 
they belong to a permitted AD group.
  6. Log Example:
In the cache.log file, I see the following entries:

WARNING: external_acl_type 'ldap_group' queue overload
...
Checklist.cc answer DENIED for match
...
setAuth: WARNING: Graceful closure on conn due to connection-auth erase from ConnStateData::SwanSong cleanup


Request for Assistance:

  *   How can I ensure that Squid properly applies AD group-based ACLs when 
users authenticate via Kerberos?
  *   Are there specific configurations or known limitations for combining 
Kerberos authentication with LDAP group validation in Squid?

I would greatly appreciate any guidance or suggestions to resolve this issue. 
If additional logs or details are needed, please let me know.
Thank you for your support!
Best regards,
Enfal gok
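
Added illustration for readers of this thread (editor's example, not part of the message above and not Squid's own code). The manual test in the message feeds the bare name "jon.jones" to the helper, but with Negotiate/Kerberos authentication Squid's %LOGIN is normally the full principal, "jon.jones@DEMO.LOCAL". The script below mimics the helper's substitution of %v and %a into the exact filter template from the squid.conf in the message, against a constructed stand-in for the directory, to show that the realm-suffixed form cannot match an sAMAccountName lookup while the realm-stripped form can, and that substituted values must be escaped per RFC 4515 so a login or group name cannot alter the filter's structure. The directory contents, the `strip_realm` switch and the `helper_answer` function are assumptions of this example; the helper's usage text, as I recall it, lists a `-K` option for stripping the Kerberos realm, but confirm that against `ext_ldap_group_acl -h` on the installed build.

```python
"""
Constructed model of how the login Squid passes to an external ACL helper
is substituted into the LDAP filter template from the squid.conf above.
Not Squid or ext_ldap_group_acl code: it reproduces the substitution step
only, to show the user@REALM mismatch and the need for filter escaping.
"""
import re

# Filter template copied from the squid.conf in the message (%v = user, %a = group).
FILTER_TEMPLATE = (
    "(&(objectclass=person)(sAMAccountName=%v)"
    "(memberof=CN=%a,CN=Users,DC=demo,DC=local))"
)

# RFC 4515 escaping for values embedded in an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape filter metacharacters so user-controlled text stays a literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def normalize_login(login: str, strip_realm: bool) -> str:
    """Reduce a login to the bare account name.

    NT-style DOMAIN\\user is reduced to user; with strip_realm=True a Kerberos
    principal user@REALM is reduced to user (the behaviour a realm-stripping
    helper option is meant to provide; assumed here, not read from the helper).
    """
    if "\\" in login:
        login = login.rsplit("\\", 1)[1]
    if strip_realm and "@" in login:
        login = login.split("@", 1)[0]
    return login


def build_filter(login: str, group: str, strip_realm: bool = False) -> str:
    """Substitute %v (user) and %a (group) into the template, escaped."""
    user = ldap_escape(normalize_login(login, strip_realm))
    return FILTER_TEMPLATE.replace("%v", user).replace("%a", ldap_escape(group))


# Constructed stand-in for Active Directory: sAMAccountName -> group CNs.
# This is sample data for the example, not a real directory.
DIRECTORY = {"jon.jones": {"FullAccess"}}


def directory_match(filter_str: str) -> bool:
    """Evaluate the two clauses the template uses against the toy directory."""
    m = re.search(r"\(sAMAccountName=([^)]*)\)\(memberof=CN=([^,]*),", filter_str)
    if not m:
        return False
    user, group = m.group(1), m.group(2)
    return group in DIRECTORY.get(user, set())


def helper_answer(login: str, group: str, strip_realm: bool = False) -> str:
    """Return the OK/ERR answer shape an external ACL helper gives Squid."""
    return "OK" if directory_match(build_filter(login, group, strip_realm)) else "ERR"


if __name__ == "__main__":
    # What the manual 'echo "jon.jones FullAccess" | ...' test exercised:
    print("bare name          :", helper_answer("jon.jones", "FullAccess"))
    # What a Kerberos-authenticated request actually hands the helper:
    print("kerberos principal :", helper_answer("jon.jones@DEMO.LOCAL", "FullAccess"))
    # Same principal with the realm stripped before substitution:
    print("realm stripped     :", helper_answer("jon.jones@DEMO.LOCAL", "FullAccess", True))
    # A login containing filter metacharacters stays a literal value:
    print(build_filter("jon*)(objectclass=*", "FullAccess"))
```

The practical check this suggests is to repeat the manual helper test with the exact string Squid logs as the authenticated user (see the `%un` field in access.log) rather than the bare account name; if that returns ERR, the lookup key, not the ACL ordering, is what fails. Separately, the "queue overload" warning means the helper pool is too small for the request rate; `external_acl_type` accepts `children-max=` and `children-startup=` options to size it, and a larger `ttl=` reduces repeated lookups for the same user/group pair.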

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
