LDAP acl groups


LDAP acl groups

Leonardo Bacha Abrantes
Hi guys,

I have an Active Directory running on Windows Server 2008 R2 and Squid (version 3.5.20, CentOS 7) authenticating via LDAP (without Kerberos).
The LDAP authentication is working; the trouble is creating ACLs based on Active Directory groups.


Note: when I run both basic_ldap_auth and ext_ldap_group_acl manually from a console, as the squid user, to test them, I receive 'OK' as the answer.


--->>> My squid.conf:

auth_param basic program /usr/lib64/squid/basic_ldap_auth -P -R -b ou=Users,ou=city,ou=country,dc=company,dc=local -D CN=bindUser,DC=company,DC=local -W PasswdFile -f sAMAccountName=%s -h 192.168.1.9
auth_param basic children 10
auth_param basic realm XXXXX
auth_param basic credentialsttl 10 minutes

external_acl_type memberof %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -R -b OU=city,OU=country,DC=company,DC=local -D CN=bindUser,DC=company,DC=local -W PasswdFile -h 192.168.1.9 -f '(&(objectClass=person)(sAMAccountName=%v)(memberOf=CN=%a,OU=Groups,OU=city,OU=country,dc=company,dc=local))'

#Also tried memberOf=CN=%g

acl fullaccess  external memberof squid_fullaccess

acl LdapUsers proxy_auth REQUIRED
http_access allow fullaccess LdapUsers

###

When I try to authenticate on the proxy it keeps prompting for user/password, and no LDAP query is made to the domain controller to check whether the user is a member of the squid_fullaccess group.


Can you give me some help, please?

Many thanks!

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: LDAP acl groups

Amos Jeffries
Administrator
On 26/01/2017 4:28 a.m., Leonardo Bacha Abrantes wrote:

> Hi guys,
>
> I have an active directory running on windows server 2008 r2 and squid
> (version 3.5.20 - CentOS 7) authenticating via LDAP (without kerberos).
> The ldap authentication is working, the trouble is to create ACLs based on
> active directory groups.
>
>
> OBS: When I run both basic_ldap_auth and ext_ldap_group_acl commands
> manually as squid user in console to test, I receive 'OK' as answer.
>
>
> --->>> My squid.conf:
>
> auth_param basic program /usr/lib64/squid/basic_ldap_auth -P -R -b
> ou=Users,ou=city,ou=country,dc=company,dc=local -D
> CN=bindUser,DC=company,DC=local -W PasswdFile -f sAMAccountName=%s -h
> 192.168.1.9
> auth_param basic children 10
> auth_param basic realm XXXXX
> auth_param basic credentialsttl 10 minutes
>
> external_acl_type memberof %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -R
> -b OU=city,OU=country,DC=company,DC=local -D
> CN=bindUser,DC=company,DC=local -W PasswdFile -h 192.168.1.9 -f
> '(&(objectClass=person)(sAMAccountName=%v)(memberOf=CN=%a,OU=Groups,OU=city,OU=country,dc=company,dc=local))'
>
> #Also tried memberOf=CN=%g
>
> acl fullaccess  external memberof squid_fullaccess
>
> acl LdapUsers proxy_auth REQUIRED
> http_access allow fullaccess LdapUsers


Two things that you really NEED to know:

1) Order is important.
<http://wiki.squid-cache.org/SquidFaq/OrderIsImportant>

So the http_access line you are using tells Squid to check the group and
only for members of the group is authentication to be performed.

How exactly do you expect Squid to know what user to check the groups
for *before* authentication has happened?


2) the popup is a browser decision.

All Squid is doing is telling the browser that credentials are needed to
use the proxy, and what types it can accept. If the browser were
properly doing its SSO the popup would not happen. There is nothing we
can do about that.


What you should do is deny non-authenticated users and only then check
the groups for people who have authenticated:

 http_access deny !LdapUsers
 http_access allow fullaccess

If the popup still occurs, then consider whether the browser was supposed
to have the right credentials to begin with (i.e. registered to the AD
domain controller). If it does, why is it not sending them instead of
doing the popup?


Amos

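The reordered http_access section Amos describes, written out as a complete fragment beside the posted one. This is an added example, not configuration from the thread or from the Squid project: the helper paths, base DNs, bind user, realm and group name are copied from the original post; the ttl/negative_ttl values on the external ACL and the closing "deny all" are assumptions added for illustration.

```conf
# Added example, not from the original post. Helper command lines are the
# ones posted above; ttl/negative_ttl and the final "deny all" are assumptions.

auth_param basic program /usr/lib64/squid/basic_ldap_auth -P -R -b ou=Users,ou=city,ou=country,dc=company,dc=local -D CN=bindUser,DC=company,DC=local -W PasswdFile -f sAMAccountName=%s -h 192.168.1.9
auth_param basic children 10
auth_param basic realm XXXXX
auth_param basic credentialsttl 10 minutes

# ttl/negative_ttl cache the helper's OK/ERR answers per user+group so a fresh
# LDAP search is not made on every request (values are an assumption).
external_acl_type memberof ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -R -b OU=city,OU=country,DC=company,DC=local -D CN=bindUser,DC=company,DC=local -W PasswdFile -h 192.168.1.9 -f '(&(objectClass=person)(sAMAccountName=%v)(memberOf=CN=%a,OU=Groups,OU=city,OU=country,dc=company,dc=local))'

acl LdapUsers  proxy_auth REQUIRED
acl fullaccess external memberof squid_fullaccess

# AS POSTED (wrong order): ACLs on one line are tested left to right, so the
# group lookup is attempted before any credentials have been collected and
# there is no user name to look up.
#http_access allow fullaccess LdapUsers

# CORRECTED: force authentication first, only then test group membership for
# the authenticated login, and deny anything that did not match.
http_access deny !LdapUsers
http_access allow fullaccess
http_access deny all
```

The explicit "deny all" at the end matters: with no matching line, Squid applies the opposite of the last rule, so ending on an allow would let through any request that fell off the end of the list. The cached helper answers mean a group change in AD is not seen until the ttl expires; pick the value with that delay in mind.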