Simple ACL help for Kerberos authenticated sessions

Markus Moeller
Hi,

When using the latest squid 4 release you can use %note{group} to get the group information from the Negotiate Kerberos helper to transfer the PAC group SIDs to the external ACL helper.

squid.conf

...
external_acl_type test_acl ipv4 %LOGIN %note{group} /opt/squid-trunk/sbin/test_acl
acl squid_allow external test_acl
...

The helper script will initially look for the objectsid of the group SQUID_ALLOW (i.e. it will only be called when the helper is started and never again - good for performance). After that the SIDs from the Kerberos PAC information are compared with the previously retrieved SID from AD.


#!/bin/bash
#
# GET SID for Group
#
# Log to stderr (squid copies helper stderr into cache.log); stdout is
# reserved for the OK/ERR replies.
log() {
  echo "$(date +"%Y/%m/%d %H:%M:%S")| test_ACL: $*" >&2
}

# Get a ticket once, at helper start-up, so ldapsearch can bind with GSSAPI.
export KRB5CCNAME=/tmp/squid_krb5cc
kinit -kt /etc/squid/squid.keytab HTTP/opensuse42.suse.home

# ldapsearch prints the binary objectSid base64 encoded ("objectSid:: ..."),
# the same encoding the Kerberos helper uses for the group SIDs in
# %note{group}, so the two can be compared as strings.
SID=`ldapsearch -LLL -Ygssapi -H ldap://dc1.samba.home:389 -s sub -b "DC=samba,DC=home" "(CN=SQUID_ALLOW)" objectsid 2>&1 | awk '{ if ( $0 ~/^object/ ) print $2}'`

log "SID=$SID"
if [ -z "$SID" ]; then
  log "could not retrieve the SID of SQUID_ALLOW, every request will get ERR"
fi

#
# Loop over input
#
# squid sends one request per line: "<user> <group SID>,<group SID>,...".
# The loop ends when squid closes stdin; a plain "read" inside an endless
# loop would keep failing and spin after EOF.
while read -r user groups; do
  found=0
  log "user=$user"
  log "groups=$groups"
  if [ -n "$groups" ]; then
    while read -r group; do
      if [ "$group" == "$SID" ]; then
        log "matched group: $group"
        found=1
        break   # exactly one reply per request; a second "OK" would desync the helper protocol
      fi
    done <<< "$(echo "$groups" | tr , "\n" )"
  fi
  if [ $found -eq 1 ]; then
    echo "OK"
  else
    echo "ERR"
  fi
done

Example log from the cache.log file


2017/08/08 20:02:02 kid1| helperOpenServers: Starting 0/5 'test_acl' processes
2017/08/08 20:02:02 kid1| helperOpenServers: No 'test_acl' processes needed.
2017/08/08 20:02:23 kid1| Starting new test_acl helpers...
2017/08/08 20:02:23 kid1| helperOpenServers: Starting 1/5 'test_acl' processes
2017/08/08 20:02:24| test_ACL: SID=AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA==
2017/08/08 20:02:24| test_ACL: user=[hidden email]
2017/08/08 20:02:24| test_ACL: groups=AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVCAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVPAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVBwIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVBgIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVAAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA==
2017/08/08 20:02:24| test_ACL: matched group: AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA==


Regards
Markus


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users