kerb auth groups KV note acl config

kerb auth groups KV note acl config

Mike Surcouf
Outputting the groups as KV pairs in AD environments on auth seems like a great performance enhancement and will allow me to ditch my ldap lookups.
Is there any docs on how to set this up?
Even looking at the source I can't seem to work it out.
I would like to test and potentially contribute to the DOCS although I am only a git user and bazaar would be new to me so I may just post my experience in this thread.

From what I can see I need to setup a note acl but I am unsure of the key names etc.

A short example would be great.

Thanks

Mike
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: kerb auth groups KV note acl config

Mike Surcouf
@Markus

I would really like to give this a go.
Good to get some people using this stuff

Re: kerb auth groups KV note acl config

Mike Surcouf
In reply to this post by Mike Surcouf
This is bulleted as a new feature for v4.
Yet there is no way to test this without a quick reply letting me know the basic usage.
Anyone got a snippet on how this is set up?

Re: kerb auth groups KV note acl config

Amos Jeffries
Administrator
On 15/03/2017 10:18 p.m., Mike Surcouf wrote:
> This is bulleted as a new feature for v4.
> Yet there is no way to test this without a quick reply letting me know the basic usage.
> Anyone  got a snippet on how this is setup
>

[ For TL;DR skip to the end of this mail. All this first block is
just describing how it works. ]


This should be doable with Squid-3.4+ or at least 3.5. It requires only
the note ACL in squid plus a helper that sends group= response annotations.

It is marked as v4 because that is where the first helper with such
support is bundled. You can run that helper with older Squid, for
example by downloading Markus' latest release and building your own helper.


An auth helper which supports it does not need anything configured by
you. It will "just work" (or not if it lacks annotation support). That
part is just a matter of finding out / ensuring your auth helper
provides the group kv-pairs. The usual command-line tests can probably
show that.

The auth helper by Markus should be producing a set of group=X
annotations automatically, one for each group the user is a member of.
Where the X is what AD calls a "SID" value representing a unique ID for
each group.


After those are received by Squid the note ACL type can be used in
squid.conf to match any of them quickly without an external helper
lookup for the group details. That enables reliable group ACLs anywhere
in squid.conf where they were previously at the mercy of external helper
result timeouts.


In absence of that input from the auth helper, an external_acl_type
helper or *any* helper really :-) can also send the same annotations to
Squid - with the same note ACL config later.

In its current form this is obviously most useful if you know the SID
that group names map to and can configure the note ACL appropriately. I
am hopeful that other helpers may be able to produce named groups or
such. But the values are likely to be specific to whatever the auth
system can provide.


For group lookup and comparison by name (the 'old' way) you can still
use an external helper. As I understand it AD requires two lookups; one
to find the user's SID memberships and one to find the group name->SID
mapping for the group(s) being checked - then compare. The first is not
needed if the SID (%note{group}) is passed to the helper instead of
username (%LOGIN).
This part does require v4, and has not been much tested to see where
the %note format code works for external_acl_type helpers (and where
not). YMMV.

IIRC Markus was waiting on support for %note{group} format code on
external_acl_type config lines. But that happened a long while back now.



> -----Original Message-----
> From: Mike Surcouf
>
> Outputting the groups as KV pairs in AD environments on auth seems like a great performance enhancement and will allow me to ditch my ldap lookups.
> Is there any docs on how to set this up?
> Even looking at the source I can't seem to work it out.
> I would like to test and potentially contribute to the DOCS although I am only a git user and bazaar would be new to me so I may just post my experience in this thread.
>
> From what I can see I need to setup a note acl but I am unsure of the key names etc.

Correct. The key name is "group" ;-)


>
> A short example would be great.
>

As far as I am aware it should look like this:

  acl blah note group SID-12345-762576257263
  request_max_size 1 MB blah

Maybe also the -m flag on the ACL definition if recent changes merged
the group notes into a list.

HTH
Amos

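
The helper-annotation and note ACL mechanism Amos describes above, as an added worked example that is not part of the thread and is not Squid's code or Markus' helper: it emulates how a helper reply line such as `OK user=... group=SID group=SID` becomes per-request annotations and how `acl NAME note group SID` is then evaluated. The SIDs, user names and reply lines are constructed, the token parsing approximates the helper protocol's quoting with shlex, and the `list_delims` handling is an assumption about what the `-m` flag does, not verified against Squid.

```python
"""Model of how Squid turns helper annotations into note-ACL matches.

Constructed example for this thread, not Squid's code and not Markus'
helper: it only emulates the behaviour described on the list, so that the
key name ("group"), the repeated group= pairs and the ACL comparison can
be tried offline.  The SIDs, user names and helper lines are made up.
"""
import shlex
from typing import Dict, List, Optional, Set, Tuple

Notes = Dict[str, List[str]]

# Made-up SIDs in the same shape as the ones in the thread.
BANKING_SID = "S-1-5-21-123456789-123456789-123456789-1234"
DOMAIN_USERS_SID = "S-1-5-21-123456789-123456789-123456789-513"

# Constructed helper replies in the "RESULT key=value key=value ..." form.
# A key may repeat; group= does, once per membership.
SAMPLE_REPLIES = {
    "banking_user": (
        "OK user=mike@SURCOUF.LOCAL "
        f"group={DOMAIN_USERS_SID} group={BANKING_SID}"
    ),
    "plain_user": f"OK user=bob@SURCOUF.LOCAL group={DOMAIN_USERS_SID}",
    # A failed authentication must not grant anything, whatever it annotates.
    "failed_auth": f'ERR message="no valid ticket" group={BANKING_SID}',
    "quoted_value": 'OK user="Mike Surcouf" group=S-1-5-32-544',
}


def parse_helper_response(line: str) -> Tuple[str, Notes]:
    """Split one helper reply into its result token and its annotations.

    shlex handles double-quoted and backslash-escaped values (an
    approximation of Squid's own parser, not a copy of it).  Tokens
    without '=' are ignored; repeated keys accumulate into a list.
    """
    tokens = shlex.split(line.strip(), posix=True)
    if not tokens:
        return "BH", {}
    result, notes = tokens[0], {}
    for tok in tokens[1:]:
        if "=" not in tok:
            continue
        key, value = tok.split("=", 1)
        notes.setdefault(key, []).append(value)
    return result, notes


def note_acl_matches(notes: Notes, key: str, wanted: Set[str],
                     list_delims: Optional[str] = None) -> bool:
    """Emulate `acl NAME note [-m[=delims]] KEY [VALUE ...]`.

    With no VALUEs the ACL matches when KEY is annotated at all; otherwise
    when any annotated value for KEY equals any VALUE.  list_delims models
    the -m flag: each annotated value is split on those characters first,
    so one "group=a,b" pair counts as two values.  That splitting rule is
    an assumption about the flag, not taken from Squid's implementation.
    """
    values: List[str] = []
    for raw in notes.get(key, []):
        if list_delims:
            parts = [raw]
            for delim in list_delims:
                parts = [p for chunk in parts for p in chunk.split(delim)]
            values.extend(p for p in parts if p)
        else:
            values.append(raw)
    if not wanted:
        return bool(values)
    return any(v in wanted for v in values)


def banking_access_allowed(helper_line: str) -> bool:
    """Decision for the thread's config, roughly

        acl InternetAccessBanking note group <BANKING_SID>
        http_access allow InternetAccessBanking

    applied to one helper reply.  Only an OK reply is trusted: a group=
    annotation on an ERR/BH reply must never grant access.
    """
    result, notes = parse_helper_response(helper_line)
    if result != "OK":
        return False
    return note_acl_matches(notes, "group", {BANKING_SID})


if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        verdict = "allow" if banking_access_allowed(reply) else "deny"
        print(f"{name:13s} -> {verdict}")
```

Running it prints allow only for `banking_user`; the `failed_auth` line is the case to keep in mind when wiring this into `http_access`, since an ERR reply can still carry group= pairs and must not be matched as if the user had authenticated.
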
Re: kerb auth groups KV note acl config

Mike Surcouf
@Amos

Thanks for this

so to recap if I currently have

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 20
auth_param negotiate keep_alive on

external_acl_type InternetAccessBanking %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -u ldaps://aesdc02.surcouf.local:636 -b cn=SSSUsers,dc=surcouf,dc=local  -g InternetAccessBanking

I could replace it by

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 20
auth_param negotiate keep_alive on

acl InternetAccessBanking note group S-1-5-21-123456789-123456789-123456789-1234


Note where S-1-5-21-123456789-123456789-123456789-1234 is the SID for the group InternetAccessBanking


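
The recap above only works once you know the SID for the group, so here is an added example (not from the thread, Squid or the helpers it mentions) of getting it from AD's objectSid attribute: ldapsearch prints that binary attribute base64-encoded in LDIF, and the code decodes it into the S-1-5-... text that `acl ... note group` compares against. The group DN, the LDIF snippet and the SID are constructed; the ldapsearch command in the docstring reuses the host and base DN from Mike's config but omits the bind options you would need.

```python
"""Find the SID to put after `note group`, from the group's AD objectSid.

Added example for this thread, not code from Squid or from the helpers
it discusses.  AD stores objectSid as a binary blob; ldapsearch prints
binary attributes base64-encoded in LDIF ("objectSid:: ...").  This
converts that blob to the S-1-5-... text form and back.  Something like
the following (bind options omitted) produces the LDIF:

    ldapsearch -LLL -H ldaps://aesdc02.surcouf.local:636 \\
        -b dc=surcouf,dc=local \\
        '(&(objectClass=group)(cn=InternetAccessBanking))' objectSid
"""
import base64
import struct

# Constructed SID, same one used in the thread.
BANKING_SID = "S-1-5-21-123456789-123456789-123456789-1234"


def sid_to_string(blob: bytes) -> str:
    """Decode a binary SID: revision(1) count(1) authority(6, big-endian)
    followed by `count` 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def string_to_sid(text: str) -> bytes:
    """Encode S-R-A-S1-...-Sn into the binary form, for round-trip checks
    or for building an LDAP filter on objectSid."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError(f"not a valid SID: {text!r}")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def group_sid_from_ldif(ldif: str) -> str:
    """Pull objectSid out of LDIF output and return it as text.  Only the
    base64 ('::') form is handled, since that is how ldapsearch prints
    binary attributes."""
    for line in ldif.splitlines():
        if line.startswith("objectSid:: "):
            return sid_to_string(base64.b64decode(line[len("objectSid:: "):]))
    raise ValueError("no objectSid attribute in LDIF")


# Constructed: the bytes AD would hold for BANKING_SID, and the LDIF
# ldapsearch would print for them (DN made up to match the thread's base).
BANKING_SID_BYTES = string_to_sid(BANKING_SID)
SAMPLE_LDIF = (
    "dn: CN=InternetAccessBanking,CN=SSSUsers,DC=surcouf,DC=local\n"
    "objectSid:: " + base64.b64encode(BANKING_SID_BYTES).decode("ascii") + "\n"
)

if __name__ == "__main__":
    sid = group_sid_from_ldif(SAMPLE_LDIF)
    print(f"acl InternetAccessBanking note group {sid}")
```

The length check in `sid_to_string` matters when you script this against real directory output: a truncated or mis-decoded blob silently yields a SID that matches nothing, which in an `http_access allow` rule fails closed but in a `deny` rule fails open.
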
Re: kerb auth groups KV note acl config

Amos Jeffries
Administrator
On 16/03/2017 11:12 p.m., Mike Surcouf wrote:

> @Amos
>
> Thanks for this
>
> so to recap if I currently have
>
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
>
> external_acl_type InternetAccessBanking %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -u ldaps://aesdc02.surcouf.local:636 -b cn=SSSUsers,dc=surcouf,dc=local  -g InternetAccessBanking
>
> I could replace it by
>
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
>
> acl InternetAccessBanking note group S-1-5-21-123456789-123456789-123456789-1234
>
>
> Note where S-1-5-21-123456789-123456789-123456789-1234 is the SID for the group InternetAccessBanking
>
>

Yes.

Amos

Re: kerb auth groups KV note acl config

Mike Surcouf
OK, I see Markus' code moved into the main package for 4.
Quick question: his code in there seems almost identical to 3.5 (at least on the GitHub mirror).
Currently the cache is on CentOS 6 and I use Eliezer's excellent RPMs.

Do you think this will work with squid and squid-helpers 3.5.23?
