Hi,

Please, some more guidance is required. Can squid_kerb_ldap be used (alone) independently of calling squid_kerb_auth or any other helper?

If and only if it is a must to use both squid_kerb_auth & squid_kerb_ldap, then is it correct that we are not using the following directives?

acl auth proxy_auth REQUIRED #used
#http_access deny !auth # Not used
#http_access allow auth #not used

as instead LDAP-based directives of the following form are used...

external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/squid_kerb_ldap -g GROUP@
acl ldap_group_check external squid_kerb_ldap
http_access allow ldap_group_check

Thanking you & regards,

Bilal

----------------------------------------
> To: squid-users@xxxxxxxxxxxxxxx
> From: huaraz@xxxxxxxxxxxxxxxx
> Date: Thu, 1 Jul 2010 21:31:13 +0100
> Subject: Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)
>
> Hi
>
> 1) 1.2.1a is just a minor patch version to 1.2.1.
> 2) This happens only when you use the -d debug option
> 3) You can use the options -u BIND_DN -p BIND_PW -b BIND_PATH -l LDAP_URL
> 4) If they have different access needs then that is the only way. If they
> have the same access rights you can use -g
> INETGRLHR1@xxxxxxxxxxxxxxxxxx:INETGRLHR2@xxxxxxxxxxxxxxxxxx:INETGRLHR3@xxxxxxxxxxxxxxxxxx
>
> Regards
> Markus
>
> ----- Original Message -----
> From: "GIGO ."
> To: "squidsuperuser2" ; "SquidHelp"
> Sent: Thursday, July 01, 2010 11:31 AM
> Subject: RE: Re: Re: Re: squid_kerb_auth (parseNegTokenInit
> failed with rc=102)
>
>
> Dear Markus,
>
> Thank you so much for your help, as I diagnosed the problem back to
> KRB5_KTNAME not being exported properly through my startup script. For
> completion's sake and your analysis I have appended the cache.log at the
> bottom.
>
> Please, I have a few queries:
>
> 1. I am using squid_kerb_ldap version 1.2.1a as per your recommendation,
> which is the latest, but does the "a" in 1.2.1(a) mean alpha? Can I use this
> latest version in production or should I switch back to 1.2.1?
>
> 2. I have just figured out that squid_kerb_ldap gets all the groups for the
> user in question even if the first group it finds matches. Is this the normal
> behaviour?
>
> 3. Is there a way to bind to a specific or multiple (chosen) LDAP servers
> rather than using DNS? (What is the syntax and how?)
>
> 4. As I have different categories of users, I have defined the following
> directives. Is it OK to do it this way, as it does not look very neat to me and
> looks like squid_kerb_ldap is being called redundantly?
>
> -------------------------------------Portion of squid.conf---------------------
> auth_param negotiate program /usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> # basic auth ACL controls to make use of it are.(if and only if squid_kerb_ldap(authorization) is not used)
> #acl auth proxy_auth REQUIRED
> #http_access deny !auth
> #http_access allow auth
>
> #Groups from Mailserver Domain:
> external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR1@xxxxxxxxxxxxxxxxxx
> external_acl_type squid_kerb_ldap_msgroup2 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR2@xxxxxxxxxxxxxxxxxx
> external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR3@xxxxxxxxxxxxxxxxxx
>
> acl msgroup1 external squid_kerb_ldap_msgroup1
> acl msgroup2 external squid_kerb_ldap_msgroup2
> acl msgroup3 external squid_kerb_ldap_msgroup3
> http_access deny msgroup2 msn
> http_access deny msgroup3 msn
> http_access deny msgroup2 ym
> http_access deny msgroup3 ym
> ###----Most Restricted settings Exclusive for Normal users......###
> http_access deny msgroup3 Movies
> http_access deny msgroup3 downloads
> http_access deny msgroup3 torrentSeeds
> http_access deny all