Search squid archive

Re: Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi

squid_kerb_auth is not required for squid_kerb_ldap work, but you have to use -g GROUP and provide an ldap URL as squid_kerb_ldap won't be able to "automagically" determine the ldap server.

Regards
Markus

"GIGO ." <gigoz@xxxxxxx> wrote in message news:SNT134-w356B42D425F0504C922352B9B10@xxxxxxxxxx

Hi,

please some more guidance required. Can squid_kerb_ldap be used(alone) independentaly of calling squid_kerb_auth or any other helper??

If and only if it is must to use squid_kerb_auth & squid_kerb_ldap both then is it correct that we are not using the following directives??

acl auth proxy_auth REQUIRED #used
#http_access deny !auth # Not used
#http_access allow auth #not used

as instead ldap based directives of the following form are used...

external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/squid_kerb_ldap -g GROUP@
acl ldap_group_check external squid_kerb_ldap
http_access allow ldap_group_check


thanking you
&
regards,

Bilal








----------------------------------------
To: squid-users@xxxxxxxxxxxxxxx
From: huaraz@xxxxxxxxxxxxxxxx
Date: Thu, 1 Jul 2010 21:31:13 +0100
Subject: Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

Hi

1) 1.2.1a is just a minor patch version to 1.2.1.
2) This happens only when you use the -d debug option
3) You can use the options -u BIND_DN -p BIND_PW -b BIND_PATH -l LDAP_URL
4) If they have different access needs then that is the only way. If they
have the same access right you can use -g
INETGRLHR1@xxxxxxxxxxxxxxxxxx:INETGRLHR2@xxxxxxxxxxxxxxxxxx:INETGRLHR3@xxxxxxxxxxxxxxxxxx

Regards
Markus

----- Original Message -----
From: "GIGO ."
To: "squidsuperuser2" ; "SquidHelp"

Sent: Thursday, July 01, 2010 11:31 AM
Subject: RE:  Re: Re: Re: squid_kerb_auth (parseNegTokenInit
failed with rc=102)



Dear Markus,

Thank you so much for your help as i diagnosed the problem back to
KRB5_KTNAME not exported properly through my startup script. For the
completion sake and your analysis i have appended the cache.log at the
bottom.

Please i have few queries:


1. I am using squid_kerb_ldap version 1.2.1a as per your recommendation and
which is the latest but is the "a" in 1.2.1(a) means alpha. Can i use this
latest version in the production or i should switch back to 1.2.1.




2. i have just figured out that squid_kerb_ldap gets all the groups for a
user in question even if the first group it find matches. Is this the normal
behaviour?


3. Is there a way to bind to a specific or multiple(chosen) ldap servers
rather than using DNS. (what is the syntax and how)


4. As i have different categories of users so i had defined the following
directives. Is it ok to do this way as it does not look very neet to me and
looks like squid_kerb_ldap being called redundantly.


-------------------------------------Portion of
squid.conf---------------------
auth_param negotiate program
/usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
# basic auth ACL controls to make use of it are.(if and only if
squid_kerb_ldap(authorization) is not used)
#acl auth proxy_auth REQUIRED
#http_access deny !auth
#http_access allow auth

#Groups fom Mailserver Domain:
external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600
%LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR1@xxxxxxxxxxxxxxxxxx
external_acl_type squid_kerb_ldap_msgroup2 ttl=3600 negative_ttl=3600
%LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR2@xxxxxxxxxxxxxxxxxx
external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600
%LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR3@xxxxxxxxxxxxxxxxxx

acl msgroup1 external squid_kerb_ldap_msgroup1
acl msgroup2 external squid_kerb_ldap_msgroup2
acl msgroup3 external squid_kerb_ldap_msgroup3
http_access deny msgroup2 msn
http_access deny msgroup3 msn
http_access deny msgroup2 ym
http_access deny msgroup3 ym
###----Most Restricted settings Exclusive for Normal users......###
http_access deny msgroup3 Movies
http_access deny msgroup3 downloads
http_access deny msgroup3 torrentSeeds
http_access deny all


_________________________________________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.
https://signup.live.com/signup.aspx?id=60969



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux