Hi
squid_kerb_auth is not required for squid_kerb_ldap work, but you have to
use -g GROUP and provide an ldap URL as squid_kerb_ldap won't be able to
"automagically" determine the ldap server.
Regards
Markus
"GIGO ." <gigoz@xxxxxxx> wrote in message
news:SNT134-w356B42D425F0504C922352B9B10@xxxxxxxxxx
Hi,
please some more guidance required. Can squid_kerb_ldap be used(alone)
independentaly of calling squid_kerb_auth or any other helper??
If and only if it is must to use squid_kerb_auth & squid_kerb_ldap both then
is it correct that we are not using the following directives??
acl auth proxy_auth REQUIRED #used
#http_access deny !auth # Not used
#http_access allow auth #not used
as instead ldap based directives of the following form are used...
external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN
/usr/sbin/squid_kerb_ldap -g GROUP@
acl ldap_group_check external squid_kerb_ldap
http_access allow ldap_group_check
thanking you
&
regards,
Bilal
----------------------------------------
To: squid-users@xxxxxxxxxxxxxxx
From: huaraz@xxxxxxxxxxxxxxxx
Date: Thu, 1 Jul 2010 21:31:13 +0100
Subject: Re: Re: Re: squid_kerb_auth (parseNegTokenInit
failed with rc=102)
Hi
1) 1.2.1a is just a minor patch version to 1.2.1.
2) This happens only when you use the -d debug option
3) You can use the options -u BIND_DN -p BIND_PW -b BIND_PATH -l LDAP_URL
4) If they have different access needs then that is the only way. If they
have the same access right you can use -g
INETGRLHR1@xxxxxxxxxxxxxxxxxx:INETGRLHR2@xxxxxxxxxxxxxxxxxx:INETGRLHR3@xxxxxxxxxxxxxxxxxx
Regards
Markus
----- Original Message -----
From: "GIGO ."
To: "squidsuperuser2" ; "SquidHelp"
Sent: Thursday, July 01, 2010 11:31 AM
Subject: RE: Re: Re: Re: squid_kerb_auth (parseNegTokenInit
failed with rc=102)
Dear Markus,
Thank you so much for your help as i diagnosed the problem back to
KRB5_KTNAME not exported properly through my startup script. For the
completion sake and your analysis i have appended the cache.log at the
bottom.
Please i have few queries:
1. I am using squid_kerb_ldap version 1.2.1a as per your recommendation
and
which is the latest but is the "a" in 1.2.1(a) means alpha. Can i use this
latest version in the production or i should switch back to 1.2.1.
2. i have just figured out that squid_kerb_ldap gets all the groups for a
user in question even if the first group it find matches. Is this the
normal
behaviour?
3. Is there a way to bind to a specific or multiple(chosen) ldap servers
rather than using DNS. (what is the syntax and how)
4. As i have different categories of users so i had defined the following
directives. Is it ok to do this way as it does not look very neet to me
and
looks like squid_kerb_ldap being called redundantly.
-------------------------------------Portion of
squid.conf---------------------
auth_param negotiate program
/usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
# basic auth ACL controls to make use of it are.(if and only if
squid_kerb_ldap(authorization) is not used)
#acl auth proxy_auth REQUIRED
#http_access deny !auth
#http_access allow auth
#Groups fom Mailserver Domain:
external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600
%LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR1@xxxxxxxxxxxxxxxxxx
external_acl_type squid_kerb_ldap_msgroup2 ttl=3600 negative_ttl=3600
%LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR2@xxxxxxxxxxxxxxxxxx
external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600
%LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR3@xxxxxxxxxxxxxxxxxx
acl msgroup1 external squid_kerb_ldap_msgroup1
acl msgroup2 external squid_kerb_ldap_msgroup2
acl msgroup3 external squid_kerb_ldap_msgroup3
http_access deny msgroup2 msn
http_access deny msgroup3 msn
http_access deny msgroup2 ym
http_access deny msgroup3 ym
###----Most Restricted settings Exclusive for Normal users......###
http_access deny msgroup3 Movies
http_access deny msgroup3 downloads
http_access deny msgroup3 torrentSeeds
http_access deny all
_________________________________________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.
https://signup.live.com/signup.aspx?id=60969
