external_acl_type + ldap-auth

Hello Squid users, I'm having a problem that I cannot solve :/

I am authenticating users against Active Directory via squid_ldap_auth
(Which Works GREAT!)

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=domain,dc=co,dc=za" -D "cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f "sAMAccountName=%s" -h 192.168.0.1
auth_param basic children 5
auth_param basic realm Active Directory Password Required
auth_param basic credentialsttl 3600 seconds

TEST:squid_ldap_auth
# /usr/lib/squid/squid_ldap_auth -R -b "dc=domain,dc=co,dc=za" -D "cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f "sAMAccountName=%s" -h 192.168.0.1
username ******
OK

Now I'd like to set up delay_pools, and this is where my problem starts.
I ALWAYS get this in cache.log:

2010/07/16 11:11:52.551| basic/auth_basic.cc(246) authenticateBasicHandleReply: {OK}
2010/07/16 11:11:52.551| ACL::ChecklistMatches: result for 'fast' is -1
2010/07/16 11:11:52.581| externalAclHandleReply: reply="ERR"
2010/07/16 11:11:52.582| ACL::ChecklistMatches: result for 'fast' is 0
2010/07/16 11:11:52.582| ACL::ChecklistMatches: result for 'medium' is -1
2010/07/16 11:11:52.593| externalAclHandleReply: reply="ERR"
2010/07/16 11:11:52.593| ACL::ChecklistMatches: result for 'medium' is 0
2010/07/16 11:11:52.593| ACL::ChecklistMatches: result for 'slow' is -1
2010/07/16 11:11:52.619| externalAclHandleReply: reply="ERR"
2010/07/16 11:11:52.620| ACL::ChecklistMatches: result for 'slow' is 0
2010/07/16 11:11:52.620| ACL::ChecklistMatches: result for 'all' is 1
2010/07/16 11:11:52.620| ACL::ChecklistMatches: result for 'slow' is 0
2010/07/16 11:11:52.620| ACL::ChecklistMatches: result for 'all' is 1
2010/07/16 11:11:52.621| ACL::ChecklistMatches: result for 'medium' is 0
2010/07/16 11:11:52.621| ACL::ChecklistMatches: result for 'all' is 1
2010/07/16 11:11:52.621| ACL::ChecklistMatches: result for 'fast' is 0
2010/07/16 11:11:52.621| ACL::ChecklistMatches: result for 'all' is 1
2010/07/16 11:11:52.663| ACL::ChecklistMatches: result for 'all' is 1
2010/07/16 11:11:52.663| ACL::ChecklistMatches: result for 'manager' is 0
2010/07/16 11:11:52.663| ACL::ChecklistMatches: result for 'manager' is 0
2010/07/16 11:11:52.663| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2010/07/16 11:11:52.663| ACL::ChecklistMatches: result for 'CONNECT' is 0
2010/07/16 11:11:52.663| ACL::ChecklistMatches: result for 'to_localhost' is 0
2010/07/16 11:11:58.643| ACL::ChecklistMatches: result for 'to_localhost' is 0
2010/07/16 11:11:58.643| ACL::ChecklistMatches: result for 'localhost' is 0
2010/07/16 11:11:58.644| ACL::ChecklistMatches: result for 'fast' is 0

TEST:squid_ldap_group
# /usr/lib/squid/squid_ldap_group -R -b "dc=domain,dc=co,dc=za" -D "cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f "(&(cn=%a)(member=%v)(objectClass=group))" -F "(|(samAccountName=%s)(cn=%s))" -h 1
username fast
OK

My relevant squid.conf parts are:

##### snip #####
# Authentication Method
# Using LDAP Active Directory
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=domain,dc=co,dc=za" -D "cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f "sAMAccountName=%s" -h 192.168.0.1
# TO TEST
# /usr/lib/squid/squid_ldap_auth -R -b "dc=domain,dc=co,dc=za" -D "cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f "sAMAccountName=%s" -h 192.168.0.1
# ENTER
# username password
# SHOULD RETURN OK
auth_param basic children 5
auth_param basic realm Active Directory Password Required
auth_param basic credentialsttl 3600 seconds

# Apprentice - Many Restrictions
# Lexicanium .. Group to be Announced
# Codicier - Some Restrictions
# Epistolary .. Group to be Announced
# Chief Librarian - No Restrictions
external_acl_type chief_librarian negative_ttl=1 ttl=60 %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=domain,dc=co,dc=za" -D "cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f "(&(cn=%a)(member=%v)(objectClass=group))" -F "(|(samAccountName=%s)(cn=%s))" -h 192.168.0.1
external_acl_type codicier negative_ttl=1 ttl=60 %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=domain,dc=co,dc=za" -D "cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f "(&(cn=%a)(member=%v)(objectClass=group))" -F "(|(samAccountName=%s)(cn=%s))" -h 192.168.0.1
external_acl_type apprentice negative_ttl=1 ttl=60 %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=domain,dc=co,dc=za" -D "cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f "(&(cn=%a)(member=%v)(objectClass=group))" -F "(|(samAccountName=%s)(cn=%s))" -h 192.168.0.1
# TO TEST
# /usr/lib/squid/squid_ldap_group -R -b "dc=domain,dc=co,dc=za" -D "cn=ldap,cn=Users,dc=domain,dc=co,dc=za" -w "******" -f "(&(cn=%a)(member=%v)(objectClass=group))" -F "(|(samAccountName=%s)(cn=%s))" -h 192.168.0.1
# ENTER
# username group, e.g. username chief_librarian
# SHOULD RETURN OK

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl ldap-auth proxy_auth REQUIRED    # Auth via Active Directory
acl fast external chief_librarian Fast
acl medium external codicier Medium
acl slow external apprentice Slow

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost
http_access allow fast
http_access allow medium
http_access allow slow
http_access allow ldap-auth

# And finally deny all other access to this proxy
http_access deny all

# Delay Pools
delay_pools 3

# Classes of our Pools
delay_class 1 3
delay_class 2 3
delay_class 3 3

# ACLs relevant to our Pools
delay_access 1 allow slow
delay_access 1 deny all
delay_access 2 allow medium
delay_access 2 deny all
delay_access 3 allow fast
delay_access 3 deny all

# Parameters of our Pools (Bandwidth)
delay_parameters 1 8000/8000 4000/4000 2000/2000
delay_parameters 2 8000/8000 4000/4000 2000/2000
delay_parameters 3 8000/8000 4000/4000 2000/2000

# Debugging Options
debug_options ALL,1 28,9 29,9 33,9 58,9 82,9

##### snip #####

If anyone can point me in some direction: I've read mostly all I
could, I just don't know why the helper is returning ERR :/

Thanks in advance
Riaan Nolan
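
Added example, not part of the original post and not code from the Squid project: a tracing wrapper that sits between Squid and an external_acl_type helper and records each request line and the helper's reply, so the input Squid really sends can be compared with what was typed in the manual test. The variable HELPER_LOG and its default path are assumptions of this example; it assumes the default non-concurrent helper protocol (one request line in, one OK/ERR line out) and starts one helper process per lookup, so it is for debugging only.

```shell
#!/bin/sh
# Added example: tracing wrapper for a Squid external_acl_type helper.
# HELPER_LOG and its default path are names chosen for this example.

HELPER_LOG="${HELPER_LOG:-/tmp/ext_acl_trace.log}"

# Send one request line to the real helper (given as "$@" after the
# request) and print the first line of its reply. A helper that prints
# nothing (crash, bad arguments, bind failure) is reported as ERR.
# The helper's stderr is appended to the trace for later inspection.
ask_helper() {
    request=$1
    shift
    reply=$(printf '%s\n' "$request" | "$@" 2>>"$HELPER_LOG" | head -n 1)
    printf '%s\n' "${reply:-ERR}"
}

# Read request lines from stdin exactly as Squid writes them
# ("login group ..."), log request and reply, and hand the reply back
# to Squid on stdout.
trace_helper() {
    umask 077    # the trace contains usernames; keep it private
    while IFS= read -r request; do
        reply=$(ask_helper "$request" "$@")
        printf '%s request=[%s] reply=[%s]\n' \
            "$(date '+%Y-%m-%d %H:%M:%S')" "$request" "$reply" >>"$HELPER_LOG"
        printf '%s\n' "$reply"
    done
}

# Run as a helper only when a real helper command line was supplied.
if [ "$#" -gt 0 ]; then
    trace_helper "$@"
fi
```

To use it, put the wrapper's path (hypothetical, for example /usr/local/bin/ext_acl_trace.sh) in front of the existing squid_ldap_group command on one external_acl_type line. The trace then shows the exact group argument Squid passes, such as "username Fast" from the acl line, next to the "username fast" used in the manual test.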
