Hi,

I run squid with the named debug-options. The "cache.log" output seems a little bit complicated. So the only way I see is to have a remarked native ldap-authentication configuration, which I can enable if the kerberos mechanism fails. Or does somebody have such a config (kerberos with squid_kerb_ldap to get AD groups AND squid_ldap_auth with a memberOf filter) running?

Thanks a lot.
Regards,
Tom

2010/8/11 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> Tom Tux wrote:
>>
>> Hi Amos
>>
>> Thanks a lot for this explanation. Both configurations separately -
>> native kerberos and native ldap - are working fine. But in
>> combination, there is still one problem.
>>
>> Here is my actual configuration (combined two mechanisms) again:
>>
>> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
>> auth_param negotiate children 50
>> auth_param negotiate keep_alive on
>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "InternetUsers"
>> acl INTERNET_ACCESS external SQUID_KERB_LDAP
>>
>> external_acl_type SQUID_DENY_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "DenyInternetUsers"
>> acl DENY_INTERNET_ACCESS external SQUID_DENY_KERB_LDAP
>>
>> # LDAP-Fallback
>> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -v 3 -b "dc=xx,dc=yy" -D "cn=binduser,dc=xx,dc=yy" -w "something" -f "(&(&(objectClass=Person)(sAMAccountName=%s))(memberOf=cn=InternetUsers,DC=xx,DC=yy))" -c 3 -h ldaps://xx.xx.xx.xx -h ldaps://xx.xx.xx.xx
>> auth_param basic children 20
>> auth_param basic realm "Internet Access"
>> auth_param basic credentialsttl 2 hour
>> acl INTERNET_ACCESS_LDAP proxy_auth REQUIRED src 0.0.0.0
>
> The "src" and "0.0.0.0" usernames (yes *usernames*) should be ignored by
> Squid.
>
>>
>> And here the relevant part of the http_access directives:
>> http_access deny DENY_INTERNET_ACCESS
>> http_access deny !INTERNET_ACCESS
>> http_access deny !INTERNET_ACCESS_LDAP
>> http_access allow INTERNET_ACCESS
>> http_access allow INTERNET_ACCESS_LDAP
>> http_access deny all
>>
>> With this configuration, I'm able to access with kerberos, but never
>> with ldap. I always got an "access denied". What directives do I have
>> to change/add to get both accesses (kerberos & ldap)?
>
> Run Squid with "debug_options 82,3 28,3" to check which ACLs are matching
> and which denying.
>
> I notice the !INTERNET_ACCESS is required to pass before anything is
> allowed. It could be that your Basic protocol credentials are not being
> accepted by the Negotiate/Kerberos protocol group helper and inverting into
> a deny.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.6
> Beta testers wanted for 3.2.0.1
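The following is an added example, not part of the thread and not Squid's own code: a small Python model of how Squid walks `http_access` lines (in order, a line matches only when every ACL on it matches, `!` negates, first match decides, and when nothing matches the opposite of the last line's action applies). It runs the rule set Tom posted against constructed helper verdicts that follow Amos's hypothesis, namely that `squid_kerb_ldap` answers ERR when handed a Basic login, so `!INTERNET_ACCESS` matches and the second line denies. The `NAIVE_REORDER` rule set and all scenario verdicts are assumptions made up for the illustration; the point it adds is that `proxy_auth REQUIRED` matches any authenticated user regardless of scheme, so a Kerberos user outside `InternetUsers` and a Basic user who passed the `memberOf` filter look identical to these ACLs, and simply dropping the two blanket deny lines would admit the former as well.

```python
"""Model of Squid's http_access evaluation applied to the posted rule set.
Constructed example; helper verdicts are assumed, not observed."""

from typing import Dict, List, Tuple

Rule = Tuple[str, List[str]]   # (action, [acl terms as written in squid.conf])
Verdicts = Dict[str, bool]     # acl name -> whether it matched this request

# The http_access lines exactly as posted in the thread, in order.
POSTED_RULES: List[Rule] = [
    ("deny",  ["DENY_INTERNET_ACCESS"]),
    ("deny",  ["!INTERNET_ACCESS"]),
    ("deny",  ["!INTERNET_ACCESS_LDAP"]),
    ("allow", ["INTERNET_ACCESS"]),
    ("allow", ["INTERNET_ACCESS_LDAP"]),
    ("deny",  ["all"]),
]

# Hypothetical "fix" that just drops the two blanket deny lines.  Included to
# show the hole it opens, not as a recommended configuration.
NAIVE_REORDER: List[Rule] = [
    ("deny",  ["DENY_INTERNET_ACCESS"]),
    ("allow", ["INTERNET_ACCESS"]),
    ("allow", ["INTERNET_ACCESS_LDAP"]),
    ("deny",  ["all"]),
]

# Constructed helper verdicts per client scenario.  INTERNET_ACCESS_LDAP is
# 'proxy_auth REQUIRED', which is true for any authenticated user whatever
# scheme authenticated them.
SCENARIOS: Dict[str, Verdicts] = {
    # Kerberos user in InternetUsers: squid_kerb_ldap answers OK.
    "kerberos_member": {
        "DENY_INTERNET_ACCESS": False, "INTERNET_ACCESS": True, "INTERNET_ACCESS_LDAP": True},
    # Kerberos user outside InternetUsers: squid_kerb_ldap answers ERR.
    "kerberos_nonmember": {
        "DENY_INTERNET_ACCESS": False, "INTERNET_ACCESS": False, "INTERNET_ACCESS_LDAP": True},
    # Basic user who passed squid_ldap_auth's memberOf filter; the Kerberos
    # group helper cannot resolve a plain login and answers ERR (assumption).
    "basic_member": {
        "DENY_INTERNET_ACCESS": False, "INTERNET_ACCESS": False, "INTERNET_ACCESS_LDAP": True},
}


def acl_matches(term: str, verdicts: Verdicts) -> bool:
    """Evaluate one ACL term, honouring a leading '!' negation."""
    negated = term.startswith("!")
    name = term[1:] if negated else term
    matched = True if name == "all" else verdicts.get(name, False)
    return matched != negated


def http_access(rules: List[Rule], verdicts: Verdicts) -> Tuple[str, str]:
    """Return (decision, matching line) for a request with these verdicts."""
    for action, terms in rules:
        if all(acl_matches(t, verdicts) for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    # Nothing matched: Squid applies the opposite of the last line's action.
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), "(implicit default)"


def decide_all(rules: List[Rule]) -> Dict[str, str]:
    """Decision per scenario, for comparing two rule sets side by side."""
    return {name: http_access(rules, v)[0] for name, v in SCENARIOS.items()}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("naive reorder", NAIVE_REORDER)):
        print(f"== {label} ==")
        for name, verdicts in SCENARIOS.items():
            decision, line = http_access(rules, verdicts)
            print(f"  {name:20s} -> {decision:5s} via {line}")
```

Under the posted rules the Basic user is denied by `http_access deny !INTERNET_ACCESS`, which is the symptom in the thread; under the naive reorder every authenticated user is allowed, including the Kerberos non-member. Whatever ordering is finally chosen, the `debug_options 82,3 28,3` run Amos suggests is what confirms the real helper verdicts that this model only assumes.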