Re: ext_user ACL

On 09.02.2012 07:46, Wladner Klimach wrote:
Hello,

I'm trying to use ext_user type of ACL but for some reason it isn't
matching. Look at my cache.log message with debug_options set up:

 ACL::ChecklistMatches: result for 'restrictedDomains' is 1
2012/02/08 16:24:40.553| ACLList::matches: result is true
2012/02/08 16:24:40.553| ACLList::matches: checking restrictUsers
2012/02/08 16:24:40.553| ACL::checklistMatches: checking 'restrictUsers'
2012/02/08 16:24:40.553| ACL::ChecklistMatches: result for
'restrictUsers' is -1
2012/02/08 16:24:40.553| ACLList::matches: result is false
2012/02/08 16:24:40.553| aclmatchAclList: 0x7f491617bab8 returning
false (AND list entry failed to match)

I'm using this because I need to group authenticated users in order to
create ACLs to restrict these groups. I've used proxy_auth instead of
ext_user and it worked, but I don't know if this is appropriate in
terms of performance, isn't it? Here is my squid.conf:


# KERBEROS - Full integration with AD
auth_param negotiate program /etc/squid/squid-3.1.16/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth -s HTTP/trotsky.redecamara.camara.gov.br
auth_param negotiate children 10
auth_param negotiate keep_alive on

# External ACLs to look up the group based on Kerberos.
external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /etc/squid/squid-3.1.16/squid_kerb_ldap/squid_kerb_ldap -S californio.redecamara.camara.gov.br -g Internet@xxxxxxxxxxxxxxxxxxxxxxxx

<snips>
acl restrictUsers ext_user P_7501@xxxxxxxxxxxxxxxxxxxxxxxx
acl restrictedDomains url_regex -i "/etc/squid/InstantMessenger"
http_access deny restrictedDomains restrictUsers
http_access allow ldap_group_check
http_access deny all



Checking proxy_auth and ext_user values is the same speed (text comparison). BUT, ext_user requires an external ACL helper to be run to produce the value, AND an authentication helper to be run to produce the %LOGIN input value. Which could be slower overall.

Also each has different security properties:
proxy_auth is the logged-in username, validated by the authentication backend.
ext_user is just a user name (note the space between words) label produced by the external helper; it is not necessarily the logged-in user or even related to that user.


It is not working because squid_kerb_ldap does not output the user name label for use by ext_user. Just an OK/ERR result whether the user passed *in* is a member of the groups passed in.

Amos
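Added example, not from this thread and not part of Squid or squid_kerb_ldap: a minimal external ACL helper in Python that illustrates Amos's point. An ext_user ACL only has something to compare against when the helper's OK/ERR reply carries a user= tag; a bare OK/ERR (what squid_kerb_ldap returns) leaves it nothing to match, which is the -1 result in the cache.log above. The group directory, the realm EXAMPLE.REALM, the logins and the helper's file name are all constructed; the URL-decoding of the %LOGIN value is a defensive assumption about the helper input format, harmless when the value is already plain.

```python
#!/usr/bin/env python3
"""Constructed external ACL helper for Squid 3.1 showing the user= tag.

Example squid.conf wiring (assumed names, mirroring the layout in the thread):
  external_acl_type group_user ttl=3600 %LOGIN /usr/local/bin/group_user_helper.py -g Internet@EXAMPLE.REALM
  acl in_internet_group external group_user
  acl restrictUsers ext_user P_7501@EXAMPLE.REALM
"""
import shlex
import sys
from urllib.parse import unquote

# Constructed stand-in for the AD/LDAP directory: login principal -> set of group names.
GROUP_MEMBERS = {
    "P_7501@EXAMPLE.REALM": {"Internet@EXAMPLE.REALM", "Staff@EXAMPLE.REALM"},
    "P_9999@EXAMPLE.REALM": {"Staff@EXAMPLE.REALM"},
}


def lookup_groups(login):
    """Directory lookup; the real helper would query LDAP/AD here."""
    return GROUP_MEMBERS.get(login, set())


def quote_value(value):
    """Double-quote a key=value payload that contains spaces or quotes (helper protocol convention)."""
    if any(c in value for c in ' "\\'):
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return value


def handle_request(line, required_groups, emit_user=True):
    """Build the one-line reply for one request line from Squid.

    With %LOGIN as the only format token, the request line is the authenticated
    login. emit_user=False reproduces a helper that answers with a bare OK/ERR,
    which is exactly the case where 'acl ... ext_user' cannot match anything.
    """
    line = line.strip()
    if not line:
        return "ERR"
    # Assumption: the value may arrive URL-encoded; unquote() is a no-op on plain text.
    login = unquote(line.split()[0])
    member = bool(lookup_groups(login) & set(required_groups))
    verdict = "OK" if member else "ERR"
    if not emit_user:
        return verdict
    # The user= label is the string that ext_user compares (a plain text comparison).
    return f"{verdict} user={quote_value(login)}"


def parse_user_tag(response):
    """Pull the user= label out of a helper reply, as the ext_user ACL would; None if absent."""
    tokens = shlex.split(response)
    for token in tokens[1:]:
        if token.startswith("user="):
            return token[len("user="):]
    return None


def main(argv):
    required = []
    args = argv[1:]
    while args:
        a = args.pop(0)
        if a == "-g" and args:
            required.append(args.pop(0))
    for line in sys.stdin:
        sys.stdout.write(handle_request(line, required) + "\n")
        sys.stdout.flush()  # Squid waits for a complete line; never leave it buffered


if __name__ == "__main__":
    main(sys.argv)
```

Run it by hand to see the two reply shapes: `echo P_7501@EXAMPLE.REALM | ./group_user_helper.py -g Internet@EXAMPLE.REALM` prints `OK user=P_7501@EXAMPLE.REALM`, which gives the ext_user ACL a label to match; the `external` ACL type keys only on the leading OK/ERR. Note that the helper answers for whatever login Squid hands it, so the user= label is only as trustworthy as the authentication that produced %LOGIN, which is the security distinction Amos draws between proxy_auth and ext_user.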
