Hello!
I found a problem in squid versions 3.5.0.4 and 3.5.1. If a user account has a space in its login (sAMAccountName), the check does not pass successfully.
=================================================================================
Config file for NTLM authentication:
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=OFFICE
auth_param ntlm children 100 startup=25 idle=1
auth_param ntlm keep_alive on
external_acl_type memberof children-max=200 children-startup=10 %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -K -b "dc=office,dc=***,dc=corp" -D squidreader@office.***.corp -w ***** -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=internet,ou=groups,ou=lpk,dc=office,dc=***,dc=corp))" -H ldap://DC2.office.***.corp -Z -d
cache.log for NTLM authentication:
Got NTLMSSP neg_flags=0xa2088207
Got user=[qqq qqq] domain=[OFFICE] workstation=[TERMINAL8] len1=24 len2=24
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0xa2088205
ext_ldap_group_acl.cc(579): pid=45705 :Connected OK
ext_ldap_group_acl.cc(718): pid=45705 :group filter '(&(objectclass=person)(sAMAccountName=qqq)(memberof=cn=Proxy-access-enable-full,ou=internet,ou=groups,ou=lpk,dc=office,dc=***,dc=corp))', searchbase 'dc=office,dc=***,dc=corp'
In the NTLM authentication log I see the full name:
Got user=[qqq qqq] domain=[OFFICE] workstation=[TERMINAL8] len1=24 len2=24
But in ext_ldap_group_acl I see a shortened name:
(sAMAccountName=qqq)
and I get the message "access denied".
=================================================================================
Config file for Kerberos authentication:
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.office.***.corp@OFFICE.***.CORP -i
auth_param negotiate children 200 startup=10 idle=1
auth_param negotiate keep_alive on
external_acl_type memberof children-max=200 children-startup=10 %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -K -b "dc=office,dc=***,dc=corp" -D squidreader@office.***.corp -w ***** -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=internet,ou=groups,ou=lpk,dc=office,dc=***,dc=corp))" -H ldap://DC.office.***.corp -Z -d
cache.log for Kerberos authentication:
2015/01/19 12:19:26| negotiate_kerberos_auth: INFO: User Steven%20Paul%20Jobs@OFFICE.***.CORP authenticated
ext_ldap_group_acl.cc(579): pid=46221 :Connected OK
ext_ldap_group_acl.cc(718): pid=46221 :group filter '(&(objectclass=person)(sAMAccountName=Steven)(memberof=cn=Proxy-access-enable-full,ou=internet,ou=groups,ou=lpk,dc=office,dc=***,dc=corp))', searchbase 'dc=office,dc=***,dc=corp'
In the Kerberos authentication log I see the full name:
User Steven%20Paul%20Jobs@OFFICE.***.CORP authenticated
But in ext_ldap_group_acl I see a shortened name:
(sAMAccountName=Steven)
and I get the message "access denied".
=================================================================================
I also tried adding/removing the "protocol" parameter in the "external_acl_type" command, but it does not help:
protocol=3.0
protocol=2.5
=================================================================================
What should I do? How can this be fixed?
Best regards,
Misha!
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
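The failure mode Misha describes, reproduced as an added illustration (example code written for this page, not Squid's or ext_ldap_group_acl's code): an external ACL helper that splits its request line on whitespace sees only the first word of a login that contains a space, looks up an account that does not exist, and the group check fails closed with ERR, which is the "access denied" in the post. The model of the helper (first token is the user, each remaining token is a candidate group), the %-decoding step, the toy directory and the `dc=example` base DN are assumptions made for the example, not facts taken from the post or from Squid's source. It also shows why a %-encoded login such as the `Steven%20Paul%20Jobs` the Kerberos helper logged can be recovered after the split, while a login delivered with raw spaces (as in the NTLM log) is ambiguous to any whitespace-tokenizing helper, and escapes the decoded value per RFC 4515 before substituting it into the filter.

```python
"""Added example: how a login containing a space is truncated by a helper
that tokenizes on whitespace, and how the check fails closed as a result.
Not Squid or ext_ldap_group_acl code; helper behaviour, directory contents
and base DN are assumptions constructed for this illustration."""
from urllib.parse import unquote

# Hypothetical base DN standing in for the masked one in the post.
GROUP_OU = "ou=internet,ou=groups,ou=lpk,dc=office,dc=example,dc=corp"

# Constructed stand-in for the directory: sAMAccountName -> group CNs.
DIRECTORY = {
    "qqq qqq": {"Proxy-access-enable-full"},
    "Steven Paul Jobs": {"Proxy-access-enable-full"},
}

# RFC 4515 escaping for values substituted into a search filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value before it is spliced into an LDAP filter string."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def parse_naive(line: str):
    """Assumed helper behaviour: whitespace split, first token = user,
    remaining tokens = candidate groups. 'qqq qqq G' yields user 'qqq'."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty request line")
    return tokens[0], tokens[1:]


def parse_decoding(line: str):
    """Same split, but each token is %-decoded afterwards, so a login that
    arrives as 'Steven%20Paul%20Jobs' comes back as one user string."""
    tokens = [unquote(t) for t in line.split()]
    if not tokens:
        raise ValueError("empty request line")
    return tokens[0], tokens[1:]


def build_filter(user: str, group: str) -> str:
    """The -f template from the post with %u and %g filled in (escaped)."""
    return (f"(&(objectclass=person)(sAMAccountName={ldap_filter_escape(user)})"
            f"(memberof=cn={ldap_filter_escape(group)},{GROUP_OU}))")


def authorize(line: str, parse):
    """Return ('OK'|'ERR', filters tried) for one helper request line,
    evaluating membership against the constructed DIRECTORY."""
    user, groups = parse(line)
    tried = [build_filter(user, g) for g in groups]
    member_of = DIRECTORY.get(user, set())
    verdict = "OK" if any(g in member_of for g in groups) else "ERR"
    return verdict, tried


if __name__ == "__main__":
    for line, parse in [
        ("qqq qqq Proxy-access-enable-full", parse_naive),           # NTLM case
        ("Steven%20Paul%20Jobs Proxy-access-enable-full", parse_naive),
        ("Steven%20Paul%20Jobs Proxy-access-enable-full", parse_decoding),
        ("Steven Paul Jobs Proxy-access-enable-full", parse_decoding),  # raw spaces
    ]:
        verdict, tried = authorize(line, parse)
        print(f"{parse.__name__:15} {line!r:55} -> {verdict}")
        for f in tried:
            print("   filter:", f)
```

The naive path over the NTLM-style line reproduces the post's symptom: the helper tries `sAMAccountName=qqq` (and then treats the second `qqq` as a group name), finds no such account, and answers ERR. Decoding after the split rescues only the %-encoded form; with raw spaces there is no way for the helper to know where the login ends, so the fix has to be on the side that encodes the value, not in the helper.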