
Re: benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

"Amos Jeffries" wrote in message news:54BE53B2.9070200@xxxxxxxxxxxxx...


On 21/01/2015 1:38 a.m., Simon Staeheli wrote:
Whatever floats your boat. The point of the Addon/Plugin/helpers
API is that you can use scripts if they serve your needs better.

All the usual Open Source benefits of "many eyeballs" and
somebody else doing code maintenance for you apply to using a
bundled helper over a custom written one.

Beyond that the kerberos helper also provides automatic detection
of which LDAP server to use via multiple auto-configuration
methods.

If you can demonstrate that the ext_kerberos_ldap_group_acl does
provide a superset of the functionality of the ext_ldap_group_acl
helper then I can de-duplicate the two helpers.

Amos

Thanks for the hint regarding automatic detection of LDAP servers.
I am just trying to find what the differences between the two
helpers are and which one fits my needs better. Any others?


Nothing I can pick out easily.

Do you know anything about the feature in
ext_kerberos_ldap_group_acl mentioned by Markus Moeller in an
earlier post?

"I have a new method in my squid 3.4 patch which uses the Group
Information MS is putting in the ticket. This would eliminate the
ldap lookup completely."
(http://www.squid-cache.org/mail-archive/squid-users/201309/0046.html)


I think that refers to a work in progress. Markus maintains the
un-bundled version of his helpers a little in advance of what has made
it into the Squid stable branch. Some of what is available in his
helper downloads is only in the Squid-3.HEAD alpha development code so
far.

I am working on obsoleting the need for external group helpers. From
3.5 auth helpers can deliver to Squid a set of group= kv-pairs in their
response. Those can be used with the note ACL type to check group
names without any external_acl_type helper lookup (making group checks
possible in 'fast' access controls).

Markus joined me in this project and his latest kerberos auth helper
(in 3.HEAD and his versions - *not* the 3.5 bundled version) produces
group= kv-pairs. Unfortunately they are in the obscure S-*-*-* registry
ID format MS uses. The external_acl_type helper interface cannot yet
be passed notes to decipher that to a known group name.


The Kerberos authentication helper extracts the Microsoft authorisation data from the Kerberos ticket. This so-called PAC data contains the AD Security Groups a user belongs to (even over a forest/domain as far as I recall, and nested groups). The format of the authorisation data is the AD objectsid, which the helper returns in base64 encoding. So now, instead of querying LDAP, an external helper just needs to compare the base64 encoded SID with a predefined SID. You just have to know the SID when you set up the configuration, in the same way as you have to know the AD group name with an ldap helper.

From a Unix system you can easily get the object sid if you know the
group name, e.g.

# kinit markus@xxxxxxxxxxxxxx
# ldapsearch -LLL -H ldap://w2k3r2.win2003r2.home -s sub -b DC=WIN2003R2,DC=HOME "(CN=SOCKS_ALLOW)" objectsid
SASL/GSSAPI authentication started
SASL username: markus@xxxxxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
dn: CN=SOCKS_ALLOW,OU=Groups,DC=win2003r2,DC=home
objectSid:: AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==

Any ldap browser like ldapadmin can also show the objectsid.

I also have a tool, which I can provide, to convert a SID into a base64 value.

Examples:

# ./convert_sid S-1-5-21-1828870822-1098772068-2592627279-1163
base64 encoded: AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==
hexadecimal: 01 05 00 00 00 00 00 05 15 00 00 00 a6 5a 02 6d 64 ee 7d 41 4f 5a 88 9a 8b 04 00 00
SID: S-1-5-21-1828870822-1098772068-2592627279-1163

# ./convert_sid AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==
base64 encoded: AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==
hexadecimal: 01 05 00 00 00 00 00 05 15 00 00 00 a6 5a 02 6d 64 ee 7d 41 4f 5a 88 9a 8b 04 00 00
SID: S-1-5-21-1828870822-1098772068-2592627279-1163

# ./convert_sid 01 05 00 00 00 00 00 05 15 00 00 00 a6 5a 02 6d 64 ee 7d 41 4f 5a 88 9a 8b 04 00 00
base64 encoded: AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==
hexadecimal: 01 05 00 00 00 00 00 05 15 00 00 00 a6 5a 02 6d 64 ee 7d 41 4f 5a 88 9a 8b 04 00 00
SID: S-1-5-21-1828870822-1098772068-2592627279-1163


Please let me know if you have questions, comments or ideas.

Regards
Markus


Amos
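The objectSid wire format behind the base64 value above (one revision byte, one sub-authority count byte, a 6-byte big-endian identifier authority, then 32-bit little-endian sub-authorities) can be decoded and re-encoded in a few lines of Python. This is an added example, not Markus's convert_sid tool or any Squid helper code; member_of_allowed is a hypothetical stand-in for the comparison an external ACL helper would make, and the sample value is the CN=SOCKS_ALLOW objectSid from the ldapsearch output.

```python
import base64
import struct

# Binary SID layout: revision (1 byte), sub-authority count (1 byte),
# identifier authority (6 bytes, big-endian), then count 32-bit
# little-endian sub-authorities. Total length = 8 + 4 * count.

def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary objectSid into the S-1-5-21-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-... string back into the binary objectSid form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_from_base64(b64: str) -> str:
    """What the helper hands over: base64 of the raw objectSid."""
    return sid_from_bytes(base64.b64decode(b64))

def sid_from_hex(hexdump: str) -> str:
    """Accepts the space-separated hex form (bytes.fromhex skips whitespace)."""
    return sid_from_bytes(bytes.fromhex(hexdump))

def sid_to_base64(sid: str) -> str:
    return base64.b64encode(sid_to_bytes(sid)).decode("ascii")

def member_of_allowed(group_b64_values, allowed_sids) -> bool:
    """Hypothetical helper-side check: does any base64 SID taken from the
    ticket's PAC match a SID configured in readable S-... form? The decoded
    bytes are compared, so the config can hold the readable form."""
    wanted = {sid_to_bytes(s) for s in allowed_sids}
    return any(base64.b64decode(v) in wanted for v in group_b64_values)

if __name__ == "__main__":
    # Sample value from the ldapsearch output for CN=SOCKS_ALLOW.
    sample = "AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA=="
    print(sid_from_base64(sample))
```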

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users