On 1/02/2016 11:40 p.m., Alessandro Sironi wrote:
>
> Hello everyone
>
> I'm a newbie regarding SQUID and in general on Linux.
> I have an Active Directory environment (Windows Server 2012 R2) and a Linux Debian 8 Jessie configured in the same network.
> My goal is to install SQUID on Debian, integrate with Active Directory using Kerberos and authorise users to use SQUID based on Active Directory security group membership lookup.
> Long story short, I followed the instructions here
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid
>
>
> My test environment:
> Active Directory domain: KIDANEMEHRET.LOCAL
> test user: KIDANEMEHRET\test-full
> Security groups which it is a member of: "Internet Users Full", "Internet Users Standard"
>
> Test done
> After having properly configured my test client (Windows 7 joined to the domain), logged on with the test user KIDANEMEHRET\test-full, configured Internet Explorer to use the proxy, what I get every time I try to browse the internet is a SQUID page telling me Access Denied.
>
> Quick Analysis
> Having a look at access.log and cache.log (see attached), I understand that user is properly authenticated (I see KIDANEMEHRET\test-full properly written in each log).
> For this reason I suspect the problem is in the authorisation part.
>
> I try then to run from terminal the program used in SQUID.CONF to check authorisation (based on the wiki too); note that I'm running with sudo otherwise with standard user I get no access to password file:
>

You need to ensure this test is run as the Squid low-privilege user account. Not as root via sudo.

If the access to passwords file is also not working for Squid's low-priv user account that could be the problem.

> sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" -D squid@kidanemehret.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h domcon.kidanemehret.local test-full Internet%20Users%20Full
>
> Do not get any result: waiting for minutes...
>

Add the -d option for debug output about what the helper is doing during those minutes.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
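
Added example, not part of the original thread: a shell check for the point raised in the reply, that the `-W` password file has to be readable by the account Squid runs its helpers as, not only by root. The function name `check_secret` and the account name `proxy` are assumptions, and ACLs and parent-directory permissions are not considered.

```shell
#!/bin/sh
# Added example (not from the thread). Judges from owner/group/mode whether
# ACCOUNT may read a bind-password file, and whether everyone else may too.
# Assumptions: GNU stat; ACLs and parent-directory permissions are ignored.

# check_secret FILE ACCOUNT  -> prints OK, EXPOSED or UNREADABLE
check_secret() {
    file=$1; account=$2
    owner=$(stat -c %U "$file") || return 2
    group=$(stat -c %G "$file")
    bits=$((0$(stat -c %a "$file")))      # octal mode, e.g. 0640
    # The kernel checks exactly one class: owner, else group, else other.
    if [ "$account" = "$owner" ]; then
        readable=$((bits & 256))           # 0400: owner read
    elif case " $(id -Gn "$account" 2>/dev/null) " in
             *" $group "*) true ;; *) false ;; esac; then
        readable=$((bits & 32))            # 0040: group read
    else
        readable=$((bits & 4))             # 0004: other read
    fi
    if [ "$readable" -eq 0 ]; then
        echo UNREADABLE                    # ACCOUNT cannot read the -W file
    elif [ $((bits & 4)) -ne 0 ]; then
        echo EXPOSED                       # readable, but by every local user
    else
        echo OK
    fi
}

# Constructed demo: a throwaway file standing in for /etc/squid3/ldappass.txt,
# checked for its owner and for "proxy" (assumed Squid account name).
demo=$(mktemp)
chmod 600 "$demo"
me=$(stat -c %U "$demo")
echo "$me: $(check_secret "$demo" "$me")"
echo "proxy: $(check_secret "$demo" proxy)"
rm -f "$demo"
```

A mode-600 file owned by root reports UNREADABLE for the low-privilege account even though the same helper command succeeds under sudo.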