Amos Jeffries wrote
> On 1/02/2016 11:40 p.m., Alessandro Sironi wrote:
>>
>> Hello everyone
>>
>> I'm a newbie regarding SQUID and in general on Linux.
>> I have an Active Directory environment (Windows Server 2012 R2) and a
>> Linux Debian 8 Jessie configured in the same network.
>> My goal is to install SQUID on Debian, integrate with Active Directory
>> using Kerberos and authorise users to use SQUID based on Active Directory
>> security group membership lookup.
>> Long story short, I followed the instructions here
>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid
>>
>>
>> My test environment:
>> Active Directory domain: KIDANEMEHRET.LOCAL
>> test user: KIDANEMEHRET\test-full
>> Security groups which is member of: "Internet Users Full", "Internet
>> Users Standard"
>>
>> Test done
>> After having properly configured my test client (Windows 7 joined to the
>> domain), logged on with the test user KIDANEMEHRET\test-full, configured
>> internet explorer to use the proxy, what I get every time I try to browse
>> the internet is a SQUID page telling me Access Denied.
>>
>> Quick Analysis
>> Having a look at access.log and cache.log (see attached), I understand
>> that user is properly authenticated (I see KIDANEMEHRET\test-full
>> properly written in each log).
>> For this reason I suspect the problem is in the authorisation part.
>>
>> I try then to run from terminal the program used in SQUID.CONF to check
>> authorisation (based on the wiki too); note that I'm running with sudo
>> otherwise with standard user I get no access to password file:
>>
>
> You need to ensure this test is run as the Squid low-privilege user
> account. Not as root via sudo. If the access to passwords file is also
> not working for Squid's low-priv user account that could be the problem.
>
>> sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
>> "dc=kidanemehret,dc=local" -D squid@
>> -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)
>> (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h
>> domcon.kidanemehret.local test-full Internet%20Users%20Full
>> Do not get any result: waiting for minutes...
>>
>
> Add the -d option for debug output about what the helper is doing during
> those minutes.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@.squid-cache
> http://lists.squid-cache.org/listinfo/squid-users

That's exactly the problem: if I run the test with normal (i.e.: no sudo), I get

ERROR: Can Not Read Secret File /etc/squid3/ldappass.txt

I imagine I have to modify the security on that file, but how?
Sorry for the dumb question....

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ext-ldap-group-acl-not-working-tp4675816p4675822.html
Sent from the Squid - Users mailing list archive at Nabble.com.
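
Added example, not part of the original thread: a shell check for one least-privilege layout of the helper's secret file (group-owned by the Squid account's group, group-readable, closed to everyone else), plus the matching fix. The function names are made up for this example, and the group name `proxy` is an assumption based on Debian's packaging; confirm it against `cache_effective_user` / `cache_effective_group` on the host.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the Squid account's
# group is "proxy" (Debian default); confirm with cache_effective_group.

# audit_secret FILE GROUP
# GROUP may be a name or a numeric gid. Returns 0 only when FILE is
# group-owned by GROUP, group-readable, and closed to "other".
audit_secret() {
    file=$1
    group=$2
    [ -f "$file" ] || { echo "FAIL: $file is not a regular file"; return 1; }
    mode=$(stat -c '%a' "$file")    # GNU stat: octal mode, e.g. 640
    gname=$(stat -c '%G' "$file")   # group name
    gid=$(stat -c '%g' "$file")     # numeric gid
    other=$(( ${mode} % 10 ))       # last octal digit: "other" bits
    grp=$(( (${mode} / 10) % 10 ))  # middle digit: group bits
    if [ "$other" -ne 0 ]; then
        echo "FAIL: mode $mode is accessible to all local accounts"
        return 1
    fi
    if [ "$gname" != "$group" ] && [ "$gid" != "$group" ]; then
        echo "FAIL: file group is $gname, helper runs with group $group"
        return 1
    fi
    if [ $(( ${grp} & 4 )) -eq 0 ]; then
        echo "FAIL: mode $mode gives group $group no read bit"
        return 1
    fi
    echo "OK: $file mode $mode group $gname"
}

# fix_secret FILE GROUP: readable by the helper's group, nobody else.
# On the proxy host this needs root, e.g.:
#   fix_secret /etc/squid3/ldappass.txt proxy
fix_secret() {
    chgrp "$2" "$1" && chmod 640 "$1"
}
```

Once the audit passes, rerun the helper command from the thread under `sudo -u proxy` instead of plain `sudo`, with `-d` added as Amos suggests, so the test exercises the same permissions Squid has.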