> -----Original message-----
> From: squid-users [mailto:squid-users-bounces@.squid-cache] On behalf of alesironi
> Sent: Monday, 1 February 2016 13:28
> To: squid-users@.squid-cache
> Subject: Re: ext_ldap_group_acl not working
>
> Amos Jeffries wrote
> > On 1/02/2016 11:40 p.m., Alessandro Sironi wrote:
> >>
> >> Hello everyone
> >>
> >> I'm a newbie regarding SQUID and in general on Linux.
> >> I have an Active Directory environment (Windows Server 2012 R2) and a
> >> Linux Debian 8 Jessie configured in the same network.
> >> My goal is to install SQUID on Debian, integrate it with Active Directory
> >> using Kerberos and authorise users to use SQUID based on an Active Directory
> >> security group membership lookup.
> >> Long story short, I followed the instructions here
> >> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid
> >>
> >> My test environment:
> >> Active Directory domain: KIDANEMEHRET.LOCAL
> >> test user: KIDANEMEHRET\test-full
> >> Security groups it is a member of: "Internet Users Full", "Internet Users Standard"
> >>
> >> Test done
> >> After having properly configured my test client (Windows 7 joined to the
> >> domain), logged on with the test user KIDANEMEHRET\test-full, configured
> >> Internet Explorer to use the proxy, what I get every time I try to browse
> >> the internet is a SQUID page telling me Access Denied.
> >>
> >> Quick Analysis
> >> Having a look at access.log and cache.log (see attached), I understand
> >> that the user is properly authenticated (I see KIDANEMEHRET\test-full
> >> properly written in each log).
> >> For this reason I suspect the problem is in the authorisation part.
> >>
> >> I then try to run from the terminal the program used in SQUID.CONF to check
> >> authorisation (based on the wiki too); note that I'm running with sudo,
> >> otherwise as a standard user I get no access to the password file:
> >>
> >
> > You need to ensure this test is run as the Squid low-privilege user
> > account. Not as root via sudo. If access to the passwords file is also
> > not working for Squid's low-priv user account, that could be the problem.
> >
> >> sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" -D squid@ -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h domcon.kidanemehret.local test-full Internet%20Users%20Full
> >> I do not get any result: waiting for minutes...
> >>
> >
> > Add the -d option for debug output about what the helper is doing during
> > those minutes.
> >
> > Amos
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users@.squid-cache
> > http://lists.squid-cache.org/listinfo/squid-users
>
> That's exactly the problem: if I run the test as a normal user (i.e. no sudo),
> I get
> ERROR: Can Not Read Secret File /etc/squid3/ldappass.txt
> I imagine I have to modify the security on that file, but how? Sorry for the
> dumb question....
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ext-ldap-group-acl-not-working-tp4675816p4675822.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
> _______________________________________________
> squid-users mailing list
> squid-users@.squid-cache
> http://lists.squid-cache.org/listinfo/squid-users

Ok, let me recap my tests

- I followed all suggestions from Luis:
  /etc/default/Squid3 (not /etc/default/squid.... ) was already there with the right content. I renamed it to /etc/default/squid (please confirm if I did this properly)
  chown root:squid /etc/squid3/ldappass.txt (and also PROXY.Keytab)
  chmod 440 /etc/squid3/ldappass.txt (and also PROXY.Keytab)
  modified KRB5.conf, commenting out "default_keytab_name = /etc/squid3/PROXY.keytab"

- I then added -d and ran the following command line:
  /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" -D [hidden email] -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -d -h domcon.kidanemehret.local test-full Internet%20Users%20Full
  and get the following error:
  Can not Read Secret File /etc/squid3/ldappass.txt

- I ran the following (basically putting the password in clear, bypassing the password file):
  /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" -D [hidden email] -w mypassword -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" 'd -h domcon.kidanemehret.local -d test-full Internet%20Users%20Full
  and get the following error:
  ext_ldap_group_acl.cc(478): pid=1778 :Internet%20Users%20Full: Invalid Request: NO Username given
  ERR Invalid Request. No Username

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ext-ldap-group-acl-not-working-tp4675816p4675824.html
Sent from the Squid - Users mailing list archive at Nabble.com.
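As an added example (not from the thread, nor Squid's own code), a small POSIX shell script covering the two checks this thread turns on: that Squid's low-privilege account, not root, can read the -W secret file, and that the "user group" request reaches ext_ldap_group_acl on standard input, which is where the helper reads it (the trailing positional arguments on its command line are LDAP server names, not the user and group). It assumes the Squid account is `proxy` (Debian's default), uses the thread's own paths and hostnames, and substitutes `BIND_DN_PLACEHOLDER` for the bind DN hidden in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Debian, where the squid3 package
# runs Squid as user "proxy" (override with SQUID_USER=... if yours differs).
SQUID_USER="${SQUID_USER:-proxy}"
HELPER=/usr/lib/squid3/ext_ldap_group_acl
SECRET=/etc/squid3/ldappass.txt

# The helper reads one "user group" request per line on stdin and unescapes
# each token, so spaces in a group name are sent as %20.
helper_escape() {
    printf '%s' "$1" | sed 's/ /%20/g'
}

# Permission check for a secret file, parsed from ls -l for portability:
# group may at most read (no write bit), and "other" gets nothing at all,
# so 440 and 640 pass while 644 and 660 fail.
secret_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
    [ -n "$perms" ] || return 1
    case "$perms" in
        ?????-----) return 0 ;;   # chars 6-10: group w/x and all of "other" clear
        *) return 1 ;;
    esac
}

# Can the Squid account itself open the secret? This is the test Amos asked
# for: run as the low-privilege user, not as root via plain sudo.
secret_readable_by_squid() {
    sudo -u "$SQUID_USER" test -r "$SECRET"
}

# Ask the helper about one user/group pair the way Squid does: request on
# stdin, LDAP options on the command line, running as the Squid account.
# Expect "OK" or "ERR ..." on stdout; -d adds debug output on stderr.
ask_helper() {
    printf '%s %s\n' "$1" "$(helper_escape "$2")" |
        sudo -u "$SQUID_USER" "$HELPER" -R -K -S -d \
            -b "dc=kidanemehret,dc=local" \
            -D "BIND_DN_PLACEHOLDER" -W "$SECRET" \
            -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" \
            -h domcon.kidanemehret.local
}

# Run the real checks only when asked, so the definitions above can be sourced.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    secret_mode_ok "$SECRET" || echo "warning: $SECRET is not 440-style restricted" >&2
    secret_readable_by_squid || { echo "error: $SQUID_USER cannot read $SECRET" >&2; exit 1; }
    ask_helper test-full "Internet Users Full"
fi
```

Run it as root with `RUN_CHECKS=1` on the proxy host; `sudo -u` drops to the Squid account for both the read test and the helper call.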