Just a question... You are using Debian; I did say chmod root:proxy (proxy is the default Squid user in Debian).

I see: chown root:squid /etc/squid3/ldappass.txt

Try again with chown root:proxy /etc/squid3/ldappass.txt

Greetz,
Louis

> -----Original message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of alesironi
> Sent: Monday, 1 February 2016 14:50
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: ext_ldap_group_acl not working
>
> > -----Original message-----
> > From: squid-users [mailto:squid-users-bounces@.squid-cache] On behalf of alesironi
> > Sent: Monday, 1 February 2016 13:28
> > To: squid-users@.squid-cache
> > Subject: Re: ext_ldap_group_acl not working
> >
> > Amos Jeffries wrote:
> > > On 1/02/2016 11:40 p.m., Alessandro Sironi wrote:
> > >>
> > >> Hello everyone,
> > >>
> > >> I'm a newbie regarding Squid and in general on Linux.
> > >> I have an Active Directory environment (Windows Server 2012 R2) and a
> > >> Linux Debian 8 Jessie configured in the same network.
> > >> My goal is to install Squid on Debian, integrate with Active Directory
> > >> using Kerberos and authorise users to use Squid based on an Active
> > >> Directory security group membership lookup.
> > >> Long story short, I followed the instructions here:
> > >> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid
> > >>
> > >> My test environment:
> > >> Active Directory domain: KIDANEMEHRET.LOCAL
> > >> test user: KIDANEMEHRET\test-full
> > >> Security groups it is a member of: "Internet Users Full", "Internet Users Standard"
> > >>
> > >> Test done
> > >> After having properly configured my test client (Windows 7 joined to the
> > >> domain), logged on with the test user KIDANEMEHRET\test-full, configured
> > >> Internet Explorer to use the proxy, what I get every time I try to browse
> > >> the internet is a Squid page telling me Access Denied.
> > >>
> > >> Quick Analysis
> > >> Having a look at access.log and cache.log (see attached), I understand
> > >> that the user is properly authenticated (I see KIDANEMEHRET\test-full
> > >> properly written in each log).
> > >> For this reason I suspect the problem is in the authorisation part.
> > >>
> > >> I then try to run from the terminal the program used in squid.conf to check
> > >> authorisation (based on the wiki too); note that I'm running with sudo,
> > >> otherwise as a standard user I get no access to the password file:
> > >>
> > >
> > > You need to ensure this test is run as the Squid low-privilege user
> > > account. Not as root via sudo. If the access to passwords file is also
> > > not working for Squid's low-priv user account that could be the problem.
> > >
> > >> sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" -D squid@ -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h domcon.kidanemehret.local test-full Internet%20Users%20Full
> > >> Do not get any result: waiting for minutes...
> > >>
> > >
> > > Add the -d option for debug output about what the helper is doing during
> > > those minutes.
> > >
> > > Amos
> > >
> > > _______________________________________________
> > > squid-users mailing list
> > > squid-users@.squid-cache
> > > http://lists.squid-cache.org/listinfo/squid-users
> >
> > That's exactly the problem: if I run the test as normal (i.e. no sudo), I get
> > ERROR: Can Not Read Secret File /etc/squid3/ldappass.txt
> > I imagine I have to modify the security on that file, but how? Sorry for the
> > dumb question....
> >
> > --
> > View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ext-ldap-group-acl-not-working-tp4675816p4675822.html
> > Sent from the Squid - Users mailing list archive at Nabble.com.
>
> Ok, let me recap my tests
>
> - I followed all suggestions from Luis:
>
> /etc/default/squid3 (not /etc/default/squid.... ) was already there with the
> right content. I renamed it to /etc/default/squid (please confirm if I did
> properly)
> chown root:squid /etc/squid3/ldappass.txt (and also PROXY.keytab)
> chmod 440 /etc/squid3/ldappass.txt (and also PROXY.keytab)
> modified krb5.conf commenting "default_keytab_name = /etc/squid3/PROXY.keytab"
>
> - I then added -d and ran the following command line
>
> /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" -D [hidden email] -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -d -h domcon.kidanemehret.local test-full Internet%20Users%20Full
>
> Get the following error: Can not Read Secret File /etc/squid3/ldappass.txt
>
> - ran the following (basically putting the password in clear, bypassing the
> password file)
>
> /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" -D [hidden email] -w mypassword -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -d -h domcon.kidanemehret.local -d test-full Internet%20Users%20Full
>
> get the following error:
> ext_ldap_group_acl.cc(478): pid=1778 :Internet%20Users%20Full: Invalid Request: NO Username given
> ERR Invalid Request. No Username
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ext-ldap-group-acl-not-working-tp4675816p4675824.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
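As an added example, not code from the thread or from the Squid project, here is a small POSIX shell script that applies and verifies the fix the thread converges on: the LDAP bind-password file owned by root, with Squid's low-privilege service group as its group and mode 0440, followed by a run of the helper as that service user (what Amos asks for) rather than as root via sudo, with the request fed on stdin. Assumptions, labelled in the comments: Debian's squid3 package, whose service user and group are both named proxy (as Louis states); a stat(1) that accepts -c (GNU coreutils or busybox); the helper path, base DN, filter and domain controller taken from the thread; and a BIND_DN variable standing in for the bind account DN, which the thread hides.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project.
# Assumptions: Debian squid3 package whose service user and group are
# both "proxy"; a stat(1) that accepts -c (GNU coreutils or busybox);
# helper path, base DN, filter and host as used in the thread; BIND_DN
# is a placeholder for the bind account DN, which the thread hides.

# check_secret_file FILE UID GID
# Returns 0 when FILE is a regular file owned by UID:GID with mode exactly
# 0440 (readable by owner and group only, nothing for others). Each
# deviation is printed and 1 is returned. Numeric ids are compared so the
# check also works where the owner has no passwd/group entry.
check_secret_file() {
    file=$1 want_uid=$2 want_gid=$3
    [ -f "$file" ] || { echo "$file: not a regular file"; return 1; }
    out=$(stat -c '%a %u %g' "$file" 2>/dev/null) || { echo "$file: stat failed"; return 1; }
    set -- $out
    mode=$1 uid=$2 gid=$3
    rc=0
    [ "$mode" = 440 ] || { echo "$file: mode $mode, want 440"; rc=1; }
    [ "$uid" = "$want_uid" ] || { echo "$file: owner uid $uid, want $want_uid"; rc=1; }
    [ "$gid" = "$want_gid" ] || { echo "$file: group gid $gid, want $want_gid"; rc=1; }
    return $rc
}

# lock_down_secret FILE GROUP
# Make FILE root-owned and readable only by root and GROUP (needs root).
lock_down_secret() {
    chown "root:$2" "$1" && chmod 0440 "$1"
}

# helper_check USER GROUP
# Run ext_ldap_group_acl as the proxy user, the way Squid does, and feed it
# one "user group" request on stdin; the helper answers OK or ERR on
# stdout and, with -d, logs what it is doing on stderr. Running it this
# way reproduces any "Can Not Read Secret File" error Squid itself would hit.
helper_check() {
    printf '%s %s\n' "$1" "$2" | sudo -u proxy /usr/lib/squid3/ext_ldap_group_acl -d -R -K -S \
        -b "dc=kidanemehret,dc=local" \
        -D "${BIND_DN:?set BIND_DN to the bind account DN}" \
        -W /etc/squid3/ldappass.txt \
        -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" \
        -h domcon.kidanemehret.local
}

# Typical sequence on the Debian box from the thread (chown needs root):
#   lock_down_secret /etc/squid3/ldappass.txt proxy
#   check_secret_file /etc/squid3/ldappass.txt 0 "$(id -g proxy)"
#   BIND_DN='cn=...' helper_check test-full Internet%20Users%20Full
```

The request goes to the helper on stdin rather than as trailing command-line arguments, one "user group" pair per line, which is the form Squid's external ACL interface uses; `sudo -u proxy` does not need a login shell for the proxy account, so it works even though that account has none, and `id -g proxy` resolves the group without hard-coding Debian's numeric gid.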