L.P.H. van Belle wrote
> Try this format:
>
> external_acl_type ldap_search ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl \
>   -R -b "ou=User,dc=YOUR,dc=DNSDOM,dc=TLD" \
>   -f "(&(samaccountname=%v)(memberof=cn=%a,ou=Groups,ou=Users,dc=YOUR,dc=DNSDOM,dc=TLD))" \
>   -D AD-bind-user@YOURREALM \
>   -W /etc/squid/private/ldap-bind \
>   -K \
>   -h addc2.internald.domain.tld \
>   -h addc1.internald.domain.tld
>
> And for the kerberos auth.
>
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
>   --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
>   --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN
>
> These should work, they did for me for squid 3.4.8+
>
> Or ( tested as of 3.5.10 )
>
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
>   --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/prxy1.internal.domain.tld@YOURREALM \
>   --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
>
> Greetz,

I configured as per your instructions. I got some errors that prevent SQUID from starting properly (see cache.log). I double-checked my squid.conf, but it seems I used the right syntax from the sample you posted.

Cache.log, access.log, squid.conf and krb5.conf are in this share: http://1drv.ms/1nHDRXH