
Re: Squid and AD Group (ext_ldap_group_acl)


 



Hmm, in the logs:


ext_ldap_group_acl.cc(587): pid=12990 :Connected OK
ext_ldap_group_acl.cc(726): pid=12990 :group filter '(&(objectclass=person)(sAMAccountName=0)(memberof=CN=ocalvano,OU=Admin,OU=vpn,DC=mydomain,DC=fr))', searchbase 'DC=mydomain,DC=fr'
ext_ldap_group_acl.cc(726): pid=12990 :group filter '(&(objectclass=person)(sAMAccountName=0)(memberof=CN=Internet-Access,OU=Admin,OU=vpn,DC=mydomain,DC=fr))', searchbase 'DC=mydomain,DC=fr'

ext_ldap_group_acl.cc(587): pid=12990 :Connected OK
ext_ldap_group_acl.cc(726): pid=12990 :group filter '(&(objectclass=person)(sAMAccountName=0)(memberof=CN=Guest,OU=Admin,OU=vpn,DC=mydomain,DC=fr))', searchbase 'DC=mydomain,DC=fr'
ext_ldap_group_acl.cc(726): pid=12990 :group filter '(&(objectclass=person)(sAMAccountName=0)(memberof=CN=Internet-Access,OU=Admin,OU=vpn,DC=mydomain,DC=fr))', searchbase 'DC=mydomain,DC=fr'


User ocalvano is in group Internet-Access but not Guest, and the log says "Ok"
(or is that only the LDAP connection?)




2016-02-08 11:06 GMT+01:00 Olivier CALVANO <o.calvano@xxxxxxxxx>:
Hi Amos,

Thanks for your help,

But if I don't put in the line http_access deny !Group_Allowed, users not in the group can connect
and access the whole internet.

My config:



######################################################################
# ACLs for access rights based on Active Directory
######################################################################
acl Authentification proxy_auth REQUIRED
http_access deny !Authentification
acl Group_Allowed external AD_Group Internet-Access
http_access allow Group_Allowed
#http_access deny !Group_Allowed
######################################################################

#always_direct deny Authentification
http_access allow Lan
http_access deny all






I see that I have a

http_access allow Lan

Isn't this the problem?



2016-02-07 11:44 GMT+01:00 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On 7/02/2016 9:39 p.m., Olivier CALVANO wrote:
> Hi
>
> I have a problem with AD Group; I use this config:
>
>
> external_acl_type AD_Group children-startup=5 children-max=100
> concurrency=80 ttl=1800 negative_ttl=900 %LOGIN
> /usr/lib64/squid/ext_ldap_group_acl -d -S -K -R -b DC=mydomain,DC=fr -D
> cn=UserAdmin,ou=vpn,dc=mydomain,dc=fr -w "Pa77word" -f
> (&(objectclass=person)
> (sAMAccountName=%v)(memberof=CN=%g,OU=Admin,DC=mydomain,DC=fr)) -h
> 192.168.10.1
>
>
> acl Group_Allowed external AD_Group Internet-Access
> http_access allow Group_Allowed
> http_access deny !Group_Allowed
>
>
> When I want to use the proxy, Squid requests the login/pass all the time

To check group membership, Squid must first know what user login
credentials are being checked.


>
> If I change the config:
>
> http_access allow Group_Allowed
> http_access deny !Group_Allowed

As Group_Allowed uses the %LOGIN format code, it will perform 407 auth if it
is used on any line and login is not yet provided, or do 407
re-authentication whenever it is the last ACL named on a deny line, in order
to give the user the chance to provide credentials that will pass the test.

In this particular config setup use "deny all" instead of "deny
!Group_Allowed".

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
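
A simplified model of the http_access behaviour Amos describes, run against the rule orders posted in this thread (an added example, not part of the original messages and not Squid code). The request dictionaries, the `someuser` account and the `evaluate`/`acl_matches` helpers are constructed for illustration.

```python
# Added example: simplified model of http_access evaluation, not Squid code.
# Assumed rules: first matching line wins; ACLs on one line are ANDed.
AUTH_ACLS = {"Authentification", "Group_Allowed"}  # need a login to be tested

def acl_matches(name, req):
    """Evaluate one ACL name from the thread's config for a constructed request."""
    return {
        "Authentification": req["user"] is not None,
        "Group_Allowed": "Internet-Access" in req["groups"],
        "Lan": req["from_lan"],
        "all": True,
    }[name]

def evaluate(rules, req):
    """Return 'ALLOW', 'DENY_403' or 'CHALLENGE_407'."""
    for action, acls in rules:
        matched = True
        for term in acls:
            name = term.lstrip("!")
            if name in AUTH_ACLS and req["user"] is None:
                return "CHALLENGE_407"  # no credentials yet: ask for them
            if acl_matches(name, req) == term.startswith("!"):
                matched = False  # this term is false, so the line does not apply
                break
        if not matched:
            continue
        if action == "allow":
            return "ALLOW"
        # Deny line ending in a login-based ACL re-prompts instead of refusing.
        return "CHALLENGE_407" if acls[-1].lstrip("!") in AUTH_ACLS else "DENY_403"
    return "DENY_403"  # simplification: nothing matched

FIRST = [("allow", ["Group_Allowed"]), ("deny", ["!Group_Allowed"])]
POSTED = [("deny", ["!Authentification"]), ("allow", ["Group_Allowed"]),
          ("allow", ["Lan"]), ("deny", ["all"])]
# Amos's advice applied to POSTED: "deny all" where "deny !Group_Allowed" stood.
ADVISED = POSTED[:2] + [("deny", ["all"])] + POSTED[2:]

# Constructed requests, all coming from the LAN.
member = {"user": "ocalvano", "groups": {"Internet-Access"}, "from_lan": True}
outsider = {"user": "someuser", "groups": {"Guest"}, "from_lan": True}
anonymous = {"user": None, "groups": set(), "from_lan": True}

if __name__ == "__main__":
    for label, rules in (("first", FIRST), ("posted", POSTED), ("advised", ADVISED)):
        print(label, [evaluate(rules, r) for r in (member, outsider, anonymous)])
```

In this model a logged-in non-member from the LAN is re-prompted with 407 under the first config, is let through by `http_access allow Lan` under the posted one, and gets a 403 once `deny all` comes before that line.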

