External ACL Lookup

["Craddock, Tommy" <Tommy.Craddock@xxxxxxxxxxxxxx>]

Hello,

Trying to use an external ACL helper to do a lookup of my user in a group in a Windows AD.  I can test from the command line:

 

 

/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid@xxxxxxxxxxx -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com

tcraddock@xxxxxxxxxxx Full.Access

OK

 

 

In the cache.log w/debug set to ALL,3:

 

2016/04/05 16:54:39.768| aclMatchExternal: memberof user not authenticated (0)

GETTING KERB TOKEN…..

…

2016/04/05 16:54:39.780| authenticateAuthUserAddIp: user 'tcraddock@xxxxxxxxxxx' has been seen at a new IP address (172.23.5.193:56059)

2016/04/05 16:54:39.780| aclMatchExternal: memberof("tcraddock@xxxxxxxxxxx Full.Access") = lookup needed

2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock@xxxxxxxxxxx Full.Access": entry=@0, age=0

2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock@xxxxxxxxxxx Full.Access": queueing a call.

2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock@xxxxxxxxxxx Full.Access": return -1.

2016/04/05 16:54:39.780| externalAclLookup: lookup in 'memberof' for 'tcraddock@xxxxxxxxxxx Full.Access'

2016/04/05 16:54:39.784| externalAclHandleReply: reply="ERR"

2016/04/05 16:54:39.785| external_acl_cache_add: Adding 'tcraddock@xxxxxxxxxxx Full.Access' = 0

2016/04/05 16:54:39.785| aclMatchExternal: memberof = 0

 

In the file referenced in the ACLs:

 

acl RestrictedAccess    external memberof "/etc/squid/restricted_access.txt"

acl FullAccess          external memberof "/etc/squid/full_access.txt"

 

 

it has:

 

cat /etc/squid/full_access.txt

Full.Access

 

cat /etc/squid/restricted_access.txt

Restricted.Access

 

Im not sure why the logs show my user is getting ERR as the response to group checking, when I run it from the command line, I get an OK.

 

 

Info about my setup:

 

[root@clwslprox01p squid]# squid -v

Squid Cache: Version 3.1.23

configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-internal-dns' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' '--enable-digest-auth-helpers=password,ldap,eDirectory' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--enable-http-violations' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.23

 

[root@clwslprox01p squid]# cat /etc/redhat-release

Red Hat Enterprise Linux Server release 6.7 (Santiago)

 

Using negotiate w/NTLM and Kerberos to do user auth, and trying to use external helpers to do group lookups to a Windows AD.  Windows AD is 2008 and 2012 in my env. 

 

Squid.conf:

 

 

### cache manager

cache_mgr pclan@xxxxxxxxxxx

 

#Define the cache_peer to be used

# cache_peer proxy1.ap.webscanningservice.com parent 3128 0000 default no-query no-digest

# cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest

  cache_peer proxy1.us.webscanningservice.com parent 3128 0000 default no-query no-digest

# cache_peer proxy1.hk.webscanningservice.com parent 3128 0000 default no-query no-digest

# cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest

 

 

### negotiate kerberos and ntlm authentication

auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE.COM --require-membership-of=EXAMPLE\\Full.Access –kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME

auth_param negotiate children 10

auth_param negotiate keep_alive off

 

### pure ntlm authentication

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE\\Full.Access

auth_param ntlm children 30

auth_param ntlm keep_alive off

 

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm

auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=example,dc=com" -D Squid@xxxxxxxxxxx -W /etc/squid/password -f sAMAccountName=%s -h DC01.EXAMPLE.COM

auth_param basic children 10

auth_param basic realm Internet Proxy

auth_param basic credentialsttl 1 minute

 

### ldap authorisation

external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid@xxxxxxxxxxx -W /etc/squid/.ldappass.txt -f "(&(objectclass=person)(sAMAccountName=$)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h DC01.EXAMPLE.COM

 

### acl for proxy auth and ldap authorizations

acl our_networks src  172.16.0.0/12 10.0.0.0/8 192.170.0.0/24

acl INTERNAL dst 172.16.0.0/12 10.0.0.0/8

acl auth proxy_auth REQUIRED

acl HEAD method HEAD

acl RestrictedAccess    external memberof "/etc/squid/restricted_access.txt"

acl FullAccess          external memberof "/etc/squid/full_access.txt"

acl Approved_Domains dstdomain "/etc/squid/acls/approved.txt"

acl WindowsUpdate dstdomain -i "/etc/squid/acls/windowsupdates.txt"

acl local-servers dstdomain "/etc/squid/acls/localservers.txt"

acl RestrictedHost src "/etc/squid/acls/restrictedhost_ip.txt"

acl bypass_auth src "/etc/squid/acls/bypass_auth_src_ip.txt"

acl bypass_auth-external dstdomain "/etc/squid/acls/bypass_auth_dst_domain.txt"

acl blocksites dstdomain "/etc/squid/acls/block_sites.txt"

acl DIRECT src "/etc/squid/acls/direct_src_ip.txt"

acl DIRECT-external dstdomain "/etc/squid/acls/direct_dst_domains.txt"

acl Smartconnect dstdomain ned.webscanningservice.com

acl Java browser Java/[0-9]

acl JavaSites dstdomain .gotomeeting.com

always_direct allow INTERNAL

always_direct allow local-servers

cache deny INTERNAL

cache deny local-servers

 

 

 

### squid defaults

acl manager proto cache_object

acl localhost src 127.0.0.1/32 ::1

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl SSL_ports port 443 563 33808

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443 563     # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

#allow custom ports

acl goto_meeting dst 216.115.208.0/20 216.219.112.0/20 66.151.158.0/24 66.151.150.160/27 66.151.115.128/26 64.74.80.0/24 202.173.24.0/21 67.217.64.0/19 78.108.112.0/20 68.64.0.0/19 206.183.100.0/22

acl Safe_ports port 8200        # gotomeeting

acl Safe_ports port 31303 33808 # TD Merchant

acl Safe_ports port 8443        # Symantec SEP Manager

acl Safe_ports port 8014               # Symantec SEPM Client

acl SSL_ports port 9443         # pingdevfed

acl SSL_ports port 9444         # pingdevfed

acl SSL_ports port 5443         # pingdev

acl CONNECT method CONNECT

http_access allow manager localhost

http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

#http_access deny !memberof

http_access allow localhost

http_access allow HEAD

http_access deny !our_networks

http_access allow Smartconnect

http_access deny blocksites all

http_access allow Approved_Domains

http_access deny RestrictedHost all

http_access allow FullAccess auth

http_access allow Java

http_access allow WindowsUpdate

http_access allow bypass_auth

http_access allow bypass_auth-external

http_access allow goto_meeting

http_access allow our_networks all

http_access allow Java our_networks JavaSites

http_access allow auth

http_access deny !auth

http_access deny all

 

 

deny_info error-blocksites blocksites

 

#Logs to look like apache

emulate_httpd_log on

 

#Level of Log debugging

debug_options ALL,1

 

#Log file locations

cache_log /var/log/squid/cache.log

access_log /var/log/squid/access.log

useragent_log /var/log/squid/useragent.log

 

#Hostname shown in error pages

visible_hostname proxy01p

http_port 3128

hierarchy_stoplist cgi-bin ?

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320

 

 

 

 

CONFIDENTIALITY NOTICE

This electronic message is confidential and may contain legally privileged information intended only for the use of the individual or company named above. 

If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified 

that any dissemination, distribution or copying of this communications is strictly prohibited. If you have received this communication in error, please immediately 

notify us by telephone, and return the original message to us at the address above

 

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users