On 6/04/2016 9:16 a.m., Craddock, Tommy wrote: > Hello, > > Trying to use an external ACL helper to do a lookup of my user in a group in a Windows AD. I can test from the command line: > > > /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid@xxxxxxxxxxx -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com > tcraddock@xxxxxxxxxxx Full.Access > OK > I'm always a little suspicious about whitespace in the LDAP parameters. Such as you have for "ou=Some Group" in the -f filter. It does depend on how new vs old your Squid is whether that will be treated as two parameters or one passed to the helper by Squid. The commmad line test will always pass it as one parameter. If you can rework your ou= parameter to avoid the whitespace it might work better (just a maybe, but you do have Squid 3.1). > > In the cache.log w/debug set to ALL,3: > > 2016/04/05 16:54:39.768| aclMatchExternal: memberof user not authenticated (0) > GETTING KERB TOKEN..... > ... > 2016/04/05 16:54:39.780| authenticateAuthUserAddIp: user 'tcraddock@xxxxxxxxxxx' has been seen at a new IP address (172.23.5.193:56059) > 2016/04/05 16:54:39.780| aclMatchExternal: memberof("tcraddock@xxxxxxxxxxx Full.Access") = lookup needed > 2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock@xxxxxxxxxxx Full.Access": entry=@0, age=0 > 2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock@xxxxxxxxxxx Full.Access": queueing a call. > 2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock@xxxxxxxxxxx Full.Access": return -1. > 2016/04/05 16:54:39.780| externalAclLookup: lookup in 'memberof' for 'tcraddock@xxxxxxxxxxx Full.Access' > 2016/04/05 16:54:39.784| externalAclHandleReply: reply="ERR" > 2016/04/05 16:54:39.785| external_acl_cache_add: Adding 'tcraddock@xxxxxxxxxxx Full.Access' = 0 > 2016/04/05 16:54:39.785| aclMatchExternal: memberof = 0 > > In the file referenced in the ACLs: > > acl RestrictedAccess external memberof "/etc/squid/restricted_access.txt" > acl FullAccess external memberof "/etc/squid/full_access.txt" > > > it has: > > cat /etc/squid/full_access.txt > Full.Access > > cat /etc/squid/restricted_access.txt > Restricted.Access > Speaking of white spaces. The only reason for using files there is when the group name contains a whitespace character. TO avoid a squid.conf parser bug (Sorry). If those dots are in fact dots and not spaces, then you dont need the extra files. > Im not sure why the logs show my user is getting ERR as the response to group checking, when I run it from the command line, I get an OK. > > > Info about my setup: > > [root@clwslprox01p squid]# squid -v > Squid Cache: Version 3.1.23 > configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-internal-dns' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' '--enable-ntlm-auth-helpers=smb_lm,no_check,fake auth' '--enable-digest-auth-helpers=password,ldap,eDirectory' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--enable-http-violations' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -W p,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.23 > > [root@clwslprox01p squid]# cat /etc/redhat-release > Red Hat Enterprise Linux Server release 6.7 (Santiago) > > Using negotiate w/NTLM and Kerberos to do user auth, and trying to use external helpers to do group lookups to a Windows AD. Windows AD is 2008 and 2012 in my env. > > Squid.conf: > > > ### cache manager > cache_mgr pclan@xxxxxxxxxxx > > #Define the cache_peer to be used > # cache_peer proxy1.ap.webscanningservice.com parent 3128 0000 default no-query no-digest > # cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest > cache_peer proxy1.us.webscanningservice.com parent 3128 0000 default no-query no-digest > # cache_peer proxy1.hk.webscanningservice.com parent 3128 0000 default no-query no-digest > # cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest > > > ### negotiate kerberos and ntlm authentication > auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE.COM --require-membership-of=EXAMPLE\\Full.Access -kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME > auth_param negotiate children 10 > auth_param negotiate keep_alive off > > ### pure ntlm authentication > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE\\Full.Access > auth_param ntlm children 30 > auth_param ntlm keep_alive off > > ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm > auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=example,dc=com" -D Squid@xxxxxxxxxxx -W /etc/squid/password -f sAMAccountName=%s -h DC01.EXAMPLE.COM > auth_param basic children 10 > auth_param basic realm Internet Proxy > auth_param basic credentialsttl 1 minute > Your NTLM and Negotiate authenticators have a parameter requiring membership of the Ful.Access group as part of the auth process. That means you should be able to use the auth type to tell what group they are a member of. > ### ldap authorisation > external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid@xxxxxxxxxxx -W /etc/squid/.ldappass.txt -f "(&(objectclass=person)(sAMAccountName=$)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h DC01.EXAMPLE.COM > > ### acl for proxy auth and ldap authorizations > acl our_networks src 172.16.0.0/12 10.0.0.0/8 192.170.0.0/24 > acl INTERNAL dst 172.16.0.0/12 10.0.0.0/8 > acl auth proxy_auth REQUIRED > acl HEAD method HEAD > acl RestrictedAccess external memberof "/etc/squid/restricted_access.txt" > acl FullAccess external memberof "/etc/squid/full_access.txt" > acl Approved_Domains dstdomain "/etc/squid/acls/approved.txt" > acl WindowsUpdate dstdomain -i "/etc/squid/acls/windowsupdates.txt" > acl local-servers dstdomain "/etc/squid/acls/localservers.txt" > acl RestrictedHost src "/etc/squid/acls/restrictedhost_ip.txt" > acl bypass_auth src "/etc/squid/acls/bypass_auth_src_ip.txt" > acl bypass_auth-external dstdomain "/etc/squid/acls/bypass_auth_dst_domain.txt" > acl blocksites dstdomain "/etc/squid/acls/block_sites.txt" > acl DIRECT src "/etc/squid/acls/direct_src_ip.txt" > acl DIRECT-external dstdomain "/etc/squid/acls/direct_dst_domains.txt" > acl Smartconnect dstdomain ned.webscanningservice.com > acl Java browser Java/[0-9] > acl JavaSites dstdomain .gotomeeting.com > always_direct allow INTERNAL > always_direct allow local-servers > cache deny INTERNAL > cache deny local-servers > > > > ### squid defaults > acl manager proto cache_object > acl localhost src 127.0.0.1/32 ::1 > acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 > acl SSL_ports port 443 563 33808 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 563 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > #allow custom ports > acl goto_meeting dst 216.115.208.0/20 216.219.112.0/20 66.151.158.0/24 66.151.150.160/27 66.151.115.128/26 64.74.80.0/24 202.173.24.0/21 67.217.64.0/19 78.108.112.0/20 68.64.0.0/19 206.183.100.0/22 > acl Safe_ports port 8200 # gotomeeting > acl Safe_ports port 31303 33808 # TD Merchant > acl Safe_ports port 8443 # Symantec SEP Manager > acl Safe_ports port 8014 # Symantec SEPM Client > acl SSL_ports port 9443 # pingdevfed > acl SSL_ports port 9444 # pingdevfed > acl SSL_ports port 5443 # pingdev > acl CONNECT method CONNECT > http_access allow manager localhost > http_access deny manager > http_access deny !Safe_ports > http_access deny CONNECT !SSL_ports > #http_access deny !memberof > http_access allow localhost > http_access allow HEAD > http_access deny !our_networks > http_access allow Smartconnect > http_access deny blocksites all > http_access allow Approved_Domains > http_access deny RestrictedHost all > http_access allow FullAccess auth NP: FullAccess and auth ACLs require authentication to take place. What is the point of the Java and WindowsUpdate and bypass_auth ACLs being tested *after* auth has already been required of the client? Surely the bypasses should be first and the auth related things after. > http_access allow Java > http_access allow WindowsUpdate > http_access allow bypass_auth > http_access allow bypass_auth-external > http_access allow goto_meeting > http_access allow our_networks all > http_access allow Java our_networks JavaSites > http_access allow auth > http_access deny !auth > http_access deny all > Generally the best pattern to use when designing http_access sequences is this: + allow <things that bypass auth> + "deny !auth" + allow <things that require auth> + "deny all" Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users