My replies are interspersed below, in between lines of _______________________________________________________________________________________________________________________________________ On 6/04/2016 9:16 a.m., Craddock, Tommy wrote: > Hello, > > Trying to use an external ACL helper to do a lookup of my user in a group in a Windows AD. I can test from the command line: > > > /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D > Squid@xxxxxxxxxxx -W /etc/squid/password -f > "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some > Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com tcraddock@xxxxxxxxxxx > Full.Access OK > I'm always a little suspicious about whitespace in the LDAP parameters. Such as you have for "ou=Some Group" in the -f filter. It does depend on how new vs old your Squid is whether that will be treated as two parameters or one passed to the helper by Squid. The commmad line test will always pass it as one parameter. If you can rework your ou= parameter to avoid the whitespace it might work better (just a maybe, but you do have Squid 3.1). _______________________________________________________________________________________________________________________________________________ MY REPLY: Amos, I moved my group into a different OU, called Some.OU, and it still gives me the same result in the cache.log: In squid.conf: external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid@xxxxxxxxxxx -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=$)(memberof=cn=%g,ou=Some.OU,dc=example,dc=com))" -h dc01.example.com In cache.log: 2016/04/07 09:26:55.123| aclMatchExternal: memberof("tcraddock@xxxxxxxxxxx Full.Access") = lookup needed 2016/04/07 09:26:55.123| aclMatchExternal: "tcraddock@xxxxxxxxxxx Full.Access": entry=@0, age=0 2016/04/07 09:26:55.123| aclMatchExternal: "tcraddock@xxxxxxxxxxx Full.Access": queueing a call. 2016/04/07 09:26:55.123| aclMatchExternal: "tcraddock@xxxxxxxxxxx Full.Access": return -1. 2016/04/07 09:26:55.123| externalAclLookup: lookup in 'memberof' for 'tcraddock@xxxxxxxxxxx Full.Access' 2016/04/07 09:26:55.128| externalAclHandleReply: reply="ERR" 2016/04/07 09:26:55.128| external_acl_cache_add: Adding 'tcraddock@xxxxxxxxxxx Full.Access' = 0 2016/04/07 09:26:55.128| aclMatchExternal: memberof = 0 __________________________________________________________________________________________________________________________________________________________________ > > In the file referenced in the ACLs: > > acl RestrictedAccess external memberof "/etc/squid/restricted_access.txt" > acl FullAccess external memberof "/etc/squid/full_access.txt" > > > it has: > > cat /etc/squid/full_access.txt > Full.Access > > cat /etc/squid/restricted_access.txt > Restricted.Access > Speaking of white spaces. The only reason for using files there is when the group name contains a whitespace character. TO avoid a squid.conf parser bug (Sorry). If those dots are in fact dots and not spaces, then you dont need the extra files. ______________________________________________________________________________________________________________________________________ MY REPLY: Understood, changed this to: acl RestrictedAccess external memberof Restricted.Access acl FullAccess external memberof Full.Access _______________________________________________________________________________________________________________________________________ > > ### provide basic authentication via ldap for clients not > authenticated via kerberos/ntlm auth_param basic program > /usr/lib64/squid/squid_ldap_auth -R -b "dc=example,dc=com" -D > Squid@xxxxxxxxxxx -W /etc/squid/password -f sAMAccountName=%s -h > DC01.EXAMPLE.COM auth_param basic children 10 auth_param basic realm > Internet Proxy auth_param basic credentialsttl 1 minute > Your NTLM and Negotiate authenticators have a parameter requiring membership of the Ful.Access group as part of the auth process. That means you should be able to use the auth type to tell what group they are a member of. _______________________________________________________________________________________________________________________________________ How? Ive tried to find out how to use that in a ACL but I haven’t been able to find an example. Plus, since Im using negotiate with NTLM and Kerberos, if the client uses Kerberos, does the NTLM group membership parameter even get used? _______________________________________________________________________________________________________________________________________ > http_access allow manager localhost > http_access deny manager > http_access deny !Safe_ports > http_access deny CONNECT !SSL_ports > #http_access deny !memberof > http_access allow localhost > http_access allow HEAD > http_access deny !our_networks > http_access allow Smartconnect > http_access deny blocksites all > http_access allow Approved_Domains > http_access deny RestrictedHost all > http_access allow FullAccess auth NP: FullAccess and auth ACLs require authentication to take place. What is the point of the Java and WindowsUpdate and bypass_auth ACLs being tested *after* auth has already been required of the client? Surely the bypasses should be first and the auth related things after. > http_access allow Java > http_access allow WindowsUpdate > http_access allow bypass_auth > http_access allow bypass_auth-external http_access allow goto_meeting > http_access allow our_networks all http_access allow Java our_networks > JavaSites http_access allow auth http_access deny !auth http_access > deny all > Generally the best pattern to use when designing http_access sequences is this: + allow <things that bypass auth> + "deny !auth" + allow <things that require auth> + "deny all" Amos _______________________________________________________________________________________________________________________________________ How does this look? http_access deny !our_networks http_access allow manager localhost http_access allow HEAD http_access allow Smartconnect http_access allow Java http_access allow WindowsUpdate http_access allow bypass_auth http_access allow bypass_auth-external http_access allow Approved_Domains http_access allow goto_meeting http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny blocksites http_access deny RestrictedHost http_access deny !auth http_access allow FullAccess auth http_access allow auth http_access deny all _______________________________________________________________________________________________________________________________________ Thanks! Tommy Craddock ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________ _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users