On Tue, Aug 30, 2016 at 4:05 AM, alberto <alberto.furia@xxxxxxxxx> wrote:
Hi all,

I have a squid3 installation with kerberos ldap groups authentication. Everything works like a charm except for one of my users that belongs to too many groups (more than 50): this user can not browse any site because of an authentication problem. I always see TCP_DENIED/407 in the squid log file for that user.

Is there a parameter that I can change in the squid.conf file to increase the number of groups allowed during authentication?

FYI I'm on Debian Jessie and using this kerberos configuration
If you are using group membership authorization purely to allow/deny access globally (rather than for specific sites), you can tweak your filter to accomplish that...
====squid.conf snippet=======
[snip]
################# Basic Auth ########################
auth_param basic program /usr/lib/squid3/basic_ldap_auth -D srvc_squid@xxxxxxxxxxx -W /etc/squid3/ldappwd.txt -h "example.lcl" -b "OU=root,DC=EXAMPLE,DC=LCL" -s sub -f "(&(objectClass=Person)(sAMAccountName=%s))"
this filter (after "-f") could be tweaked like this:
(&(objectClass=Person)(sAMAccountName=%s)(|(memberOf=CN=group1,OU=somewhere,dc=EXAMPLE,dc=LCL)(memberOf=CN=group2,OU=somewhere,dc=EXAMPLE,dc=LCL)))
That would allow the user to log in if they are a member of either group. (that syntax/schema is for AD, feel free to adjust as needed)
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
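As an added illustration (not code from the thread or from Squid), the script below builds the group-restricted search filter the reply describes, escapes the value that replaces `%s` per RFC 4515, and evaluates the filter against a few constructed directory entries to show which users the search would return. The group DNs and user entries are made up for the example.

```python
import re
GROUPS = [  # hypothetical group DNs, the same shape as the reply's example
    "CN=group1,OU=somewhere,dc=EXAMPLE,dc=LCL",
    "CN=group2,OU=somewhere,dc=EXAMPLE,dc=LCL",
]
USERS = {  # constructed directory entries (attribute -> values), not real data
    "alice": {"objectclass": ["Person"], "samaccountname": ["alice"],
              "memberof": ["cn=group1,ou=somewhere,dc=example,dc=lcl"]},
    "bob": {"objectclass": ["Person"], "samaccountname": ["bob"],
            "memberof": ["CN=other,OU=somewhere,dc=EXAMPLE,dc=LCL"]},
}
def escape_value(value):
    """RFC 4515 escaping for anything substituted into a filter (what %s must get)."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def build_filter(username, group_dns):
    """(&(objectClass=Person)(sAMAccountName=<user>)(|(memberOf=g1)(memberOf=g2)...))"""
    groups = "".join(f"(memberOf={escape_value(g)})" for g in group_dns)
    return f"(&(objectClass=Person)(sAMAccountName={escape_value(username)})(|{groups}))"

def _parse(s, i=0):
    """Recursive-descent parser for the subset used here: &, | and attr=value."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        assert s[i] == ")", "unbalanced filter"
        return (op, kids), i + 1
    end = s.index(")", i)  # a ')' inside a value arrives escaped as \29
    attr, _, val = s[i:end].partition("=")
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), val)
    return ("=", attr.strip().lower(), val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry; comparisons are case-insensitive."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    return node[2].lower() in (v.lower() for v in entry.get(node[1], []))
def allowed(username, group_dns=GROUPS, users=USERS):
    """True when the search would return an entry, i.e. basic_ldap_auth accepts the user."""
    flt = build_filter(username, group_dns)
    node, end = _parse(flt)
    assert end == len(flt), "trailing data after filter"
    return any(matches(node, e) for e in users.values())
```

Running `allowed("alice")` returns True (member of group1) while `allowed("bob")` returns False, which is the allow/deny split the reply's filter produces.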