On 26/01/2017 4:28 a.m., Leonardo Bacha Abrantes wrote:
> Hi guys,
>
> I have an active directory running on windows server 2008 r2 and squid
> (version 3.5.20 - CentOS 7) authenticating via LDAP (without kerberos).
> The ldap authentication is working; the trouble is to create ACLs based on
> active directory groups.
>
> OBS: When I run both basic_ldap_auth and ext_ldap_group_acl commands
> manually as squid user in console to test, I receive 'OK' as answer.
>
> --->>> My squid.conf:
>
> auth_param basic program /usr/lib64/squid/basic_ldap_auth -P -R -b ou=Users,ou=city,ou=country,dc=company,dc=local -D CN=bindUser,DC=company,DC=local -W PasswdFile -f sAMAccountName=%s -h 192.168.1.9
> auth_param basic children 10
> auth_param basic realm XXXXX
> auth_param basic credentialsttl 10 minutes
>
> external_acl_type memberof %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -R -b OU=city,OU=country,DC=company,DC=local -D CN=bindUser,DC=company,DC=local -W PasswdFile -h 192.168.1.9 -f '(&(objectClass=person)(sAMAccountName=%v)(memberOf=CN=%a,OU=Groups,OU=city,OU=country,dc=company,dc=local))'
>
> #Also tried memberOf=CN=%*g*
>
> acl fullaccess external memberof squid_fullaccess
>
> acl LdapUsers proxy_auth REQUIRED
> http_access allow fullaccess LdapUsers

Two things that you really NEED to know:

1) Order is important.
<http://wiki.squid-cache.org/SquidFaq/OrderIsImportant>

So the http_access line you are using tells Squid to check the group, and only for members of the group is authentication to be performed. How exactly do you expect Squid to know what user to check the groups for *before* authentication has happened?

2) The popup is a browser decision. All Squid is doing is telling the browser that credentials are needed to use the proxy, and what types it can accept. If the browser were properly doing its SSO the popup would not happen. There is nothing we can do about that.
What you should do is deny non-authenticated users and only then check the groups for people who have authenticated:

http_access deny !LdapUsers
http_access allow fullaccess

If the popup still occurs, then consider whether the browser was supposed to have the right credentials to begin with (i.e. registered to the AD domain controller). If it does, why is it not sending them instead of doing the popup?

Amos
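The following squid.conf fragment is an added illustration of the ordering point made in the reply above; it is not configuration from the thread or from the Squid project. It reuses the ACL names from the quoted squid.conf (LdapUsers, fullaccess, memberof) and shows the posted rule beside the corrected sequence. Squid walks http_access lines top to bottom, evaluates the ACLs on each line left to right, and the first line whose ACLs all match decides the request; the trailing "deny all" is an addition of this example, not part of the two-line suggestion.

```conf
# Added example: the posted http_access ordering beside the corrected one.
# ACL names are taken from the quoted squid.conf; "http_access deny all" is
# an addition of this example.

acl LdapUsers proxy_auth REQUIRED
acl fullaccess external memberof squid_fullaccess

# --- As posted: group check first ---
# ACLs on a line are tested left to right and the line fails at the first
# non-match. "fullaccess" is an external ACL keyed on %LOGIN, so it is
# consulted before "LdapUsers" has produced a login name.
# http_access allow fullaccess LdapUsers

# --- Corrected: authenticate first, then check group membership ---

# 1. Anything without valid proxy credentials is denied here; for a request
#    that carries no credentials, this is the line that makes Squid send the
#    407 challenge the browser reacts to.
http_access deny !LdapUsers

# 2. Every request that reaches this line has a verified login name, so the
#    ext_ldap_group_acl helper receives a real %LOGIN value to substitute for
#    %v in its search filter.
http_access allow fullaccess

# 3. Authenticated but not a member of squid_fullaccess: explicit final deny
#    (added in this example so the end of the list does not rely on the
#    default behaviour of the last rule).
http_access deny all
```

With this order the group lookup is only ever attempted for a known user, which is exactly the case that was reported to return OK when the helper was run by hand.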