@Amos Thanks for this. So, to recap: if I currently have

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 20
auth_param negotiate keep_alive on
external_acl_type InternetAccessBanking %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -u ldaps://aesdc02.surcouf.local:636 -b cn=SSSUsers,dc=surcouf,dc=local -g InternetAccessBanking

I could replace it by

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 20
auth_param negotiate keep_alive on
acl InternetAccessBanking note group S-1-5-21-123456789-123456789-123456789-1234

Note: S-1-5-21-123456789-123456789-123456789-1234 is the SID for the group InternetAccessBanking.

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amos Jeffries
Sent: 16 March 2017 09:24
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: kerb auth groups KV note acl config

On 15/03/2017 10:18 p.m., Mike Surcouf wrote:
> This is bulleted as a new feature for v4.
> Yet there is no way to test this without a quick reply letting me know the basic usage.
> Anyone got a snippet on how this is set up?
>

[ For TL;DR skip to the end of this mail. All this first block is just describing how it works. ]

This should be doable with Squid-3.4+ or at least 3.5. It requires only the note ACL in squid plus a helper that sends group= response annotations.

It is marked as v4 because that is where the first helper with such support is bundled. You can run that helper with older Squid, for example by downloading Markus' latest release and building your own helper.

An auth helper which supports it does not need anything configured by you. It will "just work" (or not if it lacks annotation support). That part is just a matter of finding out / ensuring your auth helper provides the group kv-pairs. The usual command-line tests can probably show that.
The auth helper by Markus should be producing a set of group=X annotations automatically, one for each group the user is a member of. Where the X is what AD calls a "SID" value representing a unique ID for each group.

After those are received by Squid the note ACL type can be used in squid.conf to match any of them quickly without an external helper lookup for the group details. That enables reliable group ACLs anywhere in squid.conf where they were previously at the mercy of external helper result timeouts.

In absence of that input from the auth helper, an external_acl_type helper or *any* helper really :-) can also send the same annotations to Squid - with the same note ACL config later.

In its current form this is obviously most useful if you know the SID that group names map to and can configure the note ACL appropriately. I am hopeful that other helpers may be able to produce named groups or such. But the values are likely to be specific to whatever the auth system can provide.

For group lookup and comparison by name (the 'old' way) you can still use an external helper. As I understand it AD requires two lookups; one to find the user's SID memberships and one to find the group name->SID mapping for the group(s) being checked - then compare. The first is not needed if the SID (%note{group}) is passed to the helper instead of username (%LOGIN). This part does require v4, and has not been much tested to see where the %note format code works for external_acl_type helpers (and where not). YMMV.

IIRC Markus was waiting on support for %note{group} format code on external_acl_type config lines. But that happened a long while back now.

> -----Original Message-----
> From: Mike Surcouf
>
> Outputting the groups as KV pairs in AD environments on auth seems like a great performance enhancement and will allow me to ditch my ldap lookups.
> Are there any docs on how to set this up?
> Even looking at the source I can't seem to work it out.
> I would like to test and potentially contribute to the DOCS although I am only a git user and bazaar would be new to me so I may just post my experience in this thread.
>
> From what I can see I need to set up a note acl but I am unsure of the key names etc.

Correct. The key name is "group" ;-)

>
> A short example would be great.
>

As far as I am aware it should look like this:

  acl blah note group SID-12345-762576257263
  request_max_size 1 MB blah

Maybe also the -m flag on the ACL definition if recent changes merged the group notes into a list.

HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
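As an added example (not from this thread or from the Squid project), the following Python emulates the two steps Amos describes: parsing the group= annotations out of an auth helper reply, then matching them the way a "note" ACL would, both without and with -m. The helper's key=value quoting rules, the comma as the merge delimiter and the -m list semantics are my assumptions about Squid's behaviour; the user names and SIDs are constructed placeholders.

```python
import re

# Constructed sample helper replies in Squid's "RESULT key=value ..." shape;
# the SIDs are placeholders, not values from any real directory.
BANKING_SID = "S-1-5-21-123456789-123456789-123456789-1234"
DOMAIN_USERS_SID = "S-1-5-21-123456789-123456789-123456789-513"
SAMPLE_REPLIES = [
    f"OK user=msurcouf group={BANKING_SID} group={DOMAIN_USERS_SID}",
    f'OK user="Jane Doe" group={DOMAIN_USERS_SID}',
    'ERR message="no Kerberos token presented"',
]

# key=value, or key="quoted value" where \" escapes a quote (assumed quoting rules)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_helper_reply(line):
    """Return (result, notes) for one helper reply line.
    result is the leading OK/ERR/BH token; notes maps each key to the
    list of values seen, so repeated group= pairs are all kept."""
    result, _, rest = line.strip().partition(" ")
    notes = {}
    for key, raw in KV_RE.findall(rest):
        value = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
        notes.setdefault(key, []).append(value)
    return result, notes


def merge_repeated(notes, delim=","):
    """Collapse repeated keys into one delimited value, mirroring the
    'merged into a list' behaviour Amos mentions (delimiter is an assumption)."""
    return {k: [delim.join(v)] for k, v in notes.items()}


def note_acl_matches(notes, name, values=(), list_delims=None):
    """Emulate 'acl X note [-m[=delims]] name [value ...]'.
    Without -m an annotation value must equal one of the configured values.
    With -m (list_delims set) each annotation value is split on those
    delimiters first, so a merged group list still matches a single SID."""
    candidates = []
    for v in notes.get(name, []):
        if list_delims is None:
            candidates.append(v)
        else:
            candidates.extend(t for t in re.split("[" + re.escape(list_delims) + "]", v) if t)
    if not values:
        return bool(candidates)  # bare name: any annotation with that name matches
    return any(c in values for c in candidates)


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        result, notes = parse_helper_reply(reply)
        merged = merge_repeated(notes)
        print(result, notes.get("user"),
              "exact:", note_acl_matches(merged, "group", [BANKING_SID]),
              "-m:", note_acl_matches(merged, "group", [BANKING_SID], ","))
```

The run shows why the -m flag matters once groups arrive as one merged list: the exact match only succeeds for a user whose single group is the configured SID, while the -m variant matches the banking SID inside a multi-group value.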