Hi,
When using the latest squid 4 release you can use %note{group} to get
the group information from the Negotiate Kerberos helper to transfer the PAC
group SIDs to the external ACL helper.
squid.conf
...
external_acl_type test_acl ipv4 %LOGIN %note{group} /opt/squid-trunk/sbin/test_acl
acl squid_allow external test_acl
...
The helper script will initially look for the objectsid of the group
SQUID_ALLOW (i.e. it will only be called when the helper is started and
never again - good for performance). After that the SIDs from the Kerberos
PAC information are compared with the previously retrieved SID from AD.
#!/bin/bash
#
# GET SID for Group
#
# Helper log lines go to stderr (squid writes them to cache.log); stdout is
# reserved for the OK/ERR answers of the external ACL protocol.
log() { echo "$(date +"%Y/%m/%d %H:%M:%S")| test_ACL: $*" >&2; }

export KRB5CCNAME=/tmp/squid_krb5cc
kinit -kt /etc/squid/squid.keytab HTTP/opensuse42.suse.home
# Fetch the base64-encoded objectSid of SQUID_ALLOW once, at helper start.
SID=$(ldapsearch -LLL -Ygssapi -H ldap://dc1.samba.home:389 -s sub -b "DC=samba,DC=home" "(CN=SQUID_ALLOW)" objectsid 2>&1 | awk '{ if ( $0 ~/^object/ ) print $2}')
# An empty SID would silently match nothing (or an empty group entry), so
# refuse to serve requests rather than answer with an unverified SID.
if [ -z "$SID" ]; then
  log "could not retrieve SID for SQUID_ALLOW, exiting"
  exit 1
fi
log "SID=$SID"
#
# Loop over input: one request per line, "<user> <sid1>,<sid2>,..."
# (read fails at EOF, so the loop ends when squid closes the pipe instead of spinning)
#
while read -r input; do
  found=0
  user=$(echo "$input" | awk '{ print $1 }')
  groups=$(echo "$input" | awk '{ print $2 }')
  log "user=$user"
  log "groups=$groups"
  if [ -n "$groups" ]; then
    while read -r group; do
      if [ "$group" == "$SID" ]; then
        log "matched group: $group"
        found=1
        echo "OK"
        break   # exactly one answer line per request
      fi
    done <<< "$(echo "$groups" | tr , "\n")"
  fi
  if [ $found -eq 0 ]; then
    echo "ERR"
  fi
done
Example log from the cache.log file
2017/08/08 20:02:02 kid1| helperOpenServers: Starting 0/5 'test_acl' processes
2017/08/08 20:02:02 kid1| helperOpenServers: No 'test_acl' processes needed.
2017/08/08 20:02:23 kid1| Starting new test_acl helpers...
2017/08/08 20:02:23 kid1| helperOpenServers: Starting 1/5 'test_acl' processes
2017/08/08 20:02:24| test_ACL: SID=AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA==
2017/08/08 20:02:24| test_ACL: user=Administrator@xxxxxxxxxx
2017/08/08 20:02:24| test_ACL: groups=AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVCAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVPAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVBwIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVBgIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVAAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA==
2017/08/08 20:02:24| test_ACL: matched group: AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA==
Regards
Markus
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
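The values the helper compares above are base64 encodings of the binary objectSid structure, which is hard to audit by eye. The following Python script is an added example (not part of Markus's post, and not Squid's or Samba's code) that decodes such a value into the familiar S-1-5-21-...-RID form, evaluates one helper request line using the same "<user> <sid>,<sid>,..." input and OK/ERR answer convention the post describes, and can run as the helper itself reading stdin. The allowed group may be given either as the base64 objectSid from ldapsearch or as an S-1-... string; the user name in the constructed sample request uses a placeholder realm because the post masks it.

```python
import base64
import struct
import sys

# The SID from the post's cache.log (objectSid of SQUID_ALLOW, base64 of the binary SID).
ALLOWED_GROUP_SID_B64 = "AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA=="

# Constructed sample request line in the helper's input format: "<user> <sid>,<sid>,...".
# The group list is the one logged in the post; the realm is a placeholder (the post masks it).
SAMPLE_REQUEST = (
    "Administrator@REALM.PLACEHOLDER "
    "AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVCAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVPAIAAA==,"
    "AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVBwIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVBgIAAA==,"
    "AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVAAIAAA==,AQUAAAAAAAUVAAAAjxbSIudxUpznEbHVUwQAAA=="
)

# A few well-known domain-relative RIDs, useful when reading decoded PAC group SIDs.
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}


def sid_from_bytes(raw: bytes) -> str:
    """Convert a binary Windows SID (objectSid) to its S-R-A-S1-...-Sn string form.

    Layout: byte 0 revision, byte 1 sub-authority count, bytes 2..7 the 48-bit
    identifier authority (big-endian), then count 32-bit little-endian sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_from_base64(b64: str) -> str:
    """Decode an objectSid as printed by ldapsearch (base64) into S-1-... form."""
    # validate=True makes non-base64 input raise binascii.Error (a ValueError subclass).
    return sid_from_bytes(base64.b64decode(b64, validate=True))


def rid(sid: str) -> int:
    """Relative identifier: the last sub-authority of a SID."""
    return int(sid.rsplit("-", 1)[1])


def normalize_sid(value: str) -> str:
    """Accept either an S-1-... string or a base64 objectSid and return the S-1-... form."""
    return value if value.startswith("S-") else sid_from_base64(value)


def evaluate(line: str, allowed_group: str) -> str:
    """Answer one helper request: "OK" if the user's PAC groups contain the allowed group.

    Any malformed input (missing group field, undecodable SID) is a deny, never an OK.
    """
    fields = line.split()
    if len(fields) < 2:
        return "ERR"
    groups = fields[1]
    try:
        allowed = normalize_sid(allowed_group)
        member_of = {sid_from_base64(g) for g in groups.split(",") if g}
    except ValueError:
        return "ERR"
    return "OK" if allowed in member_of else "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout, allowed_group: str = ALLOWED_GROUP_SID_B64) -> None:
    """Run as a Squid external ACL helper: one answer line per request line, flushed each time."""
    for line in stdin:
        stdout.write(evaluate(line.rstrip("\n"), allowed_group) + "\n")
        stdout.flush()


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--decode":
        # Audit mode: print the decoded SIDs of a base64 list, with well-known RIDs named.
        for g in sys.argv[2].split(","):
            s = sid_from_base64(g)
            print(s, WELL_KNOWN_RIDS.get(rid(s), ""))
    else:
        serve()
```

Decoding the post's SID gives S-1-5-21-584193679-2622648807-3585151463-1107, and the five other groups in the logged request carry the RIDs 520, 572, 519, 518 and 512 of the same domain. Comparing decoded SIDs rather than the raw base64 strings lets the allowed group be configured in the form an AD administrator already knows, and the helper writes and flushes exactly one answer line per request, which is what Squid's external ACL interface expects.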