> > >> Sent: Wednesday, May 29 2019 6:42
> > >> From: Ilias Clifton
> > >>
> > >> I have Squid 3.5.27 running on Ubuntu 18.04.2, and have been unsuccessful in being able to authenticate users via LDAP (Kerberos is working well).
> > >>
> > >> What else can I do for troubleshooting?
> > >>
> > What I do is take one of the access.log lines and read through the squid.conf (whole thing) to see what squid would do with that transaction. Most 40* status problems are with http_access ordering, so quickly spotted.
> >
> > If you can provide those details in full I'm happy to do so for you. Or someone experienced with a similar config may spot the issue.
>
> See squid.conf below.. Any other config files you need to see?
>
> The users authenticating via LDAP on phones are in an Active Directory group listed in the file /etc/squid/full_access.txt - They do get full internet access when authenticating via Kerberos. I've checked they are entering the correct passwords - although there are special characters in the passwords eg. `^( - Not sure if that could make a difference. Like I said, it works when running basic_ldap_auth on the command line.
>
> ### cache manager
> cache_mgr proxy@xxxxxxxxxx
>
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/PROXY.keytab -r -s GSS_C_NO_NAME
> auth_param negotiate children 10 startup=2 idle=1
> auth_param negotiate keep_alive on
>
> auth_param basic program /usr/lib/squid/basic_ldap_auth -d -R -b "DC=domain,DC=com" -D proxyuser@xxxxxxxxxx -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h dc.domain.com
> auth_param basic children 10 startup=2 idle=1
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 10 minutes
>
> external_acl_type memberof %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=com" -D proxyuser@xxxxxxxxxx -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy, DC=domain, DC=com))" -h dc.domain.com
>
> ### acl for proxy auth and ldap authorizations
> acl auth proxy_auth REQUIRED
> acl BlockedAccess external memberof "/etc/squid/blocked_access.txt"
> acl StandardAccess external memberof "/etc/squid/standard_access.txt"
> acl FullAccess external memberof "/etc/squid/full_access.txt"
> acl allowedsites dstdomain "/etc/squid/allowedsites.txt"
> acl blockedsites dstdomain "/etc/squid/blockedsites.txt"
> acl macaddresses arp "/etc/squid/macaddresses.txt"
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> # allow unauthenticated access to macaddresses in list
> http_access allow macaddresses
> http_access deny !auth
> http_access deny BlockedAccess all
> http_access allow allowedsites
> http_access allow FullAccess auth
> http_access deny blockedsites
> http_access allow StandardAccess auth
> http_access deny all
>
> cache_mem 1024 MB
> cache_dir aufs /var/spool/squid 27648 16 256
>
> ### logging
> access_log /var/log/squid/access.log squid
> err_page_stylesheet /etc/squid/errorpage.css
> error_directory /etc/squid/error_pages
>
> ### squid Debian defaults
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
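The walk-through Amos describes (take a transaction, read the http_access list top to bottom, see which line fires first) can be done mechanically. The following is an added example, not code from the thread or from Squid: it parses the http_access chain exactly as posted above and applies Squid's first-match rule to a few constructed transactions; the ACL truth values for each transaction are assumptions, not data from the poster's access.log.

```python
# Added example (not from the thread): first-match walker over the posted
# http_access chain. Modelled Squid semantics: lines are tried top to bottom,
# a line matches only if every ACL on it matches ("!" negates, "all" always
# matches), the first matching line decides, and if nothing matches Squid
# applies the opposite of the last line's action.
HTTP_ACCESS = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow macaddresses
http_access deny !auth
http_access deny BlockedAccess all
http_access allow allowedsites
http_access allow FullAccess auth
http_access deny blockedsites
http_access allow StandardAccess auth
http_access deny all
"""

def parse_http_access(text):
    """Return [(action, [acl, ...]), ...] for each http_access line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def evaluate(rules, facts):
    """facts maps ACL name -> bool for one transaction (absent = False).
    Returns (action, 1-based index of the deciding line or None, line text)."""
    for idx, (action, acls) in enumerate(rules, 1):
        for acl in acls:
            name = acl.lstrip("!")
            hit = True if name == "all" else facts.get(name, False)
            if acl.startswith("!"):
                hit = not hit
            if not hit:
                break
        else:  # every ACL on this line matched: first match decides
            return action, idx, "http_access %s %s" % (action, " ".join(acls))
    return ("deny" if rules[-1][0] == "allow" else "allow"), None, "implicit default"

# Constructed transactions (assumed ACL outcomes, not real log data): a phone
# user authenticated via LDAP and in the FullAccess group, the same request
# before any credentials were sent, and an authenticated user in no group.
BASE = {"Safe_ports": True}
PHONE_FULL = dict(BASE, auth=True, FullAccess=True)
NO_CREDS = dict(BASE)   # stops at "deny !auth": that line is the 407 challenge
NO_GROUP = dict(BASE, auth=True)
```

Feeding a transaction's actual ACL outcomes into `evaluate()` names the exact http_access line that produced a 403 or 407, which is what to check first before suspecting the LDAP helper.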