
Assistance Needed for Kerberos Authentication with AD Group-Based ACLs in Squid

Dear Squid Support Team,
I am currently configuring Squid to use Kerberos authentication with Active Directory (AD) group-based access control, but I am encountering an issue where the ACLs for AD groups are not being applied correctly. Below are the details of my setup and the challenges I am facing:
Setup Details:
  1. Kerberos:
    • Kerberos authentication is working successfully.
    • The service principal and keytab are correctly configured, and the kinit command works as expected.
  2. LDAP:
    • LDAP connectivity is functional. I can successfully query the Active Directory using ldapsearch:
      ldapsearch -x -H ldap://172.16.10.254 -D "CN=Administrator,CN=Users,DC=demo,DC=local" -w Passw0rd -b "DC=demo,DC=local" "(sAMAccountName=jon.jones)"
    • The output includes the correct memberof attributes showing the user's group memberships.
  3. Squid Configuration:
    I have configured Squid for LDAP group-based access control as follows:
    external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R \
        -b "DC=demo,DC=local" \
        -D "CN=Administrator,CN=Users,DC=demo,DC=local" \
        -w Passw0rd \
        -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,CN=Users,DC=demo,DC=local))" \
        -h 172.16.10.254

    acl FullAccess external ldap_group FullAccess
    acl Restricted external ldap_group Restricted
    acl Filtered external ldap_group Filtered
    acl Blocked external ldap_group Blocked

    http_access deny Blocked
    http_access allow FullAccess
    http_access allow Restricted allowed_sites
    http_access deny Restricted
    http_access deny Filtered bad_sites
    http_access allow Filtered
    http_access deny all
  4. What Works:
    • Kerberos authentication is functioning as expected.
    • The ext_ldap_group_acl utility works correctly when tested manually:
      echo "jon.jones FullAccess" | /usr/lib/squid/ext_ldap_group_acl -R \
          -b "DC=demo,DC=local" \
          -D "CN=Administrator,CN=Users,DC=demo,DC=local" \
          -w Passw0rd \
          -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,CN=Users,DC=demo,DC=local))" \
          -h 172.16.10.254
      The output returns OK, indicating that the LDAP group membership is correctly validated.
  5. The Problem:
    • When users authenticate via Kerberos, the Squid ACLs based on AD groups are not being matched.
    • All users fall into the default http_access deny all rule, even if they belong to a permitted AD group.
  6. Log Example:
    In the cache.log file, I see the following entries:
    WARNING: external_acl_type 'ldap_group' queue overload ...
    Checklist.cc answer DENIED for match ...
    setAuth: WARNING: Graceful closure on conn due to connection-auth erase from ConnStateData::SwanSong cleanup
Request for Assistance:
  • How can I ensure that Squid properly applies AD group-based ACLs when users authenticate via Kerberos?
  • Are there specific configurations or known limitations for combining Kerberos authentication with LDAP group validation in Squid?
I would greatly appreciate any guidance or suggestions to resolve this issue. If additional logs or details are needed, please let me know.
Thank you for your support!
Best regards,
Enfal gok

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
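As an added example that is not part of the original post or of Squid's own helper code: a small Python model of how an ext_ldap_group_acl-style helper turns the "user group" line Squid writes to it into an LDAP search filter. It reuses the poster's filter template and DNs, but the directory it searches is a constructed in-memory stand-in for AD, not a live server. It shows why "jon.jones FullAccess" typed by hand gets OK while a Negotiate/Kerberos login, which Squid hands to %LOGIN as user@REALM (for example jon.jones@DEMO.LOCAL), does not match (sAMAccountName=%v) unless the realm is stripped first; it also escapes substituted values per RFC 4515 so a username cannot change the filter's structure. The realm-stripping switch it refers to (-K) is the helper's documented option as recalled here, an assumption to confirm against the local helper's usage output.

```python
"""Added example (not from the original post or Squid): models an
ext_ldap_group_acl-style helper offline to show the Kerberos-login vs
LDAP-filter mismatch. DIRECTORY is a constructed stand-in for AD."""
import re

# Filter template copied from the poster's squid.conf: %v = user, %a = group.
FILTER_TEMPLATE = ("(&(objectclass=person)(sAMAccountName=%v)"
                   "(memberof=CN=%a,CN=Users,DC=demo,DC=local))")

# Constructed stand-in for the AD entry the poster's ldapsearch returns.
DIRECTORY = [
    {"objectclass": "person",
     "sAMAccountName": "jon.jones",
     "memberof": ["CN=FullAccess,CN=Users,DC=demo,DC=local"]},
]

# One (attribute=value) assertion inside an AND filter.
ASSERTION = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def ldap_escape(value):
    """RFC 4515 escaping of an assertion value: a username such as
    'x)(cn=*' must not be able to add or close filter components."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch
                   for ch in value)


def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def normalize_login(login, strip_realm):
    """Negotiate/Kerberos logins arrive as user@REALM. With realm stripping
    (what the helper's -K option is understood to do; assumption) only the
    sAMAccountName part is kept for the %v substitution."""
    if strip_realm and "@" in login:
        return login.split("@", 1)[0]
    return login


def build_filter(user, group):
    """Substitute %v and %a into the template with escaped values."""
    return (FILTER_TEMPLATE.replace("%v", ldap_escape(user))
                           .replace("%a", ldap_escape(group)))


def matches(filter_str, entry):
    """Evaluate an AND of equality assertions against one directory entry.
    Attribute values are compared case-insensitively, as AD does."""
    for attr, raw in ASSERTION.findall(filter_str):
        wanted = ldap_unescape(raw).lower()
        have = entry.get(attr)
        if have is None:
            return False
        values = have if isinstance(have, list) else [have]
        if not any(v.lower() == wanted for v in values):
            return False
    return True


def helper_answer(query_line, strip_realm=False):
    """Handle one 'user group' line as Squid's external_acl protocol sends
    it (URL-encoding of the line is omitted here) and answer OK or ERR."""
    user, group = query_line.split()
    flt = build_filter(normalize_login(user, strip_realm), group)
    return "OK" if any(matches(flt, e) for e in DIRECTORY) else "ERR"


if __name__ == "__main__":
    # The poster's manual test: plain sAMAccountName matches.
    print(helper_answer("jon.jones FullAccess"))
    # The same user as Squid passes it after Kerberos auth: no match.
    print(helper_answer("jon.jones@DEMO.LOCAL FullAccess"))
    # With the realm stripped before substitution the lookup works again.
    print(helper_answer("jon.jones@DEMO.LOCAL FullAccess", strip_realm=True))
    # Filter metacharacters in the login are neutralised, not interpreted.
    print(build_filter("jon.jones)(cn=*", "FullAccess"))
```

Running it prints OK, ERR, OK and then the escaped filter; the ERR in the middle is the situation the post describes, where every Kerberos-authenticated user falls through to http_access deny all because the group lookup never matches.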
