
Re: Assistance Needed for Kerberos Authentication with AD Group-Based ACLs in Squid

On 1/01/25 23:34, Enfal Gok wrote:
...
    *The Problem:*
      * When users authenticate via Kerberos, the Squid ACLs based on AD
        groups are not being matched.
      * All users fall into the default "http_access deny all" rule,
        even if they belong to a permitted AD group.
    *Log Example:*
    In the cache.log file, I see the following entries:

    WARNING: external_acl_type 'ldap_group' queue overload ...


You have more lookups being performed than the helper processes can handle. Either they are too slow or too many queries per second are happening.


First thing to do (quick workaround) is to expand how many helper processes are running, and how many queries they can have queued.

These are done with the "children-max=" option on external_acl_type lines. Since you have 4 ACLs sharing the helpers, IMO you should set that to 4x the default. Expand as needed if the problem remains.

Avoid "concurrency" as the helper you are using does not (yet) support that. If anything, set it to "0" explicitly.



    Checklist.cc answer DENIED for match ... setAuth: WARNING: Graceful
    closure on conn due to connection-auth erase from
    ConnStateData::SwanSong cleanup

*Request for Assistance:*

  * How can I ensure that Squid properly applies AD group-based ACLs
    when users authenticate via Kerberos?

The ACL and http_access portions of your config look fine to me. At least for the LDAP_Group helper you are using.


If you can, try to convert to the newer "note ACL" way of checking groups.

The latest Kerberos negotiate_kerberos_auth helper should provide the "group=" annotations to Squid during the auth credentials check. Then you can replace the "external" type ACL with a "note" type, and drop the group lookup entirely.

Like so:
"
  acl FullAccess note group SSID-of-FullAccess
  acl Restricted note group SSID-of-Restricted
  acl Filtered note group SSID-of-Filtered
  acl Blocked note group SSID-of-Blocked
"

Where the SSID-of-XX are the values the auth helper produces for those groups.




  * Are there specific configurations or known limitations for combining
    Kerberos authentication with LDAP group validation in Squid?


Big ones I know of are true for any use of helpers:
 * speed of the lookups,
 * resource overheads of using more processes,
 * HOL blocking for busy proxies.

Unfortunately the LDAP group helper right now ticks all of those checkboxes for worst-case usage.



HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
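To make the two approaches in Amos's reply concrete, here is an added squid.conf fragment (constructed for this note, not taken from the thread or from the Squid project). It assumes helper binaries under /usr/lib/squid, the service principal HTTP/proxy.example.com@EXAMPLE.COM, and a negotiate_kerberos_auth build with PAC group support; the group SIDs, DNs and LDAP helper options are placeholders to be replaced with your own.

```conf
# --- Option A: keep the external LDAP group helper, but give it headroom ---
# Raise the helper pool (children-max=20 is an illustrative value, roughly
# 4x a small default; tune against the "queue overload" warnings) and keep
# concurrency at 0 because ext_ldap_group_acl answers one query at a time.
# ttl/negative_ttl cache answers so repeated checks do not hit the helper.
external_acl_type ldap_group ttl=300 negative_ttl=60 children-max=20 children-startup=5 children-idle=2 concurrency=0 %LOGIN /usr/lib/squid/ext_ldap_group_acl [your existing helper options]

# One external lookup per ACL: four ACLs share the same helper pool.
acl FullAccess external ldap_group "CN=FullAccess,OU=Groups,DC=example,DC=com"
acl Restricted external ldap_group "CN=Restricted,OU=Groups,DC=example,DC=com"
acl Filtered   external ldap_group "CN=Filtered,OU=Groups,DC=example,DC=com"
acl Blocked    external ldap_group "CN=Blocked,OU=Groups,DC=example,DC=com"

# --- Option B: let the Kerberos helper supply group SIDs, drop the LDAP lookup ---
# negotiate_kerberos_auth returns "group=<SID>" annotations with the credentials
# (assumes PAC support in the build); a "note" ACL matches them directly, so no
# external_acl_type, no extra helper processes, no HOL blocking on group checks.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive on

acl auth_users proxy_auth REQUIRED

# Placeholder SIDs: substitute the SID of each AD group as reported by your
# directory tooling. The annotation only exists after authentication succeeded,
# so the proxy_auth check must come before any note ACL in http_access.
acl FullAccess note group S-1-5-21-PLACEHOLDER-FULLACCESS
acl Restricted note group S-1-5-21-PLACEHOLDER-RESTRICTED
acl Filtered   note group S-1-5-21-PLACEHOLDER-FILTERED
acl Blocked    note group S-1-5-21-PLACEHOLDER-BLOCKED

http_access deny !auth_users
http_access deny Blocked
http_access allow FullAccess
# Restricted / Filtered policies go here, per local rules.
http_access deny all
```

Use one option or the other, not both at once: with Option B the external_acl_type line and its four "external" ACLs are removed entirely, which is what eliminates the helper queue.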



