Re: [squid-users] Re: Native Kerberos (squid_kerb_auth) with LDAP-Fallback (squid_ldap_auth)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 12 Aug 2010 01:02:31 +1200

Tom Tux wrote:
> Hi Amos
>
> Thanks a lot for this explanation. Both configurations separately -
> native kerberos and native ldap - are working fine. But in
> combination, there is still one problem.
>
> Here is my actual configuration (combined two mechanisms) again:
>
> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
> auth_param negotiate children 50
> auth_param negotiate keep_alive on
> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
> /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "InternetUsers"
> acl INTERNET_ACCESS external SQUID_KERB_LDAP
>
> external_acl_type SQUID_DENY_KERB_LDAP ttl=3600 negative_ttl=3600
> %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g
> "DenyInternetUsers"
> acl DENY_INTERNET_ACCESS external SQUID_DENY_KERB_LDAP
>
> # LDAP-Fallback
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R
> -v 3 -b "dc=xx,dc=yy" -D "cn=binduser,dc=xx,dc=yy" -w "something" -f
> "(&(&(objectClass=Person)(sAMAccountName=%s))(memberOf=cn=InternetUsers,DC=xx,DC=yy))"
> -c 3 -h ldaps://xx.xx.xx.xx -h ldaps://xx.xx.xx.xx
> auth_param basic children 20
> auth_param basic realm "Internet Access"
> auth_param basic credentialsttl 2 hour
> acl INTERNET_ACCESS_LDAP proxy_auth REQUIRED src 0.0.0.0

The "src" and "0.0.0.0" usernames (yes *usernames*) should be ignored by
Squid.

>
>
> And here the relevant part of the http_access-directives:
> http_access deny DENY_INTERNET_ACCESS
> http_access deny !INTERNET_ACCESS
> http_access deny !INTERNET_ACCESS_LDAP
> http_access allow INTERNET_ACCESS
> http_access allow INTERNET_ACCESS_LDAP
> http_access deny all
>
> With this configuration, I'm able to access with kerberos, but never
> with ldap. I always get an "access denied". What directives do I have
> to change/add, to get both accesses (kerberos & ldap)?

Run Squid with "debug_options 82,3 28,3" to check which ACLs are
matching and which denying.

I notice the !INTERNET_ACCESS is required to pass before anything is
allowed. It could be that your Basic protocol credentials are not being
accepted by the Negotiate/Kerberos protocol group helper and inverting
into a deny.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.6
   Beta testers wanted for 3.2.0.1
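The following is an added illustration of the first-match behaviour Amos describes; it is not code from this thread or from the Squid project. It models http_access evaluation for the posted ruleset and for a reordered one, with the external helper's verdicts hard-coded to Amos's hypothesis (a login that came in via Basic is not accepted by the squid_kerb_ldap group helper and yields ERR). User names, realm and group memberships are constructed, and the reordered ruleset is a suggestion of this example, not something Amos proposed. The "which line matched" result is what "debug_options 28,3 82,3" (access control and external ACL sections) would let you confirm on a real Squid.

```python
"""Constructed model of Squid http_access evaluation.  Talks to no Squid,
LDAP or Kerberos; helper verdicts are assumptions and labelled as such."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str         # login as Squid would hand it to an external helper via %LOGIN
    scheme: str       # "negotiate" or "basic": which auth_param scheme succeeded (assumed)
    groups: frozenset  # group memberships the directory would report (assumed)


def kerb_ldap_helper(req, group):
    """Stand-in for squid_kerb_ldap -g <group>.  Assumption (Amos's hypothesis):
    a login that arrived via Basic is not accepted by the Kerberos group
    helper, so it answers ERR whatever the group membership."""
    if req.scheme != "negotiate":
        return False
    return group in req.groups


# ACL names are those from the posted squid.conf; bodies are the modelled tests.
ACLS = {
    "INTERNET_ACCESS": lambda r: kerb_ldap_helper(r, "InternetUsers"),
    "DENY_INTERNET_ACCESS": lambda r: kerb_ldap_helper(r, "DenyInternetUsers"),
    # proxy_auth REQUIRED matches any request with valid credentials from either
    # scheme; Squid has no ACL type that tells Negotiate and Basic logins apart.
    "INTERNET_ACCESS_LDAP": lambda r: r.user is not None,
    "all": lambda r: True,
}


def parse_rules(conf):
    """Turn http_access lines into (action, [acl, ...], original_line) triples."""
    rules = []
    for line in conf.strip().splitlines():
        words = line.split()
        if len(words) < 3 or words[0] != "http_access":
            raise ValueError("not an http_access line: %r" % line)
        if words[1] not in ("allow", "deny"):
            raise ValueError("action must be allow or deny: %r" % line)
        rules.append((words[1], words[2:], line))
    return rules


def evaluate(rules, req):
    """First-match semantics: the ACLs on one line are ANDed, a leading '!'
    negates, and the first line whose ACLs all match decides.  If no line
    matches, the result is the opposite of the last line's action."""
    for action, acl_names, line in rules:
        for name in acl_names:
            matched = ACLS[name.lstrip("!")](req)
            if name.startswith("!"):
                matched = not matched
            if not matched:
                break
        else:
            return action, line
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), "implicit default"


# The http_access block as posted in the thread.
ORIGINAL = """
http_access deny DENY_INTERNET_ACCESS
http_access deny !INTERNET_ACCESS
http_access deny !INTERNET_ACCESS_LDAP
http_access allow INTERNET_ACCESS
http_access allow INTERNET_ACCESS_LDAP
http_access deny all
"""

# Suggested reordering (this example's, not Amos's): no "deny !X" line that
# a Basic login must pass before the allow lines are reached.
REORDERED = """
http_access deny DENY_INTERNET_ACCESS
http_access allow INTERNET_ACCESS
http_access allow INTERNET_ACCESS_LDAP
http_access deny all
"""

# Constructed sample logins; realm, names and memberships are made up.
KERB_MEMBER = Request("tom@EXAMPLE.COM", "negotiate", frozenset({"InternetUsers"}))
KERB_BLOCKED = Request("eve@EXAMPLE.COM", "negotiate",
                       frozenset({"InternetUsers", "DenyInternetUsers"}))
KERB_OUTSIDER = Request("bob@EXAMPLE.COM", "negotiate", frozenset())
# squid_ldap_auth's -f filter already required memberOf=InternetUsers, so a
# Basic login that succeeded is by construction a group member.
BASIC_MEMBER = Request("tom", "basic", frozenset({"InternetUsers"}))

SAMPLES = {"kerb member": KERB_MEMBER, "kerb blocked": KERB_BLOCKED,
           "kerb outsider": KERB_OUTSIDER, "basic member": BASIC_MEMBER}


def compare():
    """Verdict per sample login: {name: (original ruleset, reordered ruleset)}."""
    orig, reord = parse_rules(ORIGINAL), parse_rules(REORDERED)
    return {n: (evaluate(orig, r)[0], evaluate(reord, r)[0]) for n, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        for label, conf in (("original", ORIGINAL), ("reordered", REORDERED)):
            print("%-14s %-9s -> %s  (%s)" % (name, label, *evaluate(parse_rules(conf), req)))
```

Under the posted order the Basic login is stopped at "http_access deny !INTERNET_ACCESS": the group helper returns ERR for it, the negation turns that into a match, and the allow lines are never reached. The reordering lets it through on "allow INTERNET_ACCESS_LDAP". The model also shows the cost of that change: because proxy_auth REQUIRED matches any authenticated user, a Negotiate login that is in neither group (KERB_OUTSIDER) is denied by the original rules but allowed by the reordered ones. Restricting that case needs the group helper to accept both kinds of login rather than more http_access lines.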
Received on Wed Aug 11 2010 - 13:02:42 MDT

This archive was generated by hypermail 2.2.0 : Fri Aug 13 2010 - 12:00:02 MDT