[squid-users] Re: ext_kerberos_ldap_group_acl - how to ?

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 8 Feb 2013 18:25:00 -0000

Have you looked at the man pages?

NAME
       ext_kerberos_ldap_group_acl - Squid LDAP external acl group helper for
       Kerberos or NTLM credentials.

       Version 1.3.0sq

SYNOPSIS
       ext_kerberos_ldap_group_acl [-h] [-d] [-i] [-s] [-a] [-D Realm]
       [-N Netbios-Realm-List] [-m Max-Depth] [-u Ldap-User] [-p Ldap-Password]
       [-b Ldap-Bind-Path] [-l Ldap-URL] [-S ldap server list]
       -g Group-Realm-List -t Hex-Group-Realm-List -T Hex-Group-Hex-Realm-List

DESCRIPTION
       ext_kerberos_ldap_group_acl is an installed binary and allows Squid to
       connect to a LDAP directory to authorize users via LDAP groups. Options
       are specified as parameters on the command line, while the usernames
       (e.g. user, user@REALM, NDOMAIN\user) to be checked against the LDAP
       directory are specified on subsequent lines of input to the helper, one
       username per line.

       ext_kerberos_ldap_group_acl will determine the ldap server name from
       DNS SRV and/or A records or a local hosts file (e.g. for the Kerberos
       Realm SUSE.HOME it will look for an SRV record _ldap._tcp.SUSE.HOME and
       an A record SUSE.HOME or a SUSE.HOME hosts entry). If no domain
       information is available from the username the LDAP server will be
       determined through the command line options.

       ext_kerberos_ldap_group_acl requires as a minimum the -g, -t or -T
       option which provides the LDAP group name the user has to belong to.
       For Active Directory a recursive group lookup is implemented until a
       max depth specified by -m depth. For other LDAP servers an RFC2307bis
       schema of groups is assumed.

       Different group names can be specified for different domains using a
       group@domain syntax. As expected by the external_acl_type construct of
       Squid, after specifying a username and group followed by a new line,
       this helper will produce either OK or ERR on the following line to show
       if the user is a member of the specified group.

OPTIONS
       -h     Display the binary help and command line syntax info using
              stderr.

       -d     Write debug messages to stderr.

       -i     Write informational messages to stderr.

       -s     Use SSL for the LDAP connection.

              The CA certificate file can be set via the environment
              variable TLS_CACERTFILE (default /etc/ssl/certs/cert.pem)
              (OpenLDAP).

              The SSL certificate database can be set via the environment
              variable SSL_CERTDBPATH (default /etc/certs) (Sun and
              Mozilla LDAP SDK).

       -a     Allow SSL without certificate verification.

       -D Realm
              Default Kerberos domain to use for usernames which do not
              contain domain information (e.g. for users using basic
              authentication).

       -N Netbios-Realm-List
              A list of Netbios name mappings to Kerberos domain names of
              the form Netbios-Name@Kerberos-Realm[:Netbios-Name@Kerberos-Realm]
              (e.g. for users using NTLM authentication).

       -m Max-Depth
              Maximal depth of recursive group search.

       -u Ldap-User
              Username for LDAP server.

       -p Ldap-Password
              Password for LDAP server.

              As the password needs to be printed in plain text in your
              Squid configuration it is strongly recommended to use an
              account with minimal associated privileges. This is to limit
              the damage in case someone could get hold of a copy of your
              Squid configuration file or extracts the password used from
              a process listing.

       -b Ldap-Bind-Path
              LDAP server bind path.

       -l Ldap-URL
              LDAP server URL in the form ldap[s]://server:port

       -S ldap server list
              List of ldap servers of the form
              lserver|lserver@|lserver@Realm[:lserver@|lserver@Realm]

       -g Group-Realm-List
              A list of group names per Kerberos domain of the form
              Group|Group@|Group@Realm[:Group@|Group@Realm]

       -t Hex-Group-Realm-List
              A list of group names per Kerberos domain of the form
              Group|Group@|Group@Realm[:Group@|Group@Realm] where group
              is in UTF-8 hex format

       -T Hex-Group-Hex-Realm-List
              A list of group names per Kerberos domain of the form
              Group|Group@|Group@Realm[:Group@|Group@Realm] where group
              and domain are in UTF-8 hex format

CONFIGURATION
       This helper is intended to be used as an external_acl_type helper in
       squid.conf.

       external_acl_type kerberos_ldap_group1 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl -g GROUP1
       external_acl_type kerberos_ldap_group2 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl -g GROUP2
       acl group1 external kerberos_ldap_group1
       acl group2 external kerberos_ldap_group2

       NOTE: The following squid startup file modification may be required:
       Add the following lines to the squid startup script to point squid to a
       keytab file which contains the HTTP/fqdn service principal for the
       default Kerberos domain. The fqdn must be the proxy name set in IE or
       firefox. You can not use an IP address.

       KRB5_KTNAME=/etc/squid/HTTP.keytab
       export KRB5_KTNAME

       If you use a different Kerberos domain than the machine itself is in,
       you can point squid to the separate Kerberos config file by setting the
       following environment variable in the startup script.

       KRB5_CONFIG=/etc/krb5-squid.conf
       export KRB5_CONFIG

       ext_kerberos_ldap_group_acl will determine automagically the right ldap
       server. The following method is used:

       1) For user@REALM
          a) Query DNS for SRV record _ldap._tcp.REALM
          b) Query DNS for A record REALM
          c) Use LDAP_URL if given

       2) For user
          a) Use domain -D REALM and follow step 1)
          b) Use LDAP_URL if given

       The Groups to check against are determined as follows:

       1) For user@REALM
          a) Use values given by -g option which contain a @REALM,
             e.g. -g GROUP1@REALM:GROUP2@REALM
          b) Use values given by -g option which contain a @ only,
             e.g. -g GROUP1@:GROUP2@
          c) Use values given by -g option which do not contain a realm,
             e.g. -g GROUP1:GROUP2

       2) For user
          a) Use values given by -g option which do not contain a realm,
             e.g. -g GROUP1:GROUP2

       3) For NDOMAIN\user
          a) Use realm given by -N NDOMAIN@REALM and then use values given by
             -g option which contain a @REALM, e.g. -g GROUP1@REALM:GROUP2@REALM

       To support non-ASCII characters use -t GROUP or -t GROUP@REALM instead
       of -g, where GROUP is the hex UTF-8 representation, e.g.

          -t 6d61726b7573 instead of -g markus

       The REALM must still be based on the ASCII character set. If REALM
       also contains non-ASCII characters use -T GROUP@REALM where GROUP and
       REALM are hex UTF-8 representations, e.g.

          -T 6d61726b7573@57494e3230303352322e484f4d45 instead of -g markus@WIN2003R2.HOME

       For a translation of hex UTF-8 see for example
       http://www.utf8-chartable.de/unicode-utf8-table.pl

       The ldap server list can be:

       server - In this case server can be used for all Kerberos domains
       server@ - In this case server can be used for all Kerberos domains
       server@domain - In this case server can be used for Kerberos domain domain
       server1a@domain1:server1b@domain1:server2@domain2:server3@:server4 - A list is built with a colon as separator
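The following is an added example (not code from the Squid helper or its man page) that models two things described above: the hex UTF-8 form that -t/-T expect, and which entries of a -g list apply to a user@REALM, NDOMAIN\user or bare login. The ordering of candidates and the case-insensitive realm comparison are assumptions of this example.

```python
from typing import Dict, List


def hex_utf8(name: str) -> str:
    """UTF-8 encode a group or realm name and render it as hex, as -t/-T expect."""
    return name.encode("utf-8").hex()


def hex_group_arg(group: str, realm: str = "") -> str:
    """Build the value for -t (group in hex, ASCII realm kept) or -T (both hex)."""
    if not realm:
        return hex_utf8(group)
    return f"{hex_utf8(group)}@{hex_utf8(realm)}"


def parse_netbios_map(netbios_list: str) -> Dict[str, str]:
    """Parse the -N value Netbios-Name@Realm[:Netbios-Name@Realm] into a dict."""
    pairs = [e.split("@", 1) for e in netbios_list.split(":") if "@" in e]
    return {nb: realm for nb, realm in pairs}


def select_groups(login: str, group_list: str, netbios_list: str = "") -> List[str]:
    """Candidate groups from a -g list for user@REALM, NDOMAIN\\user or user.

    Returns bare group names in the order the man page lists them:
    realm-specific (GROUP@REALM), then any-realm (GROUP@), then realm-less
    (GROUP). Realms are compared case-insensitively here; that is an
    assumption of this example, not something the man page states.
    """
    entries = [e for e in group_list.split(":") if e]
    specific = [e.rsplit("@", 1) for e in entries if "@" in e and not e.endswith("@")]
    any_realm = [e[:-1] for e in entries if e.endswith("@")]
    realmless = [e for e in entries if "@" not in e]

    def for_realm(realm: str) -> List[str]:
        return [g for g, r in specific if r.upper() == realm.upper()]

    if "\\" in login:                         # rule 3: NDOMAIN\user, realm via -N
        ndomain = login.split("\\", 1)[0]
        realm = parse_netbios_map(netbios_list).get(ndomain)
        return for_realm(realm) if realm else []
    if "@" in login:                          # rule 1: user@REALM
        return for_realm(login.split("@", 1)[1]) + any_realm + realmless
    return realmless                          # rule 2: bare user


if __name__ == "__main__":
    # Constructed sample values mirroring the man page's -t/-T illustration.
    print(hex_group_arg("markus"), hex_group_arg("markus", "WIN2003R2.HOME"))
    print(select_groups("joe@SUSE.HOME", "GROUP1@SUSE.HOME:ALL@:GROUP3"))
```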

AUTHOR
       This program was written by Markus Moeller
       <markus_moeller@compuserve.com>

       This manual was written by Markus Moeller
       <markus_moeller@compuserve.com>

COPYRIGHT
       This program and documentation is copyright to the authors named
       above.

       Distributed under the GNU General Public License (GNU GPL) version 2
       or later (GPLv2+).

QUESTIONS
       Questions on the usage of this program can be sent to the Squid Users
       mailing list <squid-users@squid-cache.org>

REPORTING BUGS
       Bug reports need to be made in English. See
       http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
       you need to include with your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs
       <squid-bugs@squid-cache.org>

       Report ideas for new improvements to the Squid Developers mailing list
       <squid-dev@squid-cache.org>

SEE ALSO
       squid(8) negotiate_kerberos_auth(8)
       RFC1035 - Domain names - implementation and specification,
       RFC2782 - A DNS RR for specifying the location of services (DNS SRV),
       RFC2254 - The String Representation of LDAP Search Filters,
       RFC2307bis - An Approach for Using LDAP as a Network Information
       Service http://www.padl.com/~lukeh/rfc2307bis.txt,
       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/

                                                ext_kerberos_ldap_group_acl(8)

"Kris Glynn" <kris.glynn_at_virginaustralia.com> wrote in message
news:C0BFCFE42E56BB43ACEC98F3F0088FA1285756C0_at_empexcemxprd01.virginblue.internal...
Hi,

I can not for the life of me work out how to use ext_kerberos_ldap_group_acl
with squid 3.2.6

I have authentication with negotiate_kerberos_auth working fine but I also
want authorisation helper for group membership.

Relevant squid.conf config below..

# Kerberos Auth
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 40
auth_param negotiate keep_alive on

# Group ACL Helper
external_acl_type ldap_group ttl=60 negative_ttl=60 %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -d -g ALL@ -D my.internal

What is the ALL@ for ? Does someone have a working config against Windows
2008 AD/LDAP ?

To be honest, at the moment I am using this external helper
ext_wbinfo_group_acl which is working fine..

external_acl_type ldap_group ttl=300 children-max=50 children-startup=40
%LOGIN /usr/lib64/squid/ext_wbinfo_group_acl -K

.. but is ext_kerberos_ldap_group_acl better or should I leave authorisation
up to ext_wbinfo_group_acl since I have it working?

Is either better than the other?

Thanks
Kris

Received on Fri Feb 08 2013 - 18:25:23 MST
