L.P.H. van Belle
2016-Feb-01 13:02 UTC
[Samba] [squid-users] ext_ldap_group_acl not working
Same as on the squid keytab file:

chown root:squid /etc/squid3/ldappass.txt
chmod 440 /etc/squid3/ldappass.txt

Greetz,

> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of alesironi
> Sent: Monday 1 February 2016 13:28
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] ext_ldap_group_acl not working
>
> Amos Jeffries wrote
> > On 1/02/2016 11:40 p.m., Alessandro Sironi wrote:
> >>
> >> Hello everyone
> >>
> >> I'm a newbie regarding SQUID and in general on Linux.
> >> I have an Active Directory environment (Windows Server 2012 R2) and a
> >> Linux Debian 8 Jessie configured in the same network.
> >> My goal is to install SQUID on Debian, integrate with Active Directory
> >> using Kerberos and authorise users to use SQUID based on Active Directory
> >> security group membership lookup.
> >> Long story short, I followed the instructions here
> >> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid
> >>
> >> My test environment:
> >> Active Directory domain: KIDANEMEHRET.LOCAL
> >> test user: KIDANEMEHRET\test-full
> >> Security groups it is a member of: "Internet Users Full", "Internet Users Standard"
> >>
> >> Test done
> >> After having properly configured my test client (Windows 7 joined to the
> >> domain), logged on with the test user KIDANEMEHRET\test-full, configured
> >> internet explorer to use the proxy, what I get every time I try to browse
> >> the internet is a SQUID page telling me Access Denied.
> >>
> >> Quick Analysis
> >> Having a look at access.log and cache.log (see attached), I understand
> >> that user is properly authenticated (I see KIDANEMEHRET\test-full
> >> properly written in each log).
> >> For this reason I suspect the problem is in the authorisation part.
> >>
> >> I try then to run from terminal the program used in SQUID.CONF to check
> >> authorisation (based on the wiki too); note that I'm running with sudo
> >> otherwise with standard use I get no access to password file:
> >>
> >
> > You need to ensure this test is run as the Squid low-privilege user
> > account. Not as root via sudo. If the access to passwords file is also
> > not working for Squid's low-priv user account that could be the problem.
> >
> >> sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
> >> "dc=kidanemehret,dc=local" -D squid@ -W /etc/squid3/ldappass.txt -f
> >> "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h
> >> domcon.kidanemehret.local test-full Internet%20Users%20Full
> >> Do not get any result: waiting for minutes...
> >>
> >
> > Add the -d option for debug output about what the helper is doing during
> > those minutes.
> >
> > Amos
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at .squid-cache
> > http://lists.squid-cache.org/listinfo/squid-users
>
> That's exactly the problem: if I run the test with normal (i.e.: no sudo), I get
> ERROR: Can Not Read Secret File /etc/squid3/ldappass.txt
> I imagine I have to modify the security on that file, but how? Sorry for the
> dumb question....
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ext-ldap-group-acl-not-working-tp4675816p4675822.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
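A small permission check for the helper's secret file, added here as an example and not part of the thread: it verifies the owner, group and 440 mode that the reply above recommends before the helper is re-run by hand. The owner and group names are parameters, since the group must match the account Squid actually runs its helpers as (the `cache_effective_user` in squid.conf; on Debian's squid3 package that is `proxy` by default, not `squid`); GNU `stat` is assumed, as on the Debian 8 host in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks that a Squid helper secret
# file (e.g. /etc/squid3/ldappass.txt) is owned by OWNER, has group GROUP and
# is exactly mode 440, so the low-privilege helper account can read it while
# no other local user can. Assumes GNU stat (Linux).
#
# check_secret_file FILE OWNER GROUP
# Prints each problem found; returns 0 when all checks pass, 1 otherwise.
check_secret_file() {
    f=$1
    want_owner=$2
    want_group=$3
    rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f is not a regular file"
        return 1
    fi
    owner=$(stat -c %U "$f")
    group=$(stat -c %G "$f")
    mode=$(stat -c %a "$f")
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER: $f is owned by $owner, expected $want_owner"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "GROUP: $f has group $group, expected $want_group (the helper's group)"
        rc=1
    fi
    # Exactly 440: owner and group may read, nobody may write, world gets nothing.
    # A looser mode such as 644 would expose the LDAP bind password to every local user.
    if [ "$mode" != "440" ]; then
        echo "MODE: $f is mode $mode, expected 440"
        rc=1
    fi
    return $rc
}

# Stand-alone usage against the path from the thread (skipped if the file is absent).
# Replace "squid" with the helper account's group if cache_effective_user differs.
[ -f /etc/squid3/ldappass.txt ] && check_secret_file /etc/squid3/ldappass.txt root squid
```

Once the file passes, repeat the helper test as the helper account rather than root (`sudo -u` that user) and with `-d`, as suggested earlier in the thread, so the remaining output reflects what Squid itself will see.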