[Samba] [squid-users] ext_ldap_group_acl not working

L.P.H. van Belle belle at bazuin.nl
Mon Feb 1 13:02:24 UTC 2016


Same as on the squid keytab file:
chown root:squid /etc/squid3/ldappass.txt
chmod 440 /etc/squid3/ldappass.txt

Greetz, 



> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> alesironi
> Sent: Monday 1 February 2016 13:28
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] ext_ldap_group_acl not working
> 
> Amos Jeffries wrote
> > On 1/02/2016 11:40 p.m., Alessandro Sironi wrote:
> >>
> >> Hello everyone
> >>
> >> I'm a newbie regarding SQUID and in general on Linux.
> >> I have an Active Directory environment (Windows Server 2012 R2) and a
> >> Linux Debian 8 Jessie configured in the same network.
> >> My goal is to install SQUID on Debian, integrate with Active Directory
> >> using Kerberos and authorise users to use SQUID based on Active Directory
> >> security group membership lookup.
> >> Long story short, I followed the instructions here
> >>
> >> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid
> >>
> >>
> >> My test environment:
> >> Active Directory domain: KIDANEMEHRET.LOCAL
> >> test user: KIDANEMEHRET\test-full
> >> Security groups which is member of: "Internet Users Full", "Internet
> >> Users Standard"
> >>
> >> Test done
> >> After having properly configured my test client (Windows 7 joined to the
> >> domain), logged on with the test user KIDANEMEHRET\test-full, configured
> >> Internet Explorer to use the proxy, what I get every time I try to browse
> >> the internet is a SQUID page telling me Access Denied.
> >>
> >> Quick Analysis
> >> Having a look at access.log and cache.log (see attached), I understand
> >> that the user is properly authenticated (I see KIDANEMEHRET\test-full
> >> properly written in each log).
> >> For this reason I suspect the problem is in the authorisation part.
> >>
> >> I try then to run from the terminal the program used in SQUID.CONF to check
> >> authorisation (based on the wiki too); note that I'm running with sudo,
> >> otherwise with a standard user I get no access to the password file:
> >>
> >
> > You need to ensure this test is run as the Squid low-privilege user
> > account. Not as root via sudo. If the access to the passwords file is also
> > not working for Squid's low-priv user account that could be the problem.
> >
> >> sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
> >> "dc=kidanemehret,dc=local" -D squid@
> >> -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)
> >> (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h
> >> domcon.kidanemehret.local test-full Internet%20Users%20Full
> >> Do not get any result: waiting for minutes...
> >>
> >
> > Add the -d option for debug output about what the helper is doing during
> > those minutes.
> >
> > Amos
> >
> 
> That's exactly the problem: if I run the test with normal (i.e.: no sudo), I get
> ERROR: Can Not Read Secret File /etc/squid3/ldappass.txt
> I imagine I have to modify the security on that file, but how? Sorry for the
> dumb question....
> 
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ext-ldap-group-acl-not-working-tp4675816p4675822.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
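
An audit of the ownership and mode set by the chown/chmod lines in the reply above, as an added example that is not part of the original thread. The function name `check_secret_file` is hypothetical, the defaults `root` and `squid` are taken from the chown line, and GNU or BusyBox `stat -c` is assumed.

```shell
#!/bin/sh
# Added example: audit the LDAP bind-password file passed to the helper with -W.
# check_secret_file is a hypothetical helper; it assumes `stat -c` (GNU/BusyBox).
# Usage: check_secret_file FILE [OWNER] [GROUP]
# Passes only for a 440-style layout: the group may read the secret,
# the group may not rewrite it, and other local users get nothing.
check_secret_file() {
    file=$1
    want_owner=${2:-root}
    want_group=${3:-squid}
    rc=0

    if [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file" >&2
        return 2
    fi

    owner=$(stat -c %U "$file")
    group=$(stat -c %G "$file")
    perm=$(stat -c %a "$file")      # octal digits, e.g. 440
    mode=$((0$perm))                # leading 0: the shell reads it as octal

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner" >&2; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group" >&2; rc=1
    fi
    if [ $((mode & 007)) -ne 0 ]; then
        echo "FAIL: mode $perm exposes the bind password to all local users" >&2; rc=1
    fi
    if [ $((mode & 040)) -eq 0 ]; then
        echo "FAIL: mode $perm gives the group no read access" >&2; rc=1
    fi
    if [ $((mode & 020)) -ne 0 ]; then
        echo "FAIL: mode $perm lets the group rewrite the secret" >&2; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file is $owner:$group mode $perm"
    return "$rc"
}
```

Call it as `check_secret_file /etc/squid3/ldappass.txt`; a pass covers only ownership and mode, so the helper still has to be run under the low-privilege Squid account rather than through sudo.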
