[Samba] [squid-users] ext_ldap_group_acl not working
L.P.H. van Belle
belle at bazuin.nl
Mon Feb 1 13:02:24 UTC 2016
Same as on the squid keytab file:
chown root:squid /etc/squid3/ldappass.txt
chmod 440 /etc/squid3/ldappass.txt
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of
> Sent: Monday 1 February 2016 13:28
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] ext_ldap_group_acl not working
> Amos Jeffries wrote
> > On 1/02/2016 11:40 p.m., Alessandro Sironi wrote:
> >> Hello everyone
> >> I'm a newbie regarding SQUID and in general on Linux.
> >> I have an Active Directory environment (Windows Server 2012 R2) and a
> >> Linux Debian 8 Jessie configured in the same network.
> >> My goal is to install SQUID on Debian, integrate with Active Directory
> >> using Kerberos and authorise users to use SQUID based on Active
> >> asecurity group membership lookup.
> >> Long story short, I followed the instructions here
> >> My test environment:
> >> Active Directory domain: KIDANEMEHRET.LOCAL
> >> test user: KIDANEMEHRET\test-full
> >> Security groups which is member of: "Internet Users Full", "Internet
> >> Users Standard"
> >> Test done
> >> After having properly configured my test client (Windows 7 joined to
> >> domain), logged on with the test user KIDANEMEHRET\test-full,
> >> internet explorer to use the proxy, what I get every time I try to
> >> the internet is a SQUID page telling me Access Denied.
> >> Quick Analysis
> >> Having a look at access.log and cache.log (see attached), I understand
> >> that user is properly authenticated (I see KIDANEMEHRET\test-full
> >> properly written in each log).
> >> For this reason I suspect the problem is in the authorisation part.
> >> I try then to run from terminal the program used in SQUID.CONF to check
> >> authorisation (based on the wiki too); note that I'm running with sudo
> >> otherwise with standard use I get no access to password file:
> > You need to ensure this test is run as the Squid low-privilege user
> > account. Not as root via sudo. If the access to passwords file is also
> > not working for Squid's low-priv user account that could be the problem.
> >> sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
> >> "dc=kidanemehret,dc=local" -D
> > squid@
> > -W /etc/squid3/ldappass.txt -f
> > (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -
> > domcon.kidanemehret.local test-full Internet%20Users%20Full
> >> Do not get any result: waiting for minutes...
> > Add the -d option for debug output about what the helper is doing during
> > those minutes.
> > Amos
> That's exactly the problem: if I run the test with normal (i.e.: no sudo),
> ERROR: Can Not Read Secret File /etc/squid3/ldappass.txt
> I imagine I have to modify the security on that file, but how? Sorry for
> dumb question....
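An added example, not part of the original message or of Squid: a POSIX shell check that the file passed to the helper's -W option has the ownership and mode set by the chown/chmod above (readable by the given group, no access for other). It assumes GNU stat; the function name check_secret is hypothetical.

```shell
#!/bin/sh
# Added example: audit a helper secret file such as /etc/squid3/ldappass.txt.
# check_secret FILE GROUP prints a verdict and returns 0 only when FILE is
# group-owned by GROUP, group-readable, not group-writable, and grants
# nothing to "other". Assumes GNU stat (-c format strings).
check_secret() {
    file=$1
    want_group=$2
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }

    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1 owner=$2 group=$3

    # Keep the last three octal digits (ignores setuid/setgid/sticky).
    perms=$(printf '%03d' "$mode" | sed 's/.*\(...\)$/\1/')
    g=$(echo "$perms" | cut -c2)
    o=$(echo "$perms" | cut -c3)

    rc=0
    # The message above uses root as owner; a different owner is only flagged.
    [ "$owner" = root ] || echo "WARN owner is $owner, not root"
    [ "$group" = "$want_group" ] ||
        { echo "FAIL group is $group, want $want_group"; rc=1; }
    [ $(( g & 4 )) -ne 0 ] ||
        { echo "FAIL group cannot read (mode $perms)"; rc=1; }
    [ $(( g & 2 )) -eq 0 ] ||
        { echo "FAIL group can write (mode $perms)"; rc=1; }
    [ "$o" -eq 0 ] ||
        { echo "FAIL other has access (mode $perms)"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK $file $owner:$group $perms"; fi
    return $rc
}

# Usage: sh check_secret.sh /etc/squid3/ldappass.txt squid
if [ $# -eq 2 ]; then
    check_secret "$1" "$2"
fi
```

The group argument must be a group the account running the Squid helper belongs to; the check inspects the file only and does not verify that membership.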