[squid-users] squid_ldap_group and Squid version 2.5.STABLE1

From: Tim Neto <[email protected]>
Date: Mon, 12 Jan 2004 16:28:17 -0500

Hello,

I have Squid running here at Komatsu Canada with basic LDAP
authentication against a SunONE directory server. My Squid host is a
RedHat 9.0 (Linux 2.4) on a Dell PowerEdge 1650. The Squid version is
the default shipped with RedHat 9.0.

I need to get the LDAP group support enabled. I've read through as
much documentation as I can without my pea-brain exploding, but I keep
getting the following error.

    squid (pid 6251 6249) is running...
    20040112 15:04:09| _*squid.conf line 83: acl kclit_grp ldap_group
    kclit*_
    20040112 15:04:09| _*aclParseAcleLine: Invalid ACL type 'ldap_group'*_
    20040112 15:04:09| squid.conf line 85: http_access allow kclit_ncd
    kclit_grp
    20040112 15:04:09| aclParseAccessLine: ACL name 'kclit_grp' not found.

The error on line 85 I understand is due to the error on line 83. My
santitized configuration file is:

/etc/squid/squid.conf
=================================================================================
# ----------------------------------------------------------------------
http_port 142.230.9.19:80
http_port 192.168.2.250:8888

# ----------------------------------------------------------------------
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

cache_mgr WebMaster@komatsu.ca
# ----------------------------------------------------------------------
auth_param basic program /usr/lib/squid/squid_ldap_auth -h
ldap_server.komcdn.ca -p 489 -P -b o=kc -f "uid=%s"

auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

*external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h
ldap_server.komcdn.ca -p 489 -P -b o=kc -f
"(&(cn=%g)(uniquemember=uid=%u,*)(objectClass=groupOfUniqueNames))"
*
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# ----------------------------------------------------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 81 # Alternate http port.
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# ----------------------------------------------------------------------
# Note: KCL deny rules must exist before any allow rules.
#
acl no_kazaa dstdomain .kazaa.com
acl no_puretracks dstdomain .puretracks.com
acl no_uproar dstdomain .uproar.com
acl no_ncd dstdomain .ncd.com

http_access deny no_kazaa
http_access deny no_puretracks
http_access deny no_uproar
#
# block the test domain from all users.
http_access deny no_ncd

# ----------------------------------------------------------------------
# KCL Defined ACL's and http_access definitions.
acl kc_networks src 192.168.2.0/8
acl kc_users proxy_auth REQUIRED
acl dmz_networks src 142.230.9.17/28

# allow only this test domain for IT test group
acl kcit_ncd dstdomain .ncd.com

*acl kcit_grp ldap_group kcit*

*http_access allow kcit_ncd kcit_grp
*http_access allow kc_networks kc_users

# ----------------------------------------------------------------------
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all

# ----------------------------------------------------------------------
httpd_accel_host dmz_host.kc.ca
httpd_accel_port 8000
httpd_accel_single_host on
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# ----------------------------------------------------------------------
coredump_dir /var/spool/squid
=================================================================================

If you count the lines in the file above, the count will not reflect the
lines listed in the error message. I have removed some acl definitions
that are for Komatsu Canada only. IP and port numbers are changed to
perserve security.

I've tested the ldap filters defined for the squid_ldap_group plug-in.
I tested the filter with SunONE's ldapsearch command. I get an expected
results for positive and negative queries. The Linux host can access
the LDAP server. The auth_param defined logic does work. My users are
getting challenged and appropriately authenticated.

Does anyone know if the "external_acl_type" directive works with Squid
2.5.STABLE1? Am I pissing in the wind here. Does anyone have it
working? I read that some are trying to use squid_ldap_group in the
user lists, but I do not sense too much success. (Note, the man page
in RedHat 9.0 for squid_ldap_group sucks. It is too terse. And, it
has typo's. "gorup"???)

Any help would be greatly appreciated.

Thanks.

Tim

-- 
----------------------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer              Komatsu Canada Limited
Ph#: 905-625-6292 x265                 1725B Sismet Road
Fax: 905-625-6348                      Mississauga, Ontario, Canada
E-Mail: tneto@komatsu.ca               L4W 1P9
----------------------------------------------------------------------
Received on Mon Jan 12 2004 - 14:28:17 MST

This archive was generated by hypermail pre-2.1.9 : Sun Feb 01 2004 - 12:00:05 MST