Re: [squid-users] squid_ldap_group authorisation of 2000 AD Groups

From: Oliver Hookins <[email protected]>
Date: Tue, 30 Nov 2004 15:32:34 +1100

Yet more progress... I have also put in some authentication
configuration using squid_ldap_auth. Now, a login box comes up in the
browser and once my username and password is given all is well. Users
not in the Internet group can put in their username and password but are
denied access after that.

Here's the real question - is it actually possible to have group
AUTHORISATION without requiring the user to enter any login details
(AUTHENTICATION), i.e. the username comes from Windows or something?

Thanks,
Oliver

Oliver Hookins wrote:
> OK I've sorted out the parameters to use for squid_ldap_group. I have
> this line in squid.conf:
>
> external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b
> cn=Users,dc=domain,dc=local -f
> "(&(cn=%g)(member=%u)(objectClass=group))" -B
> cn=Users,dc=domain,dc=local -F "cn=%s" -D
> cn=Oliver,cn=Users,dc=domain,dc=local -w password 192.168.150.100
>
> This brings back OK when I put in users who are in various groups. For
> example I am in the Internet group so when I enter "Oliver Internet" it
> returns OK. However access through the proxy is now giving me Cache
> Denied Request errors:
>
> The following error was encountered:
>
> Cache Access Denied.
>
> Sorry, you are not currently allowed to request:
>
> http://www.google.com/from this cache until you have authenticated
> yourself.
>
> My other acl lines that control access are below:
>
> acl group1 external ldap_group Internet
> http_access allow group1
>
> What could be going on, since I am definitely a member of the group that
> I am allowing access to?
>
> Regards,
> Oliver
>
> Oliver Hookins wrote:
>
>> I'm trying to authorise users of the proxy by determining if they are
>> a member of a certain Active Directory group or not. Yes, I've read
>> the documentation, FAQ, mailing list archives and man pages but it is
>> still confusing to me. The version in question is 2.5STABLE3.
>>
>> On the 2000 domain controller I have standard users in the Users
>> container. The authorised internet users will also be a member of a
>> group called Internet. So far I've been using ldapsearch to verify
>> what sort of information will be coming out of the LDAP but I find it
>> hard to make this correspond to the parameters I'm putting into
>> squid_ldap_group.
>>
>> For example, here's an ldapsearch line that will give me the Internet
>> group back with a list of members:
>>
>> ldapsearch -x -b cn=Internet,cn=Users,dc=domain,dc=local -D
>> cn=Administrator,cn=Users,dc=domain,dc=local -W -h 192.168.150.100
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=Internet,cn=Users,dc=domain,dc=local> with scope sub
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # Internet, Users, domain.local
>> dn: CN=Internet,CN=Users,DC=domain,DC=local
>> member: CN=Cameron,CN=Users,DC=domain,DC=local
>> member: CN=Oliver,CN=Users,DC=domain,DC=local
>> cn: Internet
>> groupType: -2147483646
>> instanceType: 4
>> distinguishedName: CN=Internet,CN=Users,DC=domain,DC=local
>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=local
>> objectClass: top
>> objectClass: group
>> objectGUID:: I6No/vayb0iE8uD6mxvtzg==
>> objectSid:: AQUAAAAAAAUVAAAAPeMITdvrDFCoN9ZlVAYAAA==
>> name: Internet
>> sAMAccountName: Internet
>> sAMAccountType: 268435456
>> uSNChanged: 746952
>> uSNCreated: 742415
>> whenChanged: 20041128224030.0Z
>> whenCreated: 20041126041439.0Z
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> How do I turn this into a useful line for squid_ldap_group? I've tried
>> the following with no success:
>>
>> /usr/lib/squid/squid_ldap_group -b cn=Users,dc=domain,dc=local -f
>> "(&(name=%g)(member=%u)(objectClass=group))" -D
>> cn=Administrator,cn=Users,dc=domain,dc=local 192.168.150.100
>>
>> Oliver Internet
>> ERR
>> CN=Oliver,CN=Users,DC=domain,DC=local Internet
>> ERR
>>
>> Also the fact that 2000 doesn't allow you to view what is going on
>> with the LDAP queries makes it even harder. Any help will be greatly
>> appreciated.
>>
>> Regards,
>> Oliver
>>
>
>
> This communication is intended only for the person or entity to which it
> is addressed and may contain confidential and/or privileged material.
> Any review, retransmission, dissemination or other use of, or taking any
> action in reliance on, this communication by persons or entities other
> than the intended recipient is prohibited. Exhibition IT Services Pty
> LTD makes no express or implied representation or warranty that this
> electronic communication or any attachment is free from computer viruses
> or other defects or conditions which could damage or interfere with the
> recipients data, hardware or software. This communication and any
> attachment may have been modified or otherwise interfered with in the
> course of transmission.
>

This communication is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking any action in reliance on, this communication by persons or entities other than the intended recipient is prohibited. Exhibition IT Services Pty LTD makes no express or implied representation or warranty that this electronic communication or any attachment is free from computer viruses or other defects or conditions which could damage or interfere with the recipients data, hardware or software. This communication and any attachment may have been modified or otherwise interfered with in the course of transmission.
Received on Mon Nov 29 2004 - 21:33:15 MST

This archive was generated by hypermail pre-2.1.9 : Wed Dec 01 2004 - 12:00:02 MST