Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
N
N
Nikolai Savelyev2017-05-12 05:48:57
Squid
Nikolai Savelyev, 2017-05-12 05:48:57

How to defeat periodic Access Denid in squida?

I configure squid with kerberos authentication. All computers in the freeipa domain. According to the documentation, I made the necessary keytab.

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s HTTP/squid01.example.com

Authentication passes, everything is fine.
Next, I need to delimit access to the Internet.
external_acl_type ipa_inet_full ttl=300 negative_ttl=60 ipv4 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -a -d -g [email protected] -D example.com

And then dances with a tambourine begin. For the most part, the helper correctly determines the user's belonging to a group, but periodically issues an ERR and then access is lost for a minute. Then it works again.
Since in the logs at this moment we see a whack for the authenticated user, then the point is in the helper.
How to overcome?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
N
Nikolay Savelyev, 2017-05-16
@nikweter

In general, I solved the issue. It was not a helper at all, but a crooked freeipa setting. There is some kind of compat mode, it is not clear why it is needed. So ... When migrating to freeipa from openldap, openfire didn’t want to pull users from there - supposedly they are duplicated (which is true, since users in freeipa are stored in two branches -

cn=users,cn=accounts,cn=domain,cn=lan и cn=users,cn=compat,cn=domain,cn=lan
). I disabled this mode on one server. For some reason, helpers on this server began to check ownership only by the user's GID, and all other groups were ignored, although ldapsearch worked fine. Where the mode is enabled everything is OK. I did not create a normal ldap filter for openfire - too lazy. Just pointed out:
/lib64/squid/ext_kerberos_ldap_group_acl -a -g [email protected] -D fs.lan -S "dc.fs.lan dc2.fs.lan dc4.fs.lan"

As I understand it, getting ERR on the first server, the helper climbs further down the list. The remaining 2 work correctly, so everything is fine. Maybe later I will make openfire with ipa-compat-manage enable work.

Report
B
bugs bunny, 2017-05-12
@yoga655

auth_param negotiate children - possibly missing. Or AD can't handle the flow of requests.

Similar questions
K
Konstantin2017-07-28 10:12:42
Read error. The system returned: 104 connection reset by peer. Why? 0Reply
A
AndreyTT2015-09-03 09:35:01
Which user should run the proxy server as and which user should own the /etc/squid3 folder? 1Reply
I
Ivan Semenov2017-08-17 07:31:02
How to pass headers from dansguardian to squid? 1Reply
I
I_AM_SHEF2020-02-03 17:51:52
Long loading squid pages? 0Reply
G
Godless2020-02-28 11:52:23
SquidGuard or equivalent with support for groups in ActiveDirectory via LDAPS? 3Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question