Re: helper protocol in 3.4

2013-08-23 Thread Markus Moeller
Hi Amos,

   I have a very new update to the negotiate helper which should make it 
unnecessary to do any LDAP group lookups for MS Active Directory environments.  
It would require the new protocol, and I would appreciate it if you could let 
me know how to read the kv pairs in an external ACL helper I still need to 
write.

   As you may know, MS adds SIDs of the groups to a Kerberos ticket. I can now 
extract these groups as base64 encoded strings, which just need to be 
compared in the external ACL helper.

  Here is an example debug output: 

negotiate_kerberos_pac.cc(358): pid=8653 :2013/08/23 12:39:26| 
negotiate_kerberos_auth: INFO: Got PAC data of lengh 512
negotiate_kerberos_pac.cc(177): pid=8653 :2013/08/23 12:39:26| 
negotiate_kerberos_auth: INFO: Found 5 rids
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| 
negotiate_kerberos_auth: Info: Got rid: 513
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| 
negotiate_kerberos_auth: Info: Got rid: 1132
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| 
negotiate_kerberos_auth: Info: Got rid: 1141
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| 
negotiate_kerberos_auth: Info: Got rid: 1207
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| 
negotiate_kerberos_auth: Info: Got rid: 1142
negotiate_kerberos_pac.cc(247): pid=8653 :2013/08/23 12:39:26| 
negotiate_kerberos_auth: INFO: Got DomainLogonId 
S-1-5-21-1828870822-1098772068-2592627279
negotiate_kerberos_pac.cc(268): pid=8653 :2013/08/23 12:39:26| 
negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
negotiate_kerberos_pac.cc(316): pid=8653 :2013/08/23 12:39:26| 
negotiate_kerberos_auth: INFO: Got ExtraSid 
S-1-5-21-1828870822-1098772068-2592627279-1107
negotiate_kerberos_pac.cc(438): pid=8653 :2013/08/23 12:39:26| 
negotiate_kerberos_auth: INFO: Read 512 of 512 bytes
negotiate_kerberos_auth.cc(431): pid=8653 :2013/08/23 12:39:26| 
negotiate_kerberos_auth: DEBUG: Groups 
group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiaAQIAAA== 
group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiabAQAAA== 
group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiadQQAAA== 
group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiatwQAAA== 
group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiadgQAAA== 
group=AQUAAAAAAAUVAAAAploCbWTufUFPWoiaUwQAAA==
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== m...@win2003r2.home
negotiate_kerberos_auth.cc(436): pid=8653 :2013/08/23 12:39:26| 
negotiate_kerberos_auth: DEBUG: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== 
m...@win2003r2.home


As you can see, I create a list of base64 encoded SIDs (I have also attached 
some code to convert them, if you want to). 

e.g. ./convert_sid AQUAAAAAAAUVAAAAploCbWTufUFPWoiadgQAAA==
argc: 2 argv: AQUAAAAAAAUVAAAAploCbWTufUFPWoiadgQAAA==
S-1-5-21-1828870822-1098772068--1702340017-1142


To configure an external ACL helper an administrator needs to list the groups 
of a user (MS only adds security groups to the ticket, AFAIK). As an example, my 
mm id has:

ldapsearch -H ldap://w2k3r2.win2003r2.home:389 -s sub -b DC=WIN2003R2,DC=HOME 
'(samaccountname=mm)' memberof
SASL/GSSAPI authentication started
SASL username: m...@win2003r2.home
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base DC=WIN2003R2,DC=HOME with scope subtree
# filter: (samaccountname=mm)
# requesting: memberof
#

# Markus Moeller, HomeUsers, win2003r2.home
dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
memberOf:: Q0490L/QtdGB0L3RjyxPVT1Hcm91cHMsREM9d2luMjAwM3IyLERDPWhvbWU=
memberOf: CN=Group2,OU=Groups,DC=win2003r2,DC=home
memberOf: CN=Group1,OU=Groups,DC=win2003r2,DC=home
memberOf: CN=Administrators,CN=Builtin,DC=win2003r2,DC=home

# search reference
ref: ldap://ForestDnsZones.win2003r2.home/DC=ForestDnsZones,DC=win2003r2,DC=ho
 me

# search reference
ref: ldap://DomainDnsZones.win2003r2.home/DC=DomainDnsZones,DC=win2003r2,DC=ho
 me

# search reference
ref: ldap://win2003r2.home/CN=Configuration,DC=win2003r2,DC=home

# search result
search: 5
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

For example, the objectSid (this is what is in the Kerberos ticket) is also 
base64 encoded in LDAP (this is why I chose to use the encoded form, to make the 
helper a cut-and-paste exercise). 

ldapsearch -H ldap://w2k3r2.win2003r2.home:389 -s sub -b DC=WIN2003R2,DC=HOME 
'(cn=Group2)' objectsid
SASL/GSSAPI authentication started
SASL username: m...@win2003r2.home
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base DC=WIN2003R2,DC=HOME with scope subtree
# filter: (cn=Group2)
# requesting: objectsid
#

# Group2, Groups, win2003r2.home
dn: CN=Group2,OU=Groups,DC=win2003r2,DC=home
objectSid:: AQUAAAAAAAUVAAAAploCbWTufUFPWoiadgQAAA==

# search reference
ref: ldap://ForestDnsZones.win2003r2.home/DC=ForestDnsZones,DC=win2003r2,DC=ho
 me

# search reference
ref: ldap://DomainDnsZones.win2003r2.home/DC=DomainDnsZones,DC=win2003r2,DC=ho
 me

# search reference
ref: ldap://win2003r2.home/CN=Configuration,DC=win2003r2,DC=home

# search result
search: 
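
Both ends of the exchange described in this message, as an added example that is not code from this thread or from the Squid helpers: the auth-helper side emits one group= kv-pair per PAC group in the 3.4 kv-pair reply style (the token= and user= key names are an assumption here), and a minimal external ACL helper takes an allow list pasted straight from ldapsearch (either the S-1-5-... text or the base64 objectSid:: value) and answers OK or ERR. The request-line layout the external ACL helper receives ('<channel-id> <login> group=... group=...') is an assumption, since how Squid forwards the annotations is the open question of this thread; the domain SID and RIDs are the ones in the debug output above, and the login name is assumed from the samaccountname. The encoder and decoder also carry the check a converter needs: a binary SID is 8 bytes plus 4 per sub-authority, and the sub-authorities are unsigned 32-bit little-endian, so a signed read renders 2592627279 as -1702340017.

```python
import base64
import struct
import sys

# Domain SID and RIDs exactly as the helper logged them in the debug output above.
DOMAIN_SID = "S-1-5-21-1828870822-1098772068-2592627279"
PAC_RIDS = [513, 1132, 1141, 1207, 1142]
EXTRA_SIDS = [DOMAIN_SID + "-1107"]

def sid_to_bytes(sid):
    """Text SID -> binary layout of objectSid and the PAC: revision, sub-authority
    count, 48-bit big-endian authority, then UNSIGNED 32-bit LE sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("unsupported SID: %r" % sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(raw):
    """Binary SID -> text; rejects a blob whose length disagrees with its count."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID: %d bytes for %d sub-authorities" % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])  # '<I': unsigned, as the format requires
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def sid_to_b64(sid):
    return base64.b64encode(sid_to_bytes(sid)).decode("ascii")

def sid_from_b64(text):
    return sid_from_bytes(base64.b64decode(text, validate=True))

def subauths_read_as_signed(text):
    """Same bytes read with '<i' (signed): the slip that turns 2592627279 negative."""
    raw = base64.b64decode(text, validate=True)
    return list(struct.unpack("<%di" % raw[1], raw[8:]))

def auth_helper_reply(token_b64, user, domain_sid, rids, extra_sids):
    """Auth-helper side: one group= kv-pair per PAC group, 3.4 kv-pair style.
    The token= and user= key names are an assumption of this example."""
    sids = ["%s-%d" % (domain_sid, r) for r in rids] + list(extra_sids)
    groups = " ".join("group=" + sid_to_b64(s) for s in sids)
    return "OK token=%s user=%s %s" % (token_b64, user, groups)

def allow_set(entries):
    """Allow list as pasted from ldapsearch: 'S-1-5-...' text or the base64
    objectSid:: value. Everything is normalised to validated binary."""
    out = set()
    for e in entries:
        raw = sid_to_bytes(e) if e.startswith("S-") else base64.b64decode(e, validate=True)
        sid_from_bytes(raw)  # structural check for the base64 form too
        out.add(raw)
    return out

def parse_request(line):
    """External ACL request line. ASSUMED format (how Squid hands the group=
    annotations to the helper is the open question): '<channel-id> <login> group=<b64> ...'"""
    tokens = line.split()
    if len(tokens) < 2:
        raise ValueError("short request line: %r" % line)
    groups = [t[len("group="):] for t in tokens[2:] if t.startswith("group=")]
    return tokens[0], tokens[1], groups

def is_member(groups_b64, allowed):
    """True if any ticket group is on the allow list. A value that is not valid
    base64 or not a well-formed SID is skipped, never treated as a match."""
    for g in groups_b64:
        try:
            raw = base64.b64decode(g, validate=True)
            sid_from_bytes(raw)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw in allowed:
            return True
    return False

def handle_line(line, allowed):
    """One request -> one reply: '<channel-id> OK' or '<channel-id> ERR'
    (concurrency enabled, so the channel id is echoed back)."""
    try:
        channel, _login, groups = parse_request(line)
    except ValueError:
        return (line.split() or ["0"])[0] + " ERR"
    return "%s %s" % (channel, "OK" if is_member(groups, allowed) else "ERR")

if __name__ == "__main__":
    # usage: sid_group_acl.py <allowed SID or objectSid base64> ...
    ALLOWED = allow_set(sys.argv[1:])
    for request in sys.stdin:
        sys.stdout.write(handle_line(request.rstrip("\n"), ALLOWED) + "\n")
        sys.stdout.flush()
```

Comparing the validated binary form rather than the base64 text means a value that does not decode to a well-formed SID can never match, and the allow list may mix the text and base64 forms freely. The script is started from an external_acl_type line with concurrency enabled and the allowed SIDs as its arguments; the format tokens that carry the group= annotations are left out here because that is exactly what this thread is asking about.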

Re: helper protocol in 3.4

2013-08-23 Thread Markus Moeller
Apologies, I had a minor error for Heimdal detection.

Markus

Markus Moeller hua...@moeller.plus.com wrote in message 
news:kv7ku6$e5f$1...@ger.gmane.org...
Re: helper protocol in 3.4

2013-08-18 Thread Markus Moeller

Hi Amos,

  I may have a helper for that case soon.

Thank you
Markus

Amos Jeffries squ...@treenet.co.nz wrote in message 
news:52106190.2030...@treenet.co.nz...

Re: helper protocol in 3.4

2013-08-17 Thread Amos Jeffries

On 18/08/2013 9:32 a.m., Markus Moeller wrote:

Hi,

I am looking at a way to provide information in addition to the username 
from the auth helper to the external acl helper


Can I use kv pairs in squid 3.4 ?  I see there is a kv pair group= . 
Does it mean the auth helper can return details which will be used by 
the external acl helper ?


Thank you
Markus



Yes kv-pairs are supported in 3.4.

I reserved group= so the auth helper can do exactly that. For usage in 
either external ACL helpers, or in a group type ACL. However, at 
present the internal parts of Squid do not exist to do anything with it.
The planned definition is to have helpers return one group= kv-pair 
for each group the auth helper can identify and attach them as 
annotation data to the credentials pair.


Amos