Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-14 Thread Martin Kosek
On 03/13/2013 11:02 PM, Natxo Asenjo wrote:
 On Wed, Mar 13, 2013 at 10:45 PM, Dale Macartney
 d...@themacartneyclan.com wrote:
 I've just deployed a RHEL 6.4 proxy and the guide is still accurate and
 works.. however I agree a config file would be a better place for the
 options. Both work at the end of the day.
 
 yes, the guide is accurate, but upgrading to meet a bunch of angry
 users is not nice ;-)
 
 I'm more curious as to why your squid init script was replaced instead
 of the usual scenario of having the new file saved as .rpmsave.
 
 beats me. Anyway, config stuff should go in /etc/sysconfig, period ;-)
 ; we should not be touching the init scripts. The init scripts source
 the files in /etc/sysconfig/*
 
 By the way, I came across http://squidkerbauth.sourceforge.net/
 squid_kerb_ldap to allow/block stuff in the proxy depending on ldap
 group membership. I have not tested it yet, but will post it if(when)
 I get it working.
 You can also check out SquidGuard, which is available in EPEL.
 
 ha, squid_kerb_ldap is not a proxy, it is an authenticator for squid
 and what it does is verify the group membership of the users so you
 can build ACLs based on that.
 
 squidguard is nice. I like privoxy too ;-)
 
 I've written an article for Active Directory, however it is just as easy
 to use it with IPA.
 https://www.dalemacartney.com/2012/07/06/web-proxy-filtering-with-squidguard-using-active-directory-group-memberships/
 
 cool, thanks.
 

Hi guys,

Dale, do you plan to update the howto on FreeIPA wiki to fix the configuration
section? If not, I can try to update it myself. I agree with Natxo that having
the configuration in /etc/sysconfig/squid is safer than having it hacked in the
init script.

Thanks both for sharing this info btw :-)

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-14 Thread Dale Macartney



On 03/14/2013 08:07 AM, Martin Kosek wrote:
 On 03/13/2013 11:02 PM, Natxo Asenjo wrote:
 On Wed, Mar 13, 2013 at 10:45 PM, Dale Macartney
 d...@themacartneyclan.com wrote:
 I've just deployed a RHEL 6.4 proxy and the guide is still accurate and
 works.. however I agree a config file would be a better place for the
 options. Both work at the end of the day.

 yes, the guide is accurate, but upgrading to meet a bunch of angry
 users is not nice ;-)

 I'm more curious as to why your squid init script was replaced instead
 of the usual scenario of having the new file saved as .rpmsave.

 beats me. Anyway, config stuff should go in /etc/sysconfig, period ;-)
 ; we should not be touching the init scripts. The init scripts source
 the files in /etc/sysconfig/*

 By the way, I came across http://squidkerbauth.sourceforge.net/
 squid_kerb_ldap to allow/block stuff in the proxy depending on ldap
 group membership. I have not tested it yet, but will post it if(when)
 I get it working.
 You can also check out SquidGuard, which is available in EPEL.

 ha, squid_kerb_ldap is not a proxy, it is an authenticator for squid
 and what it does is verify the group membership of the users so you
 can build ACLs based on that.

 squidguard is nice. I like privoxy too ;-)

 I've written an article for Active Directory, however it is just as easy
 to use it with IPA.
 https://www.dalemacartney.com/2012/07/06/web-proxy-filtering-with-squidguard-using-active-directory-group-memberships/

 cool, thanks.


 Hi guys,

 Dale, do you plan to update the howto on FreeIPA wiki to fix the configuration
 section? If not, I can try to update it myself. I agree with Natxo that having
 the configuration in /etc/sysconfig/squid is safer than having it hacked in the
 init script.

 Thanks both for sharing this info btw :-)

 Martin
Yes mate,
I've literally just walked into the office and connected to vpn. Will be
updating momentarily.

Dale





Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-14 Thread Dale Macartney



On 03/14/2013 08:11 AM, Dale Macartney wrote:


 On 03/14/2013 08:07 AM, Martin Kosek wrote:
  On 03/13/2013 11:02 PM, Natxo Asenjo wrote:
  On Wed, Mar 13, 2013 at 10:45 PM, Dale Macartney
  d...@themacartneyclan.com wrote:
  I've just deployed a RHEL 6.4 proxy and the guide is still accurate and
  works.. however I agree a config file would be a better place for the
  options. Both work at the end of the day.
 
  yes, the guide is accurate, but upgrading to meet a bunch of angry
  users is not nice ;-)
 
  I'm more curious as to why your squid init script was replaced instead
  of the usual scenario of having the new file saved as .rpmsave.
 
  beats me. Anyway, config stuff should go in /etc/sysconfig, period ;-)
  ; we should not be touching the init scripts. The init scripts source
  the files in /etc/sysconfig/*
 
  By the way, I came across http://squidkerbauth.sourceforge.net/
  squid_kerb_ldap to allow/block stuff in the proxy depending on ldap
  group membership. I have not tested it yet, but will post it if(when)
  I get it working.
  You can also check out SquidGuard, which is available in EPEL.
 
  ha, squid_kerb_ldap is not a proxy, it is an authenticator for squid
  and what it does is verify the group membership of the users so you
  can build ACLs based on that.
 
  squidguard is nice. I like privoxy too ;-)
 
  I've written an article for Active Directory, however it is just as easy
  to use it with IPA.
  https://www.dalemacartney.com/2012/07/06/web-proxy-filtering-with-squidguard-using-active-directory-group-memberships/
 
  cool, thanks.
 

  Hi guys,

  Dale, do you plan to update the howto on FreeIPA wiki to fix the configuration
  section? If not, I can try to update it myself. I agree with Natxo that having
  the configuration in /etc/sysconfig/squid is safer than having it hacked in the
  init script.

  Thanks both for sharing this info btw :-)

  Martin
 Yes mate,
 I've literally just walked into the office and connected to vpn. Will be
 updating momentarily.

 Dale
Article updated
http://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On







Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-14 Thread Martin Kosek
On 03/14/2013 09:41 AM, Dale Macartney wrote:
 On 03/14/2013 08:11 AM, Dale Macartney wrote:
 On 03/14/2013 08:07 AM, Martin Kosek wrote:
 On 03/13/2013 11:02 PM, Natxo Asenjo wrote:
...
 Dale, do you plan to update the howto on FreeIPA wiki to fix the configuration
 section? If not, I can try to update it myself. I agree with Natxo that having
 the configuration in /etc/sysconfig/squid is safer than having it hacked in the
 init script.
 
 Thanks both for sharing this info btw :-)
 
 Martin
 Yes mate, I've literally just walked into the office and connected to
 vpn. Will be updating momentarily.
 
 Dale
 Article updated 
 http://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On

 
Great. Thanks!

Martin



Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-14 Thread Natxo Asenjo
On Thu, Mar 14, 2013 at 9:41 AM, Dale Macartney
d...@themacartneyclan.com wrote:
 Article updated
 http://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On

awesome! Thanks,

natxo



Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-13 Thread Dale Macartney



On 03/13/2013 09:20 PM, Natxo Asenjo wrote:
 hi,

 following the howto
 http://freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On
 I had set up squid.

 Tonight running the updates the changes to the init script
 http://freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On#Change_the_.2Fetc.2Finit.d.2Fsquid_startup_script_to_read_in_the_keytab_on_service_start.
 were gone and so the internet was not working. Not nice.

 The howto should specify that the config must come in
 /etc/sysconfig/squid instead. Then the upgrade has no nasty
 consequences. So /etc/sysconfig/squid should look like this:

 # default squid options
 SQUID_OPTS=

 # Time to wait for Squid to shut down when asked. Should not be necessary
 # most of the time.
 SQUID_SHUTDOWN_TIMEOUT=100

 # default squid conf file
 SQUID_CONF=/etc/squid/squid.conf

 # kerberos stuff
 KRB5_KTNAME=/etc/squid/krb5.keytab
 export KRB5_KTNAME

Hi Natxo

I've just deployed a RHEL 6.4 proxy and the guide is still accurate and
works.. however I agree a config file would be a better place for the
options. Both work at the end of the day.

I'm more curious as to why your squid init script was replaced instead
of the usual scenario of having the new file saved as .rpmsave.


 By the way, I came across http://squidkerbauth.sourceforge.net/
 squid_kerb_ldap to allow/block stuff in the proxy depending on ldap
 group membership. I have not tested it yet, but will post it if(when)
 I get it working.
You can also check out SquidGuard, which is available in EPEL.

I've written an article for Active Directory, however it is just as easy
to use it with IPA.
https://www.dalemacartney.com/2012/07/06/web-proxy-filtering-with-squidguard-using-active-directory-group-memberships/




 --
 Groeten,
 natxo


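A post-upgrade check for the setup discussed in the message above, as an added example that is not part of the original thread: it confirms that the sysconfig file really exports `KRB5_KTNAME`, that the keytab exists and is not world-readable, and that the init script carries no local keytab edit. The function name `check_squid_krb` and its messages are hypothetical; both paths are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread). Usage:
#   check_squid_krb /etc/sysconfig/squid /etc/init.d/squid
# Prints one line per problem; returns 0 only when nothing was found.
check_squid_krb() {
    conf=$1 init=$2 rc=0
    case $conf in */*) ;; *) conf=./$conf ;; esac   # "." searches PATH otherwise

    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 2
    fi

    # Source the file the way the init script does, then ask a child process
    # for the value: a child only sees variables that were really exported.
    keytab=$(
        unset KRB5_KTNAME
        . "$conf" >/dev/null 2>&1
        sh -c 'printf %s "$KRB5_KTNAME"'
    )

    if [ -z "$keytab" ]; then
        echo "KRB5_KTNAME is not exported by $conf"
        rc=1
    elif [ ! -f "$keytab" ]; then
        echo "keytab $keytab does not exist"
        rc=1
    elif [ -n "$(find "$keytab" -prune -perm -004)" ]; then
        # The keytab holds the service's long-term key.
        echo "keytab $keytab is world-readable"
        rc=1
    fi

    # A keytab setting edited into the init script is the change that was
    # lost on update in the thread; flag it so it gets moved to sysconfig.
    if [ -n "$init" ] && [ -f "$init" ] && grep -q 'KRB5_KTNAME' "$init"; then
        echo "$init sets KRB5_KTNAME itself; move it to $conf"
        rc=1
    fi
    return $rc
}
```

Running it after each package update (for example from a configuration-management run) catches a lost setting before users do.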

Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-13 Thread Natxo Asenjo
On Wed, Mar 13, 2013 at 10:45 PM, Dale Macartney
d...@themacartneyclan.com wrote:
 I've just deployed a RHEL 6.4 proxy and the guide is still accurate and
 works.. however I agree a config file would be a better place for the
 options. Both work at the end of the day.

yes, the guide is accurate, but upgrading to meet a bunch of angry
users is not nice ;-)

 I'm more curious as to why your squid init script was replaced instead
 of the usual scenario of having the new file saved as .rpmsave.

beats me. Anyway, config stuff should go in /etc/sysconfig, period ;-)
; we should not be touching the init scripts. The init scripts source
the files in /etc/sysconfig/*

 By the way, I came across http://squidkerbauth.sourceforge.net/
 squid_kerb_ldap to allow/block stuff in the proxy depending on ldap
 group membership. I have not tested it yet, but will post it if(when)
 I get it working.
 You can also check out SquidGuard, which is available in EPEL.

ha, squid_kerb_ldap is not a proxy, it is an authenticator for squid
and what it does is verify the group membership of the users so you
can build ACLs based on that.

squidguard is nice. I like privoxy too ;-)

 I've written an article for Active Directory, however it is just as easy
 to use it with IPA.
 https://www.dalemacartney.com/2012/07/06/web-proxy-filtering-with-squidguard-using-active-directory-group-memberships/

cool, thanks.

-- 
natxo
