#1
Hello!
Sorry for my English.
Main tasks:
1. Restrict domain users' access by login groups.
2. Transparent user authentication through LDAP (so that users do not have to enter a login and password every time).
If I implement the tasks with RADIUS authorization of users, it works, but every login requires authorization again, and users complain that it is very inconvenient. In the manuals I did not find a setting in OpnSense to authorize AD users via RADIUS.

The ability to limit users' Internet access through user groups: I tried to set up the User and Group ACL; it installs, but as soon as you add any domain group, SQUID crashes and does not come back up. There are errors in the logs; I checked the files, and one file in the path is missing:
/usr/local/libexec/squid/ext_kerberos_ldap_group_acl: it is simply not there at all.
I understand that a manual would not have it written out; it must be generated by the machine, so probably the Kerberos helper is not working.

The part of the log after restarting SQUID:

2018/02/02 09:03:26 kid1| Set Current Directory to /var/squid/cache
2018/02/02 09:03:26 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
2018/02/02 09:03:26 kid1| Service Name: squid
2018/02/02 09:03:26 kid1| Process ID 20864
2018/02/02 09:03:26 kid1| Process Roles: worker
2018/02/02 09:03:26 kid1| With 467892 file descriptors available
2018/02/02 09:03:26 kid1| Initializing IP Cache...
2018/02/02 09:03:26 kid1| DNS Socket created at [::], FD 6
2018/02/02 09:03:26 kid1| DNS Socket created at 0.0.0.0, FD 8
2018/02/02 09:03:26 kid1| Adding domain ght.su from /etc/resolv.conf
2018/02/02 09:03:26 kid1| Adding nameserver 192.168.30.4 from /etc/resolv.conf
2018/02/02 09:03:26 kid1| helperOpenServers: Starting 0/5 'auth-user.php' processes
2018/02/02 09:03:26 kid1| helperOpenServers: No 'auth-user.php' processes needed.
2018/02/02 09:03:26 kid1| helperOpenServers: Starting 5/5 'ext_kerberos_ldap_group_acl' processes
2018/02/02 09:03:26 kid1| Logfile: opening log stdio:/var/log/squid/access.log
2018/02/02 09:03:26 kid1| ipcCreate: /usr/local/libexec/squid/ext_kerberos_ldap_group_acl: (2) No such file or directory
2018/02/02 09:03:26 kid1| ipcCreate: /usr/local/libexec/squid/ext_kerberos_ldap_group_acl: (2) No such file or directory
2018/02/02 09:03:26 kid1| ipcCreate: /usr/local/libexec/squid/ext_kerberos_ldap_group_acl: (2) No such file or directory
2018/02/02 09:03:26 kid1| ipcCreate: /usr/local/libexec/squid/ext_kerberos_ldap_group_acl: (2) No such file or directory
2018/02/02 09:03:26 kid1| ipcCreate: /usr/local/libexec/squid/ext_kerberos_ldap_group_acl: (2) No such file or directory
2018/02/02 09:03:26 kid1| Unlinkd pipe opened on FD 23
2018/02/02 09:03:26 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2018/02/02 09:03:26 kid1| Logfile: opening log stdio:/var/log/squid/store.log
2018/02/02 09:03:26 kid1| Swap maxSize 102400 + 262144 KB, estimated 28041 objects
2018/02/02 09:03:26 kid1| Target number of buckets: 1402
2018/02/02 09:03:26 kid1| Using 8192 Store buckets
2018/02/02 09:03:26 kid1| Max Mem size: 262144 KB
2018/02/02 09:03:26 kid1| Max Swap size: 102400 KB
2018/02/02 09:03:26 kid1| Rebuilding storage in /var/squid/cache (clean log)
2018/02/02 09:03:26 kid1| Using Least Load store dir selection
2018/02/02 09:03:26 kid1| Set Current Directory to /var/squid/cache
2018/02/02 09:03:26 kid1| Finished loading MIME types and icons.
2018/02/02 09:03:26 kid1| HTCP Disabled.
2018/02/02 09:03:26 kid1| Pinger socket opened on FD 33
2018/02/02 09:03:26 kid1| Squid plugin modules loaded: 0
2018/02/02 09:03:26 kid1| Adaptation support is off.
2018/02/02 09:03:26 kid1| Accepting NAT intercepted HTTP Socket connections at local=127.0.0.1:3128 remote=[::] FD 27 flags=41
2018/02/02 09:03:26 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::1]:3128 remote=[::] FD 28 flags=41
2018/02/02 09:03:26 kid1| Accepting HTTP Socket connections at local=192.168.30.50:3128 remote=[::] FD 29 flags=9
2018/02/02 09:03:26 kid1| Accepting reverse-proxy FTP Socket connections at local=192.168.30.50:2121 remote=[::] FD 30 flags=9
2018/02/02 09:03:26 kid1| Accepting ICP messages on [::]:3130
2018/02/02 09:03:26 kid1| Sending ICP messages from [::]:3130
2018/02/02 09:03:26 kid1| Done reading /var/squid/cache swaplog (2983 entries)
2018/02/02 09:03:26 kid1| Finished rebuilding storage from disk.
2018/02/02 09:03:26 kid1| 2983 Entries scanned
2018/02/02 09:03:26 kid1| 0 Invalid entries.
2018/02/02 09:03:26 kid1| 0 With invalid flags.
2018/02/02 09:03:26 kid1| 2983 Objects loaded.
2018/02/02 09:03:26 kid1| 0 Objects expired.
2018/02/02 09:03:26 kid1| 0 Objects cancelled.
2018/02/02 09:03:26 kid1| 0 Duplicate URLs purged.
2018/02/02 09:03:26 kid1| 0 Swapfile clashes avoided.
2018/02/02 09:03:26 kid1| Took 0.01 seconds (229939.10 objects/sec).
2018/02/02 09:03:26 kid1| Beginning Validation Procedure
2018/02/02 09:03:26 kid1| Completed Validation Procedure
2018/02/02 09:03:26 kid1| Validated 2983 Entries
2018/02/02 09:03:26 kid1| store_swap_size = 92060.00 KB
2018/02/02 09:03:26 kid1| WARNING: ext_group_ldap_0 #Hlpr1 exited
2018/02/02 09:03:26 kid1| Too few ext_group_ldap_0 processes are running (need 1/5)
2018/02/02 09:03:26 kid1| Closing HTTP port 127.0.0.1:3128
2018/02/02 09:03:26 kid1| Closing HTTP port [::1]:3128
2018/02/02 09:03:26 kid1| Closing HTTP port 192.168.30.50:3128
2018/02/02 09:03:26 kid1| Closing FTP port 192.168.30.50:2121
2018/02/02 09:03:26 kid1| Stop receiving ICP on [::]:3130
2018/02/02 09:03:26 kid1| Stop sending ICP from [::]:3130
2018/02/02 09:03:26 kid1| storeDirWriteCleanLogs: Starting...
2018/02/02 09:03:26 kid1| Finished. Wrote 2983 entries.
2018/02/02 09:03:26 kid1| Took 0.00 seconds (10503521.13 entries/sec).
FATAL: The ext_group_ldap_0 helpers are crashing too rapidly, need help!
Squid Cache (Version 3.5.27): Terminated abnormally.
CPU Usage: 0.091 seconds = 0.058 user + 0.033 sys
Maximum Resident Size: 350096 KB
Page faults with physical i/o: 0
2018/02/02 09:03:26 kid1| Closing Pinger socket on FD 33
2018/02/02 09:03:26| pinger: Initialising ICMP pinger ...
2018/02/02 09:03:26| pinger: ICMP socket opened.
2018/02/02 09:03:26| pinger: ICMPv6 socket opened

#2
After installing the Group and Users plugin, squid works.
But as soon as we add a group ACL (any group from AD), OpnSense sees the group and the plugin starts, but it brings squid down.

The squid logs show an error:
FATAL: The ext_group_ldap_0 helpers are crashing too rapidly, need help!

Contents of ProxyUserACL.conf:
external_acl_type ext_group_ldap_0 ttl=300 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -a -t 44656e795573657241436c -D DOMAIN.LOCAL
acl group_ldap_0 external ext_group_ldap_0
acl domains_0 url_regex DOMAIN\.LOCAL

http_access deny group_ldap_0 domains_0

As I understand it, the file /usr/local/libexec/squid/ext_kerberos_ldap_group_acl is missing.

I have racked my brains and re-read the manuals, but the terminal does not let me do anything.
How do I configure this ACL??? Manually???
What should I do? ACLs by domain group are really needed...
If anyone has tried it, please post the contents of this file.

Or should I wait for the update on 29-01 (and even then it is not certain the bug will be fixed)?
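The two symptoms in the posted log, "ipcCreate: ...ext_kerberos_ldap_group_acl: (2) No such file or directory" followed by "helpers are crashing too rapidly", both come from Squid trying to spawn a helper binary that does not exist at the path named on the external_acl_type line. The following POSIX sh checker is an added example written for this thread; it is not code from the forum posts, from OPNsense or from the Squid project. It pulls every helper path out of a Squid configuration file and reports which ones are missing or not executable, and it also decodes the hex value passed as -t in the posted ProxyUserACL.conf. The config path and helper paths are whatever the caller supplies, and the idea that the -t value is a hex-encoded ACL or group name is an assumption, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not from the forum thread or from OPNsense/Squid.
# Checks a Squid config for external_acl_type helpers that cannot be started,
# which is the condition behind "ipcCreate: ... No such file or directory".
# Nothing here contacts Squid, LDAP or Active Directory.

# Print the helper path from each external_acl_type line: the first field
# that is an absolute path (Squid options such as ttl=300 and the %LOGIN
# format token precede it).
list_acl_helpers() {
    awk '/^external_acl_type[ \t]/ {
             for (i = 2; i <= NF; i++) if ($i ~ /^\//) { print $i; break }
         }' "$1"
}

# Print "OK <path>" or "MISSING <path>" per helper; return 1 if any helper
# is absent or not executable, 0 if all of them can be started.
check_acl_helpers() {
    rc=0
    for helper in $(list_acl_helpers "$1"); do
        if [ -x "$helper" ]; then
            echo "OK $helper"
        else
            echo "MISSING $helper"
            rc=1
        fi
    done
    return "$rc"
}

# Decode a hex string to ASCII using only POSIX sh (no xxd needed).
# The posted -t value 44656e795573657241436c is plain hex; that the plugin
# passes an ACL/group name this way is an assumption made for this example.
hex_to_ascii() {
    h="$1"
    out=""
    while [ -n "$h" ]; do
        pair=${h%"${h#??}"}                       # first two hex digits
        out="$out$(printf "\\$(printf '%03o' "$((0x$pair))")")"
        h=${h#??}                                 # drop them and continue
    done
    printf '%s' "$out"
}

# Usage: sh check_acl_helpers.sh /path/to/ProxyUserACL.conf
if [ $# -gt 0 ]; then
    check_acl_helpers "$1"
fi
```

Run it against the ProxyUserACL.conf that Squid actually loads; a MISSING line confirms the helper binary is absent rather than merely misconfigured. To tell a missing file from a Squid build that never shipped the helper, `squid -v` prints the configure options the binary was built with, including which `--enable-external-acl-helpers` were selected. Once the binary exists, Squid's external ACL helper protocol (one request per line on stdin, an OK or ERR reply per line on stdout) lets you test it from a terminal before letting Squid spawn it.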
#3
Colleagues! Give me an answer or at least a small hint, I have racked my brains... Which direction should I dig in?

The situation:
The proxy works in transparent mode, and users pass authentication via Kerberos. Some users have been added to OU=SQUIDGroup and some have not, but when Web Proxy Single Sign-On is enabled, all users get out to the Internet (in transparent mode); if Web Proxy Single Sign-On is off, it asks for a login and password (but even a user who is in OU-SQUIDGroup cannot authenticate, although he is added to the user list on the proxy and passes the Tester).

What is required in the end: 1. Cut off from the Internet the users who are not in the OU. 2. If possible, user authentication should be transparent (without entering a login/password).

What can be done?

There are 100 machines on the network, so working by IP is not an option, only by UserName.