Fix configuration for external AD

main/squid/ChangeLog

@@ -1,5 +1,5 @@
 HEAD
-	+ Added _externalServiceKerberosKeytab method
+	+ Fix configuration for external AD
 	+ Do not listen on internal interfaces
 4.0
 	+ Remove ads on deprecated features

main/squid/src/EBox/Squid.pm

@@ -644,27 +644,29 @@ sub _writeSquidConf
     push @writeParam, ('realm'     => $krbRealm);
     push @writeParam, ('noAuthDomains' => $self->_noAuthDomains());
 
-    my $ldap = $users->ldap();
-    push @writeParam, ('dn'       => $ldap->dn());
-    push @writeParam, ('roDn'     => $self->_kerberosServiceAccountDN());
-    push @writeParam, ('roPasswd' => $self->_kerberosServiceAccountPassword());
 
+    my $ldap = $users->ldap();
     my $mode = $self->authenticationMode();
-    if ($mode eq AUTH_MODE_EXTERNAL_AD) {
-        my $externalAD = $self->global()->modInstance('samba')->ldap();
-        my $dc = $externalAD->dcHostname();
+    if ($mode eq AUTH_MODE_INTERNAL) {
+        push @writeParam, ('dn'       => $ldap->dn());
+        push @writeParam, ('roDn'     => $self->_kerberosServiceAccountDN());
+        push @writeParam, ('roPasswd' => $self->_kerberosServiceAccountPassword());        
+    }  elsif ($mode eq AUTH_MODE_EXTERNAL_AD) {
+        my $dc = $ldap->dcHostname();
         my $adAclTtl = EBox::Config::configkeyFromFile(AUTH_AD_ACL_TTL_KEY,
             SQUID_ZCONF_FILE);
         my $adNegativeAclTtl =
             EBox::Config::configkeyFromFile(
                 AUTH_AD_NEGATIVE_ACL_TTL_KEY, SQUID_ZCONF_FILE);
-        my $adPrincipal = $externalAD->hostSamAccountName();
+        my $adPrincipal = $ldap->hostSamAccountName();
 
         push (@writeParam, (authModeExternalAD => 1));
         push (@writeParam, (adDC        => $dc));
         push (@writeParam, (adAclTTL    => $adAclTtl));
         push (@writeParam, (adNegativeAclTTL => $adNegativeAclTtl));
         push (@writeParam, (adPrincipal => $adPrincipal));
+    } else {
+        throw EBox::Exceptions::Internal("Invalid authentication mode: $mode");
     }
 
     $self->writeConfFile(SQUID_CONF_FILE, 'squid/squid.conf.mas', \@writeParam, { mode => '0640'});

main/squid/stubs/squid.conf.mas

@@ -241,8 +241,6 @@ http_access <% $policy %> <% $timeAcls %> <% $acl %>
 %   $sslBumpOptions = 'ssl-bump cert=/etc/squid3/self_signed_cert.pem  key=/etc/squid3/self_signed_key.pem options=ALL';
 % }
 http_port 0.0.0.0:<% $port %> <% $transKey%> <% $sslBumpOptions %>
-# END_TAG #
-
 
 visible_hostname (frontal)<% $hostfqdn %>
 coredump_dir /var/spool/squid3
@@ -274,7 +272,9 @@ cache_peer 127.0.0.1 parent 3130 0 no-query proxy-only login=*:nopassword
 auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -i -s <% $principal %>@<% $realm %>
 auth_param negotiate children 10
 auth_param negotiate keep_alive on
+%   if  (not $authModeExternalAD) {
 external_acl_type ldapgroup  ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -v3 -b <% $dn %>   -p 3268 -D <% $roDn %> -w <% $roPasswd %> -P -F "(&(userPrincipalName=%s)(objectclass=user))" -f  "(&(samAccountName=%g)(objectclass=group)(member=%u))"
+%   }
 % } else {
 auth_param basic realm Zentyal HTTP proxy
 auth_param basic program /usr/lib/squid3/basic_ldap_auth -v3 -b <% $dn %> -f "(&(samAccountName=%s)(objectclass=user))" -p 3268 -D <% $roDn %> -w <% $roPasswd %> -P