Hi,

I have observed that squid3, when used with ntlm, passes the AD username to squidguard in the below format:

DOMAIN%5cUSERNAME

%5c represents " \ ". How do we overcome this? Because squidguard is trying to find the username with the above format and of course it's failing. Any workaround for this?

I tried adding winbind seperator = \ in smb.conf but still no luck.

On 21 March 2011 23:17, Go Wow <gowows@xxxxxxxxx> wrote:
> Hi,
>
> I have a setup of squid3 with ntlm authen and I use squidGuard 1.5 to
> filter my web traffic. I know this is not a right place to post it, I
> guess squidguard dev team is busy enhancing the product. Looking for
> help from you guys.
>
> My squid3 is authenticating users properly and parsing all rules. The
> problem is with squidguard which doesn't seem to filter out users.
> below is my squidguard config.
>
>
> dbhome /usr/local/squidGuard/db
> logdir /usr/local/squidGuard/log
> ldapbinddn "cn=Ldap,cn=Users,dc=domain,dc=com"
> ldapbindpass secretpass
> ldapcachetime 300
> ldapprotover 3
>
>
> src Allowed_Top_Mgmt {
>     ldapusersearch
> "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
> }
>
> dest ads {
>     domainlist ads/domains
>     urllist ads/urls
>     redirect http://192.168.100.195/blocked.html
> }
> acl {
>     Allowed-Top-Mgmt {
>         pass !ads all
>         redirect http://192.168.100.195/blocked.html
>     }
>     default {
>         pass none
>         redirect http://192.168.100.195/blocked.html
>     }
> }
>
> My squidguard logs have these messages.
>
>
> [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter
> (params: dc=domain,dc=com, 2,
> (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group
> Accounts,dc=domain,dc=com)), sAMAccountName)
> [30393] Added LDAP source: domain%5cpeter.hank
> [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank
>
> peter.hank user is unable to access anything or any other user from
> other group is not able to access anything. Peter.hank is a member of
> the above defined group, I have cross checked it.
>
>
> Please do give me some ways to test ldapuser. Some pointers would even work.
>
> Thanks
>
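
An added example, not part of the original thread and not squidGuard's own code: in an LDAP filter (RFC 4515) a backslash starts a two-hex-digit escape, so the "\pe" in the logged filter is not valid syntax, which is consistent with the "Bad search filter" error above. The sketch below decodes the ident seen in the log, drops the domain prefix and escapes the value before building the filter; the function names are hypothetical and the group DN is the one from the quoted configuration.

```python
import re
from urllib.parse import unquote

# RFC 4515: these characters must be written as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def split_ident(raw):
    """Decode a URL-encoded ident and split it into (domain, user)."""
    decoded = unquote(raw)  # 'domain%5cpeter.hank' -> 'domain\peter.hank'
    domain, sep, user = decoded.rpartition("\\")
    return (domain if sep else None), user


def escape_filter_value(value):
    """Escape a string so it can only ever be a literal filter value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def invalid_escapes(ldap_filter):
    """Return backslash sequences that are not followed by two hex digits."""
    return re.findall(r"\\(?![0-9A-Fa-f]{2}).{0,2}", ldap_filter)


def build_filter(raw_ident, group_dn):
    """Build the sAMAccountName/memberOf filter from the raw ident."""
    _, user = split_ident(raw_ident)
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(user),
        escape_filter_value(group_dn),
    )


if __name__ == "__main__":
    # Values taken from the log and configuration quoted in the thread.
    group = "cn=Allowed_Full_Proxy_Users,ou=Group Accounts,dc=domain,dc=com"
    logged = "(&(sAMAccountName=domain\\peter.hank)(memberOf=%s))" % group
    print("invalid escapes in logged filter:", invalid_escapes(logged))
    fixed = build_filter("domain%5cpeter.hank", group)
    print("normalized filter:", fixed)
    print("invalid escapes after normalizing:", invalid_escapes(fixed))
```

Escaping the value also keeps a username containing "*", "(" or ")" from changing the meaning of the filter.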