Re: Re: SquidGuard - Ldap doesnt filter users

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 23/03/11 22:25, Go Wow wrote:
> Hi,
>
>   I have observed that squid3 when used with ntlm, passes the AD
> usersname to squidguard in the below format
>
>   DOMAIN%5cUSERNAME
>
> %5c represents " \ ". How do we overcome this, because squidguard is
> trying to find username with the above format and off course its
> failing.

Yes, usernames are URL-encoded to avoid binary and other reserved 
characters like escape-\ which people seem to like putting in there.

You need to contact the squidGuard people.

Amos

> Any workaround for this. I tried adding winbind seperator = \ in
> smb.conf but still no luck,
>
>
>
> On 21 March 2011 23:17, Go Wow<gowows@xxxxxxxxx>  wrote:
> > Hi,
> >
> > I have a setup of squid3 with ntlm authen and I use squidGuard 1.5 to
> > filter my web traffic. I know this is not a right place to post it, I
> > guess squidguard dev team is busy enhancing the product. Looking for
> > help from you guys.
> >
> > My squid3 is authenticating users properly and parsing all rules. The
> > problem is with squidguard which doesn't seem to filter out users.
> > below is my squidguard config.
> >
> >
> > dbhome /usr/local/squidGuard/db
> > logdir /usr/local/squidGuard/log
> > ldapbinddn      "cn=Ldap,cn=Users,dc=domain,dc=com"
> > ldapbindpass    secretpass
> > ldapcachetime   300
> > ldapprotover    3
> >
> >
> > src Allowed_Top_Mgmt {
> >          ldapusersearch
> > "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
> > }
> >
> > dest ads {
> >     domainlist  ads/domains
> >     urllist     ads/urls
> >     redirect http://192.168.100.195/blocked.html
> > }
> > acl {
> >     Allowed-Top-Mgmt {
> >         pass !ads all
> >         redirect http://192.168.100.195/blocked.html
> >         }
> >     default {
> >         pass none
> >         redirect http://192.168.100.195/blocked.html
> >         }
> > }
> >
> > My squidguard logs have these messages.
> >
> >
> > [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter
> > (params: dc=domain,dc=com, 2,
> > (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group
> > Accounts,dc=domain,dc=com)), sAMAccountName)
> > [30393] Added LDAP source: domain%5cpeter.hank
> > [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank
> >
> > peter.hank user is unable to access anything or any other user from
> > other group is not able to access anything. Peter.hank is a member of
> > the above defined group, I have cross checked it.
> >
> >
> > Please do give me some ways to test ldapuser. Some pointers would even work.
> >
> > Thanks


--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5