Thanks for your help
We cannot do anything on squid side to fix this, like while passing
the username to squidguard, we strips the " domain\ " part and pass
only username.
On 23 March 2011 15:42, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 23/03/11 22:25, Go Wow wrote:
>>
>> Hi,
>>
>> I have observed that squid3 when used with ntlm, passes the AD
>> usersname to squidguard in the below format
>>
>> DOMAIN%5cUSERNAME
>>
>> %5c represents " \ ". How do we overcome this, because squidguard is
>> trying to find username with the above format and off course its
>> failing.
>>
>
> Yes, usernames are URL-encoded to avoid binary and other reserved characters
> like escape-\ which people seem to like putting in there.
>
> You need to contact the squidGuard people.
>
> Amos
>
>>
>> Any workaround for this. I tried adding winbind seperator = \ in
>> smb.conf but still no luck,
>>
>>
>>
>> On 21 March 2011 23:17, Go Wow<gowows@xxxxxxxxx> wrote:
>>>
>>> Hi,
>>>
>>> I have a setup of squid3 with ntlm authen and I use squidGuard 1.5 to
>>> filter my web traffic. I know this is not a right place to post it, I
>>> guess squidguard dev team is busy enhancing the product. Looking for
>>> help from you guys.
>>>
>>> My squid3 is authenticating users properly and parsing all rules. The
>>> problem is with squidguard which doesn't seem to filter out users.
>>> below is my squidguard config.
>>>
>>>
>>> dbhome /usr/local/squidGuard/db
>>> logdir /usr/local/squidGuard/log
>>> ldapbinddn "cn=Ldap,cn=Users,dc=domain,dc=com"
>>> ldapbindpass secretpass
>>> ldapcachetime 300
>>> ldapprotover 3
>>>
>>>
>>> src Allowed_Top_Mgmt {
>>> ldapusersearch
>>>
>>> "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
>>> }
>>>
>>> dest ads {
>>> domainlist ads/domains
>>> urllist ads/urls
>>> redirect http://192.168.100.195/blocked.html
>>> }
>>> acl {
>>> Allowed-Top-Mgmt {
>>> pass !ads all
>>> redirect http://192.168.100.195/blocked.html
>>> }
>>> default {
>>> pass none
>>> redirect http://192.168.100.195/blocked.html
>>> }
>>> }
>>>
>>> My squidguard logs have these messages.
>>>
>>>
>>> [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter
>>> (params: dc=domain,dc=com, 2,
>>>
>>> (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group
>>> Accounts,dc=domain,dc=com)), sAMAccountName)
>>> [30393] Added LDAP source: domain%5cpeter.hank
>>> [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank
>>>
>>> peter.hank user is unable to access anything or any other user from
>>> other group is not able to access anything. Peter.hank is a member of
>>> the above defined group, I have cross checked it.
>>>
>>>
>>> Please do give me some ways to test ldapuser. Some pointers would even
>>> work.
>>>
>>> Thanks
>>>
>
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.11
> Beta testers wanted for 3.2.0.5
>
