On 03/21/2011 01:17 PM, Go Wow wrote:
> Hi,
>
> I have a setup of squid3 with ntlm authen and I use squidGuard 1.5 to
> filter my web traffic. I know this is not a right place to post it, I
> guess squidguard dev team is busy enhancing the product. Looking for
> help from you guys.
>
> My squid3 is authenticating users properly and parsing all rules. The
> problem is with squidguard which doesn't seem to filter out users.
> below is my squidguard config.
>
>
> dbhome /usr/local/squidGuard/db
> logdir /usr/local/squidGuard/log
> ldapbinddn "cn=Ldap,cn=Users,dc=domain,dc=com"
> ldapbindpass secretpass
> ldapcachetime 300
> ldapprotover 3
>
>
> src Allowed_Top_Mgmt {
>     ldapusersearch
> "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
> }
>
> dest ads {
>     domainlist ads/domains
>     urllist ads/urls
>     redirect http://192.168.100.195/blocked.html
> }
> acl {
>     Allowed-Top-Mgmt {
>         pass !ads all
>         redirect http://192.168.100.195/blocked.html
>     }
>     default {
>         pass none
>         redirect http://192.168.100.195/blocked.html
>     }
> }
>
> My squidguard logs have these messages.
>
>
> [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter
> (params: dc=domain,dc=com, 2,
> (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group
> Accounts,dc=domain,dc=com)), sAMAccountName)
> [30393] Added LDAP source: domain%5cpeter.hank
> [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank
>
> peter.hank user is unable to access anything or any other user from
> other group is not able to access anything. Peter.hank is a member of
> the above defined group, I have cross checked it.

I think the problem is with the filter, squid is passing the user as
domain\username which is not recognized by squidguard as a valid user,
you need to apply the patch suggested by Mathieu Parent, search the
squidguard list archive for the topic:

[Squidguard] Fwd: Stripping NT domain name or Kerberos Realm from user name

For more info ask in the squidguard mailing list.

Best regards.

>
> Please do give me some ways to test ldapuser. Some pointers would even work.
>
> Thanks

--
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jmedina@xxxxxxxxxxxxxxx
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
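
As an added illustration of the domain\username issue discussed in this message (not code from the thread, from squidGuard, or from the patch it mentions): under RFC 4515 a backslash inside an LDAP filter value must begin a two-hex-digit escape, so a raw `domain\peter.hank` is malformed, while the stripped and escaped account name yields a well-formed filter. The function names are hypothetical; the filter is the one from the `ldapusersearch` line with `%2c` and `%20` decoded.

```python
import re
from urllib.parse import unquote

# Filter from the ldapusersearch URL on this page, with %2c/%20 decoded.
FILTER_TEMPLATE = ("(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users,"
                   "ou=Group Accounts,dc=domain,dc=com))")

# RFC 4515: these characters must appear as \XX hex escapes in a literal value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_VALID_VALUE = re.compile(r"(?:[^\\*()\x00]|\\[0-9A-Fa-f]{2})*")


def is_valid_filter_value(value):
    """True if a literal value has no raw special character or bad escape."""
    return _VALID_VALUE.fullmatch(value) is not None


def strip_domain(ident):
    """Reduce DOMAIN\\user or user@REALM (as squid reports it) to 'user'."""
    user = unquote(ident)            # domain%5cpeter.hank -> domain\peter.hank
    user = user.rsplit("\\", 1)[-1]  # drop an NT domain prefix
    return user.split("@", 1)[0]     # drop a Kerberos realm suffix


def escape_filter_value(value):
    """Hex-escape filter metacharacters so the value is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(ident):
    """Substitute the normalized, escaped user name for %s in the filter."""
    user = escape_filter_value(strip_domain(ident))
    return FILTER_TEMPLATE.replace("%s", user)


if __name__ == "__main__":
    ident = "domain%5cpeter.hank"    # value taken from the squidGuard log above
    print("raw value valid:", is_valid_filter_value(unquote(ident)))
    print("normalized filter:", build_filter(ident))
```

Escaping after stripping also keeps characters such as `*`, `(` and `)` in a user name from changing the structure of the filter.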