I got this working with the help of Mat. This link has the patch; all you
need to do is apply it and recompile squidguard.

http://www.shalla.de/mailman/private/squidguard/2010-December/001896.html

Thanks for the help, people.

2011/3/23 Jorge Armando Medina <jmedina@xxxxxxxxxxxxxxx>:
> On 03/21/2011 01:17 PM, Go Wow wrote:
>> Hi,
>>
>> I have a setup of squid3 with ntlm authen and I use squidGuard 1.5 to
>> filter my web traffic. I know this is not the right place to post it, I
>> guess squidguard dev team is busy enhancing the product. Looking for
>> help from you guys.
>>
>> My squid3 is authenticating users properly and parsing all rules. The
>> problem is with squidguard which doesn't seem to filter out users.
>> below is my squidguard config.
>>
>>
>> dbhome /usr/local/squidGuard/db
>> logdir /usr/local/squidGuard/log
>> ldapbinddn "cn=Ldap,cn=Users,dc=domain,dc=com"
>> ldapbindpass secretpass
>> ldapcachetime 300
>> ldapprotover 3
>>
>>
>> src Allowed_Top_Mgmt {
>> ldapusersearch
>> "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
>> }
>>
>> dest ads {
>> domainlist ads/domains
>> urllist ads/urls
>> redirect http://192.168.100.195/blocked.html
>> }
>> acl {
>> Allowed-Top-Mgmt {
>> pass !ads all
>> redirect http://192.168.100.195/blocked.html
>> }
>> default {
>> pass none
>> redirect http://192.168.100.195/blocked.html
>> }
>> }
>>
>> My squidguard logs have these messages.
>>
>>
>> [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter
>> (params: dc=domain,dc=com, 2,
>> (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group
>> Accounts,dc=domain,dc=com)), sAMAccountName)
>> [30393] Added LDAP source: domain%5cpeter.hank
>> [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank
>>
>> peter.hank user is unable to access anything or any other user from
>> other group is not able to access anything. Peter.hank is a member of
>> the above defined group, I have cross checked it.
>
> I think the problem is with the filter, squid is passing the user as
> domain\username which
> is not recognized by squidguard as a valid user, you need to apply the
> patch suggested by
> Mathieu Parent, search the squidguard list archive for the topic:
> [Squidguard] Fwd: Stripping NT domain name or Kerberos Realm from user name
>
> For more info ask in the squidguard mailing list.
>
> Best regards.
>>
>> Please do give me some ways to test ldapuser. Some pointers would even work.
>>
>> Thanks
>
>
> --
> Jorge Armando Medina
> Computación Gráfica de México
> Web: http://www.e-compugraf.com
> Tel: 55 51 40 72, Ext: 124
> Email: jmedina@xxxxxxxxxxxxxxx
> GPG Key: 1024D/28E40632 2007-07-26
> GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
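
The "Bad search filter" line in the quoted log follows from the decoded ident domain\peter.hank being placed into the filter as-is: in an LDAP filter a backslash must be followed by two hex digits (RFC 4515). The C code below is an added example, not part of this thread and not the patch linked above; it shows one way to turn the ident into a value that is safe to substitute for %s. The function names are hypothetical and are not squidGuard's API.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Squid hands the ident over URL-encoded (domain%5cpeter.hank): decode %XX in place. */
static int url_decode(char *s) {
    char *o = s;
    while (*s) {
        unsigned int v;
        if (s[0] == '%' && isxdigit((unsigned char)s[1]) &&
            isxdigit((unsigned char)s[2]) && sscanf(s + 1, "%2x", &v) == 1) {
            if (v == 0) return -1;            /* refuse an embedded NUL */
            *o++ = (char)v; s += 3;
        } else *o++ = *s++;
    }
    *o = '\0';
    return 0;
}

/* RFC 4515: write * ( ) \ as \XX so the value cannot change the filter's structure. */
static int ldap_escape(const char *in, char *out, size_t outlen) {
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\');
        if (n + (special ? 4 : 2) > outlen) return -1;   /* keep room for NUL */
        if (special) { out[n++] = '\\'; out[n++] = hex[c >> 4]; out[n++] = hex[c & 15]; }
        else out[n++] = (char)c;
    }
    out[n] = '\0';
    return 0;
}

/* Value to substitute for %s in ldapusersearch: decode, drop DOMAIN\ and @REALM, escape. */
int ldap_user_value(const char *ident, char *out, size_t outlen) {
    char buf[256], *user = buf, *p;
    if (outlen == 0 || strlen(ident) >= sizeof buf) return -1;
    strcpy(buf, ident);
    if (url_decode(buf) != 0) return -1;
    if ((p = strrchr(user, '\\')) != NULL) user = p + 1;
    if ((p = strchr(user, '@')) != NULL) *p = '\0';
    return *user ? ldap_escape(user, out, outlen) : -1;  /* empty account name is an error */
}

int main(void) {
    char out[64];   /* ident below is the one shown in the log quoted in the thread */
    if (ldap_user_value("domain%5cpeter.hank", out, sizeof out) == 0) puts(out);
    return 0;
}
```

With the domain removed, two accounts that share a sAMAccountName in different domains match the same filter, so the group restriction in the filter is what keeps the match narrow.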