2012/5/23 Diersen, Dustyn [DAS] <DUSTYN.DIERSEN@xxxxxxxx>: > I have squid running with SquidGuard using Active Directory for LDAP authentication. The problem I am seeing is the use of the AD attribute sAMAccountName for both userName and computerName. I thought I had a fix by adding sAMAccountType to my following squid_ldap_auth helper, but I am still seeing numerous computerNames rather than userNames being logged. The REAL problem is ACL matching, as I never know what I will be receiving from my users and do not wish to include computerName in my userlists. I have tested adding a couple of computerNames to the userlist which resolves blocked access messages for users with specialized access requirements. > > Here is my current LDAP helper string: > auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b "dc=base,dc=domain,dc=in,dc=our,dc=AD" -s sub -D "BASE\\user" -W "/squidGuard/filename" -f "(&(&(objectCategory=person)(sAMAccountName=%s)(sAMAccountType=805306368)))" -u sAMAccountName -P -v3 -Hldap://domain.com > > I have been searching for a solution to this problem for more than a week, but have been unable to find one that works in my environment. > > -Dustyn If you're using AD anyhow then why aren't you using kerberos (or NTLMv2 [not safe anymore]) authentication? Then you generally get the username, though I think I also by us seen computer names in the username field which I think happens when there is a system process trying to access the web for instance for updates.... Regards, Eli
