2012/5/23 Diersen, Dustyn [DAS] <DUSTYN.DIERSEN@xxxxxxxx>:
>> I have squid running with SquidGuard using Active Directory for LDAP
>> authentication. The problem I am seeing is the use of the AD attribute
>> sAMAccountName for both userName and computerName. I thought I had a fix by
>> adding sAMAccountType to my following squid_ldap_auth helper, but I am still
>> seeing numerous computerNames rather than userNames being logged. The REAL
>> problem is ACL matching, as I never know what I will be receiving from my
>> users and do not wish to include computerName in my userlists. I have tested
>> adding a couple of computerNames to the userlist which resolves blocked
>> access messages for users with specialized access requirements.
>>
>> Here is my current LDAP helper string:
>>
>> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b "dc=base,dc=domain,dc=in,dc=our,dc=AD" -s sub -D "BASE\\user" -W "/squidGuard/filename" -f "(&(&(objectCategory=person)(sAMAccountName=%s)(sAMAccountType=805306368)))" -u sAMAccountName -P -v3 -Hldap://domain.com
>>
>> I have been searching for a solution to this problem for more than a week,
>> but have been unable to find one that works in my environment.
>>
>> -Dustyn

> If you're using AD anyhow then why aren't you using kerberos (or
> NTLMv2 [not safe anymore]) authentication? Then you generally get the
> username, though I think I have also seen computer names in the
> username field here, which I think happens when there is a system process
> trying to access the web, for instance for updates....
>
> Regards,
> Eli

Hello Eli,

I do also have Kerberos defined, see below for entries. I need help figuring out where the computerNames are coming from. As I mentioned before, I thought I had eliminated the computerNames by the squid_ldap_auth helper above. I have more than 400 users (and growing) and would like to keep their userNames only in the userlists. When the computerName is logged, the end user ends up using the default ACL which is more restrictive on outbound browsing, resulting in trouble tickets to fix the problem.

auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth
auth_param negotiate children 30
auth_param negotiate keep_alive on
url_rewrite_program /squidGuard/redirector-id.pl
url_rewrite_children 8
url_rewrite_concurrency 10
acl AUTH proxy_auth REQUIRED

and here is the rest of my basic auth:

auth_param basic children 15
auth_param basic realm SquidGuard Authentication
auth_param basic credentialsttl 8 hours
http_access allow localnet
http_access allow AUTH

Thank you,
-Dustyn
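
One way to find out where the computer names come from, as an added example that is not part of the original thread: the script below scans Squid's native access.log layout and reports which clients and URLs were logged under a machine account. It assumes the default native log format and the Active Directory convention that a computer account's sAMAccountName ends in "$"; the sample lines, host names and realm are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample lines in Squid's native access.log layout (not from the thread):
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1337781601.120    85 10.1.1.20 TCP_MISS/200 5120 GET http://www.example.com/ jsmith DIRECT/192.0.2.10 text/html
1337781602.450    40 10.1.1.20 TCP_MISS/200 980 GET http://updates.example.net/check.xml WKSTN042$@EXAMPLE.LOCAL DIRECT/192.0.2.20 text/xml
1337781603.010    12 10.1.1.31 TCP_DENIED/407 1800 GET http://www.example.org/ - NONE/- text/html
1337781604.300    61 10.1.1.31 TCP_MISS/200 2048 GET http://www.example.org/ mjones@EXAMPLE.LOCAL DIRECT/192.0.2.30 text/html
1337781605.770    33 10.1.1.31 TCP_MISS/200 640 CONNECT updates.example.net:443 WKSTN077$ DIRECT/192.0.2.20 -
"""


def is_machine_account(user):
    """True for names such as HOST$, DOMAIN\\HOST$ or HOST$@REALM."""
    name = user.split("\\")[-1]   # drop an optional DOMAIN\ prefix
    name = name.split("@")[0]     # drop an optional @REALM suffix
    return name.endswith("$")     # assumption: AD computer accounts end in "$"


def machine_requests(log_text):
    """Map each machine-account name to a Counter of (client, url) pairs."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:      # skip truncated or non-native lines
            continue
        client, url, user = fields[2], fields[6], fields[7]
        if user != "-" and is_machine_account(user):
            hits[user][(client, url)] += 1
    return dict(hits)


if __name__ == "__main__":
    for user, pairs in sorted(machine_requests(SAMPLE_LOG).items()):
        for (client, url), count in pairs.most_common():
            print(f"{user}\t{client}\t{count}\t{url}")
```
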