Re: [Squid 4.x]: Truncated accounts when there is spaces in usernames

On 24/10/2015 05:44, Amos Jeffries wrote:
On 24/10/2015 1:29 p.m., David Touzeau wrote:
Hi all.

I'm testing squid 4.x with Active Directory connection.

When there are spaces in logged accounts, e.g. "Jhon Rambo", squid uses
only the last string of the logon user: "Rambo".

This corrupted account is used in all ACLs and events too, and all ACLs
match "Rambo" and not "Jhon Rambo".

This behavior can be replicated in the Squid 3.5.x branch too, and
in both the LDAP and NTLM methods.

** It should be a security issue, and an issue under government
laws **

1) If we create ACLs for the account "Rambo", which is another person
than "Jhon Rambo", then Jhon Rambo, aka "Rambo" for squid, uses the same ACLs
as the "Rambo" account.
2) In Europe we must keep Squid logs for the police for 1 year,
according to the needs of Justice. This corruption breaks the validity of the
logs, as Squid does not reflect the real connected username.

How to fix it?
Start with what's in your squid.conf settings: proxy_auth values, helper
settings.

Then go on to what the helper protocol is transmitting: both request and
reply lines from the auth and external ACL helpers.

Whitespace in user labels is not always dealt with nicely.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
Amos, here are the settings in squid.conf


auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20 startup=5 idle=3
auth_param ntlm keep_alive on
authenticate_ttl 14400 seconds
authenticate_cache_garbage_interval 18000 seconds
authenticate_ip_ttl 14400 seconds

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10 startup=5 idle=1
auth_param basic realm Basic Identification
auth_param basic credentialsttl 4 hours

Here is a debug log with an account logged as "david touzeau":


Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJAAAAAYABgAqAAAAA4ADgBYAAAAGgAaAGYAAAAQABAAgAAAAAAAAADAAAAABYKIogYBsR0AAAAPudyEOYFjFhMW+qrJNxLkdlQATwBVAFoARQBBAFUAZABhAHYAaQBkACAAdABvAHUAegBlAGEAdQBXAEkATgA3AFUAUwAtADEAkZrVyKTcrdAAAAAAAAAAAAAAAAAAAAAA/wlnYT2Q+F
2015/10/24 12:34:58.089 kid1| 84,5| helper.cc(1384) helperStatefulDispatch: helperStatefulDispatch: Request sent to ntlmauthenticator #Hlpr65, 260 bytes
2015/10/24 12:34:58.092 kid1| 84,5| helper.cc(1000) helperStatefulHandleRead: helperStatefulHandleRead: 17 bytes from ntlmauthenticator #Hlpr65
2015/10/24 12:34:58.092 kid1| 29,6| UserRequest.cc(171) releaseAuthServer: releasing NTLM auth server '0x1d91cd8'
2015/10/24 12:34:58.092 kid1| 29,4| UserRequest.cc(327) HandleReply: Successfully validated user via NTLM. Username 'touzeau'

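A way to check what the client actually sent against the label Squid logged, as an added example (Python; not code from the thread or from Squid): it parses the domain, user and workstation fields out of the Proxy-Authorization blob above using the NTLM AUTHENTICATE_MESSAGE header layout from MS-NLMP, and contrasts two readings of the helper reply. The content of the 17-byte helper reply is an assumption ("AF david touzeau\n", which is exactly 17 bytes in the squid-2.5-ntlmssp "AF <user>" form); the blob is the truncated one the archive shows.

```python
import base64
import struct
# Type 3 NTLM AUTHENTICATE_MESSAGE copied from the debug log above; the archive truncated it.
PAGE_BLOB = (
    "TlRMTVNTUAADAAAAGAAYAJAAAAAYABgAqAAAAA4ADgBYAAAAGgAaAGYAAAAQABAA"
    "gAAAAAAAAADAAAAABYKIogYBsR0AAAAPudyEOYFjFhMW+qrJNxLkdlQATwBVAFoA"
    "RQBBAFUAZABhAHYAaQBkACAAdABvAHUAegBlAGEAdQBXAEkATgA3AFUAUwAtADEA"
    "kZrVyKTcrdAAAAAAAAAAAAAAAAAAAAAA/wlnYT2Q+F"
)
# Assumed 17-byte helper reply (constructed): squid-2.5-ntlmssp answers "AF <user>".
HELPER_REPLY = "AF david touzeau\n"

def decode_truncated_b64(text):
    """Decode base64 whose tail was cut off, keeping every complete byte."""
    text = text.rstrip("=")
    if len(text) % 4 == 1:  # a lone trailing char holds no complete byte
        text = text[:-1]
    return base64.b64decode(text + "=" * (-len(text) % 4))

def parse_ntlm_authenticate(blob_b64):
    """Return the domain, user, workstation and NT response the client sent."""
    data = decode_truncated_b64(blob_b64)
    if len(data) < 64 or data[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", data, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", data, 60)[0]
    encoding = "utf-16-le" if flags & 0x1 else "latin-1"  # NEGOTIATE_UNICODE
    # Field descriptors (Len, MaxLen, BufferOffset) sit at fixed header positions.
    layout = (("nt_response", 20, False), ("domain", 28, True),
              ("user", 36, True), ("workstation", 44, True))
    fields = {}
    for name, pos, is_text in layout:
        length, _maxlen, offset = struct.unpack_from("<HHI", data, pos)
        if offset + length > len(data):
            fields[name] = None  # payload lies beyond the truncated buffer
            continue
        raw = data[offset:offset + length]
        fields[name] = raw.decode(encoding) if is_text else raw
    return fields

def user_last_token(reply):
    """Whitespace tokenising keeps only the last word, the 'touzeau' in the log."""
    return reply.split()[-1]

def user_rest_of_line(reply):
    """Treat everything after the status code as the label, spaces included."""
    code, _, label = reply.rstrip("\r\n").partition(" ")
    if code != "AF":
        raise ValueError("helper did not report success: " + code)
    return label
```

Comparing `parse_ntlm_authenticate(PAGE_BLOB)["user"]` with the label the proxy logs is a quick way to confirm whether the truncation happens in the helper reply or in Squid's handling of it.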