[squid-users] Re: SquidGuard - Ldap doesnt filter users

From: Go Wow <gowows_at_gmail.com>
Date: Wed, 23 Mar 2011 13:25:45 +0400

Hi,

 I have observed that squid3, when used with NTLM, passes the AD
username to squidGuard in the format below:

 DOMAIN%5cUSERNAME

%5c represents "\". How do we overcome this? squidGuard is
trying to find the username in the above format and of course it is
failing.

Any workaround for this? I tried adding winbind separator = \ in
smb.conf, but still no luck.

On 21 March 2011 23:17, Go Wow <gowows_at_gmail.com> wrote:
> Hi,
>
> I have a setup of squid3 with NTLM authentication and I use squidGuard 1.5 to
> filter my web traffic. I know this is not the right place to post it; I
> guess the squidGuard dev team is busy enhancing the product. Looking for
> help from you guys.
>
> My squid3 is authenticating users properly and parsing all rules. The
> problem is with squidGuard, which doesn't seem to filter out users.
> Below is my squidGuard config.
>
>
> dbhome /usr/local/squidGuard/db
> logdir /usr/local/squidGuard/log
> ldapbinddn      "cn=Ldap,cn=Users,dc=domain,dc=com"
> ldapbindpass    secretpass
> ldapcachetime   300
> ldapprotover    3
>
>
> src Allowed_Top_Mgmt {
>         ldapusersearch "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
> }
>
> dest ads {
>    domainlist  ads/domains
>    urllist     ads/urls
>    redirect http://192.168.100.195/blocked.html
> }
> acl {
>    # the acl block name must match the src name defined above (was Allowed-Top-Mgmt)
>    Allowed_Top_Mgmt {
>        pass !ads all
>        redirect http://192.168.100.195/blocked.html
>        }
>    default {
>        pass none
>        redirect http://192.168.100.195/blocked.html
>        }
> }
>
> My squidGuard logs have these messages.
>
>
> [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter (params: dc=domain,dc=com, 2, (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group Accounts,dc=domain,dc=com)), sAMAccountName)
> [30393] Added LDAP source: domain%5cpeter.hank
> [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank
>
> The user peter.hank is unable to access anything, nor is any other user
> from another group able to access anything. peter.hank is a member of
> the group defined above; I have cross-checked it.
>
>
> Please do give me some ways to test ldapuser. Some pointers would even work.
>
> Thanks
>
Received on Wed Mar 23 2011 - 09:25:59 MDT
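Added example, not part of the thread and not squidGuard's own code: a small Python model of the path from squid's redirector input line to the LDAP user filter. It percent-decodes the ident (DOMAIN%5cuser, as in the message above), strips the DOMAIN\ prefix, and escapes the value per RFC 4515 before substituting it for %s in the posted ldapusersearch URL. Dropping the decoded value in verbatim reproduces the filter seen in the log, `(sAMAccountName=domain\peter.hank)`; that filter is not well-formed because a backslash inside a filter value must be followed by two hex digits, which is the kind of mistake ldap_search_ext_s reports as a bad search filter. The redirector line layout and the sample lines are constructed for illustration, not captured from the poster's setup.

```python
"""Added model (not squidGuard's code) of how an NTLM ident reaches the LDAP user filter."""
import re
import urllib.parse

# Constructed redirector input lines: "URL client/fqdn ident method ...", with the
# ident percent-encoded the way squid3 hands it to a url_rewrite_program (layout assumed).
SAMPLE_LINES = [
    "http://www.example.com/ 192.168.100.23/- DOMAIN%5cpeter.hank GET -",
    "http://www.example.com/ 192.168.100.24/- - GET -",
]

# The ldapusersearch URL from the posted config (commas and spaces percent-encoded
# so the URL's own "?" and "," separators are not misread).
LDAP_USER_SEARCH = (
    "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?"
    "(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
)

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_VALID_ESCAPE = re.compile(r"\\[0-9A-Fa-f]{2}")


def parse_redirector_line(line):
    """Split one redirector line into its first four whitespace-separated fields."""
    url, client, ident, method = line.split()[:4]
    return {"url": url, "client": client, "ident": ident, "method": method}


def decode_ident(ident):
    """Undo the percent-encoding of the ident field; '-' means no authenticated user."""
    return None if ident == "-" else urllib.parse.unquote(ident)


def split_domain_user(ident):
    """Return (domain, user) for 'DOMAIN\\user'; domain is None when no backslash is present."""
    domain, sep, user = ident.rpartition("\\")
    return (domain if sep else None, user)


def ldap_filter_escape(value):
    """Escape a value so it can be embedded in an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def filter_is_wellformed(flt):
    """True when every backslash in the filter starts a valid two-hex-digit escape."""
    return "\\" not in _VALID_ESCAPE.sub("", flt)


def search_parts(ldap_url):
    """Split an LDAP URL into base DN, attributes, scope and the percent-decoded filter template."""
    parts = urllib.parse.urlsplit(ldap_url)
    attrs, scope, template = parts.query.split("?", 2)
    return parts.path.lstrip("/"), attrs, scope, urllib.parse.unquote(template)


def naive_filter(ldap_url, ident):
    """Decode the ident and drop it into %s verbatim: reproduces the filter seen in the log."""
    template = search_parts(ldap_url)[3]
    user = decode_ident(ident)
    return None if user is None else template.replace("%s", user, 1)


def build_filter(ldap_url, ident, strip_domain=True):
    """Decode the ident, optionally strip DOMAIN\\, then escape it before substitution."""
    template = search_parts(ldap_url)[3]
    user = decode_ident(ident)
    if user is None:
        return None
    if strip_domain:
        user = split_domain_user(user)[1]
    return template.replace("%s", ldap_filter_escape(user), 1)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ident = parse_redirector_line(line)["ident"]
        for label, flt in (("naive", naive_filter(LDAP_USER_SEARCH, ident)),
                           ("escaped", build_filter(LDAP_USER_SEARCH, ident))):
            state = "n/a" if flt is None else ("ok" if filter_is_wellformed(flt) else "BAD")
            print(f"{ident:22} {label:8} {state:4} {flt}")
```

Running it prints the naive filter flagged BAD and the escaped one flagged ok for the authenticated line, and n/a for the unauthenticated one. With strip_domain=False the value becomes DOMAIN\5cpeter.hank, which is a well-formed filter but will only match if the directory actually stores the account name with the domain prefix, which sAMAccountName does not.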

This archive was generated by hypermail 2.2.0 : Wed Mar 23 2011 - 12:00:02 MDT