Re: [squid-users] Re: SquidGuard - Ldap doesnt filter users

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 24 Mar 2011 00:42:16 +1300

On 23/03/11 22:25, Go Wow wrote:
> Hi,
>
> I have observed that squid3, when used with ntlm, passes the AD
> username to squidguard in the below format
>
> DOMAIN%5cUSERNAME
>
> %5c represents " \ ". How do we overcome this, because squidguard is
> trying to find username with the above format and of course it's
> failing.
>

Yes, usernames are URL-encoded to avoid binary and other reserved
characters like escape-\ which people seem to like putting in there.

You need to contact the squidGuard people.

Amos

>
> Any workaround for this. I tried adding winbind seperator = \ in
> smb.conf but still no luck,
>
>
>
> On 21 March 2011 23:17, Go Wow<gowows_at_gmail.com> wrote:
>> Hi,
>>
>> I have a setup of squid3 with ntlm authen and I use squidGuard 1.5 to
>> filter my web traffic. I know this is not a right place to post it, I
>> guess squidguard dev team is busy enhancing the product. Looking for
>> help from you guys.
>>
>> My squid3 is authenticating users properly and parsing all rules. The
>> problem is with squidguard which doesn't seem to filter out users.
>> below is my squidguard config.
>>
>>
>> dbhome /usr/local/squidGuard/db
>> logdir /usr/local/squidGuard/log
>> ldapbinddn "cn=Ldap,cn=Users,dc=domain,dc=com"
>> ldapbindpass secretpass
>> ldapcachetime 300
>> ldapprotover 3
>>
>>
>> src Allowed_Top_Mgmt {
>> ldapusersearch
>> "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
>> }
>>
>> dest ads {
>> domainlist ads/domains
>> urllist ads/urls
>> redirect http://192.168.100.195/blocked.html
>> }
>> acl {
>> Allowed-Top-Mgmt {
>> pass !ads all
>> redirect http://192.168.100.195/blocked.html
>> }
>> default {
>> pass none
>> redirect http://192.168.100.195/blocked.html
>> }
>> }
>>
>> My squidguard logs have these messages.
>>
>>
>> [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter
>> (params: dc=domain,dc=com, 2,
>> (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group
>> Accounts,dc=domain,dc=com)), sAMAccountName)
>> [30393] Added LDAP source: domain%5cpeter.hank
>> [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank
>>
>> peter.hank user is unable to access anything or any other user from
>> other group is not able to access anything. Peter.hank is a member of
>> the above defined group, I have cross checked it.
>>
>>
>> Please do give me some ways to test ldapuser. Some pointers would even work.
>>
>> Thanks
>>

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
Received on Wed Mar 23 2011 - 11:42:26 MDT
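
Added example (not part of the original thread, and not Squid or squidGuard code): Python that URL-decodes the user field in the form Squid passes it, drops the domain prefix, and escapes the name per RFC 4515 before substituting it for %s. The check function shows why the filter in the quoted log is malformed, since RFC 4515 requires a backslash in a value to be followed by two hex digits. Assumptions: sAMAccountName holds the bare account name, the function names are hypothetical, and the template is the decoded filter from the quoted log.

```python
import re
from urllib.parse import unquote

# Decoded filter from the quoted squidGuard log, with %s as the user placeholder.
TEMPLATE = ("(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users,"
            "ou=Group Accounts,dc=domain,dc=com))")

# RFC 4515 section 3: these characters must appear as \XX inside a filter value.
_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def decode_squid_user(raw):
    """Undo the URL-encoding applied to the user field (domain%5cuser)."""
    return unquote(raw)


def split_domain(user):
    """Split 'DOMAIN\\name' into (domain, name); domain is '' if absent."""
    domain, sep, name = user.partition("\\")
    return (domain, name) if sep else ("", user)


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(_SPECIALS.get(ch, ch) for ch in value)


def has_valid_escapes(ldap_filter):
    """True if every backslash is followed by two hex digits."""
    return re.search(r"\\(?![0-9a-fA-F]{2})", ldap_filter) is None


def build_filter(template, raw_user):
    """Decode, strip the domain, escape, then substitute for %s."""
    _, name = split_domain(decode_squid_user(raw_user))
    return template.replace("%s", escape_filter_value(name))


if __name__ == "__main__":
    raw = "domain%5cpeter.hank"  # value from the quoted debug log
    naive = TEMPLATE.replace("%s", decode_squid_user(raw))
    print("naive filter valid:", has_valid_escapes(naive))
    print("normalised filter :", build_filter(TEMPLATE, raw))
```

If the directory lookup must keep the domain part, pass the full decoded string to `escape_filter_value` instead; the backslash then becomes `\5c` and the filter still parses.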
