Re: [squid-users] SquidGuard - Ldap doesnt filter users

From: Jorge Armando Medina <jmedina_at_e-compugraf.com>
Date: Wed, 23 Mar 2011 12:42:11 -0600

On 03/21/2011 01:17 PM, Go Wow wrote:
> Hi,
>
> I have a setup of squid3 with NTLM authentication and I use squidGuard 1.5 to
> filter my web traffic. I know this is not the right place to post it; I
> guess the squidGuard dev team is busy enhancing the product. Looking for
> help from you guys.
>
> My squid3 is authenticating users properly and parsing all rules. The
> problem is with squidGuard, which doesn't seem to filter out users.
> Below is my squidGuard config.
>
>
> dbhome /usr/local/squidGuard/db
> logdir /usr/local/squidGuard/log
> ldapbinddn "cn=Ldap,cn=Users,dc=domain,dc=com"
> ldapbindpass secretpass
> ldapcachetime 300
> ldapprotover 3
>
>
> src Allowed_Top_Mgmt {
> ldapusersearch "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
> }
>
> dest ads {
> domainlist ads/domains
> urllist ads/urls
> redirect http://192.168.100.195/blocked.html
> }
> acl {
> Allowed-Top-Mgmt {
> pass !ads all
> redirect http://192.168.100.195/blocked.html
> }
> default {
> pass none
> redirect http://192.168.100.195/blocked.html
> }
> }
>
> My squidguard logs have these messages.
>
>
> [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter
> (params: dc=domain,dc=com, 2, (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group Accounts,dc=domain,dc=com)), sAMAccountName)
> [30393] Added LDAP source: domain%5cpeter.hank
> [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank
>
> The user peter.hank is unable to access anything, and no user from any
> other group can access anything either. peter.hank is a member of the
> group defined above; I have cross-checked it.

I think the problem is with the filter: Squid is passing the user as
domain\username, which is not recognized by squidGuard as a valid user. You
need to apply the patch suggested by Mathieu Parent; search the squidGuard
list archive for the topic:
[Squidguard] Fwd: Stripping NT domain name or Kerberos Realm from user name

For more info, ask on the squidGuard mailing list.

Best regards.
>
> Please do give me some ways to test ldapuser. Some pointers would even work.
>
> Thanks

-- 
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jmedina_at_e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6  D3AF C574 8422 28E4 0632

Received on Wed Mar 23 2011 - 18:42:02 MDT
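Added example, not squidGuard's code and not the patch Jorge refers to: the script below parses the ldapusersearch URL from the posted config, substitutes the user name the log shows Squid handing over, and checks the resulting filter the way an LDAP library would before sending it. It then shows the two normalisations a fix needs: stripping the NT domain or Kerberos realm from the user name, and RFC 4515-escaping whatever is left before it goes into the filter. The LDAP URL is copied from the config above; the sample user names are constructed. Separately, note that in the posted config the src block is named Allowed_Top_Mgmt while the acl block refers to Allowed-Top-Mgmt; squidGuard matches those names literally, so that mismatch would need fixing as well.

```python
"""
Added example (not squidGuard's code, not Mathieu Parent's patch): shows why
"domain\\peter.hank" makes squidGuard's ldapusersearch fail with "Bad search
filter", and what normalising the user name before substitution changes.
"""
import re
from urllib.parse import unquote

# ldapusersearch URL as posted in the config above.
LDAP_URL = (
    "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?"
    "(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users"
    "%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
)

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion
# value.  A backslash followed by anything other than two hex digits is a
# syntax error, which is exactly what "\pe" in the logged filter is.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX_ESCAPE = re.compile(r"\\[0-9A-Fa-f]{2}")


def parse_ldap_url(url: str) -> dict:
    """Split an RFC 4516 LDAP URL into host, base DN, attributes, scope and
    filter, percent-decoding each part (squidGuard decodes %2c and %20 the
    same way before it substitutes %s, as the log shows)."""
    _scheme, rest = url.split("://", 1)
    hostport, _, path = rest.partition("/")
    base, attrs, scope, filt = (path.split("?") + [""] * 4)[:4]
    return {
        "host": hostport,
        "base": unquote(base),
        "attrs": unquote(attrs).split(",") if attrs else [],
        "scope": scope or "base",
        "filter": unquote(filt),
    }


def strip_realm(user: str) -> str:
    """Reduce 'DOMAIN\\user' (NTLM) or 'user@REALM' (Kerberos) to the bare
    account name, the normalisation the squidGuard list thread proposes."""
    if "\\" in user:
        user = user.rsplit("\\", 1)[1]
    if "@" in user:
        user = user.split("@", 1)[0]
    return user


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def filter_is_well_formed(filt: str) -> bool:
    """Minimal syntax check an LDAP library would also fail on: balanced
    unescaped parentheses and every backslash followed by two hex digits."""
    depth, i = 0, 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":
            if not _HEX_ESCAPE.match(filt, i):
                return False
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0 and filt.startswith("(")


def build_filter(template: str, user: str, strip: bool = True, escape: bool = True) -> str:
    """Substitute the user into the %s placeholder of the ldapusersearch
    filter, optionally normalising and escaping it first."""
    if strip:
        user = strip_realm(user)
    if escape:
        user = escape_filter_value(user)
    return template.replace("%s", user)


def demo(user: str = "domain\\peter.hank") -> dict:
    """Build the filter three ways for the user name seen in the log."""
    template = parse_ldap_url(LDAP_URL)["filter"]
    raw = build_filter(template, user, strip=False, escape=False)  # what the log shows
    escaped_only = build_filter(template, user, strip=False)       # valid, but matches nothing
    fixed = build_filter(template, user)                           # what a fix should send
    return {
        "raw": raw, "raw_ok": filter_is_well_formed(raw),
        "escaped_only": escaped_only, "escaped_only_ok": filter_is_well_formed(escaped_only),
        "fixed": fixed, "fixed_ok": filter_is_well_formed(fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it, the "raw" entry reproduces the filter from the log and is flagged as malformed; "escaped_only" is syntactically valid but asks the directory for a literal sAMAccountName of domain\peter.hank, which no account has, so the user still matches no src; "fixed" is the filter that can match. The syntax check alone is not a sufficient test: a user such as domain\abby yields "\ab", a valid hex escape, so that filter parses cleanly and simply searches for the wrong value. Stripping the realm before escaping avoids both failure modes.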

This archive was generated by hypermail 2.2.0 : Thu Mar 24 2011 - 12:00:04 MDT