RE: [squid-users] computerName logged for sAMAccountName

From: Diersen, Dustyn [DAS] <DUSTYN.DIERSEN_at_iowa.gov>
Date: Thu, 24 May 2012 09:27:53 -0500

2012/5/23 Diersen, Dustyn [DAS] <DUSTYN.DIERSEN_at_iowa.gov>:
>> I have squid running with SquidGuard using Active Directory for LDAP
>> authentication. The problem I am seeing is the use of the AD attribute
>> sAMAccountName for both userName and computerName. I thought I had a fix by adding
>> sAMAccountType to my following squid_ldap_auth helper, but I am still seeing
>> numerous computerNames rather than userNames being logged. The REAL problem is ACL
>> matching, as I never know what I will be receiving from my users and do not wish to
>> include computerName in my userlists. I have tested adding a couple of
>> computerNames to the userlist which resolves blocked access messages for users with
>> specialized access requirements.
>> Here is my current LDAP helper string:
>> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b "dc=base,dc=domain,dc=in,dc=our,dc=AD" -s sub -D "BASE\\user" -W "/squidGuard/filename" -f "(&(&(objectCategory=person)(sAMAccountName=%s)(sAMAccountType=805306368)))" -u sAMAccountName -P -v3 -Hldap://domain.com
>> I have been searching for a solution to this problem for more than a week, but have
>> been unable to find one that works in my environment.
>> -Dustyn

> If you're using AD anyhow then why aren't you using kerberos (or
> NTLMv2 [not safe anymore]) authentication? Then you generally get the
> username, though I think I have also seen computer names in the
> username field here, which I think happens when there is a system process
> trying to access the web, for instance for updates....
>
> Regards,
> Eli

Hello Eli,
I do also have Kerberos defined, see below for entries. I need help figuring out where the computerNames are coming from. As I mentioned before, I thought I had eliminated the computerNames by the squid_ldap_auth helper above. I have more than 400 users (and growing) and would like to keep their userNames only in the userlists. When the computerName is logged, the end user ends up using the default ACL which is more restrictive on outbound browsing, resulting in trouble tickets to fix the problem.

auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth
auth_param negotiate children 30
auth_param negotiate keep_alive on
url_rewrite_program /squidGuard/redirector-id.pl
url_rewrite_children 8
url_rewrite_concurrency 10
acl AUTH proxy_auth REQUIRED

and here is the rest of my basic auth:
auth_param basic children 15
auth_param basic realm SquidGuard Authentication
auth_param basic credentialsttl 8 hours
http_access allow localnet
http_access allow AUTH

Thank you,
-Dustyn
Received on Thu May 24 2012 - 14:28:02 MDT
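As an added example (not from this thread, nor from squid or SquidGuard), here is a Python check for the symptom discussed above: it walks squid's native-format access.log, flags user-field values that are AD computer accounts (sAMAccountName ending in `$`, sAMAccountType 805306369, which the 805306368 filter in the helper above deliberately excludes), tolerating the `@REALM` suffix that squid_kerb_auth can append, and lists which client addresses produced them so the source of the machine-account logins can be traced. The log lines, hostnames and function names are constructed for this example.

```python
"""Classify the user field of squid access.log lines.

Added example for this thread; not part of squid or SquidGuard.
Assumes squid's native log format (user name is the eighth field).
AD computer accounts end in '$'; squid_kerb_auth may append '@REALM'.
"""
from collections import defaultdict
import re

# Constructed sample log lines (not from the poster's environment).
SAMPLE_LOG = """\
1337868473.042    120 10.1.2.30 TCP_MISS/200 5120 GET http://example.com/ jsmith DIRECT/93.184.216.34 text/html
1337868474.117     45 10.1.2.31 TCP_MISS/200 2048 GET http://update.example.net/ WS0142$@CORP.EXAMPLE DIRECT/93.184.216.35 application/octet-stream
1337868475.301      8 10.1.2.30 TCP_DENIED/407 1500 GET http://example.org/ - NONE/- text/html
1337868476.009    210 10.1.2.31 TCP_MISS/200 900 GET http://example.com/a WS0142$ DIRECT/93.184.216.34 text/html
"""

MACHINE_RE = re.compile(r"^[^@]+\$(@.+)?$")  # name$ or name$@REALM

def classify_user(field: str) -> str:
    """Return 'anonymous', 'machine' or 'user' for one user field."""
    if field == "-":
        return "anonymous"
    if MACHINE_RE.match(field):
        return "machine"
    return "user"

def parse_line(line: str):
    """Return (client_ip, user_field) for a native-format line, else None."""
    parts = line.split()
    if len(parts) < 8:
        return None
    return parts[2], parts[7]

def machine_logins_by_client(log_text: str) -> dict:
    """Map client IP -> sorted distinct machine-account names (realm stripped)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, user = parsed
        if classify_user(user) == "machine":
            seen[client].add(user.split("@", 1)[0])
    return {ip: sorted(names) for ip, names in seen.items()}

if __name__ == "__main__":
    for ip, names in machine_logins_by_client(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(names)}")
```

Pointing `machine_logins_by_client` at a real access.log shows which workstations are hitting the proxy under their computer account, which is where Eli's system-process explanation can be confirmed or ruled out.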

This archive was generated by hypermail 2.2.0 : Sat May 26 2012 - 12:00:04 MDT