LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   SquidGuard - Ldap doesnt filter users (http://www.linuxquestions.org/questions/linux-server-73/squidguard-ldap-doesnt-filter-users-870044/)

kool_kid 03-21-2011 03:09 PM

SquidGuard - Ldap doesnt filter users
 
Hi,

I have a setup of squid3 with ntlm authen and I use squidGuard 1.5 to filter my web traffic.

My squid3 is authenticating users properly and parsing all rules. The problem is with squidguard which doesn't seem to filter out users. below is my squidguard config.


Code:

dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log
ldapbinddn      "cn=Ldap,cn=Users,dc=domain,dc=com"
ldapbindpass    secretpass
ldapcachetime  300
ldapprotover    3


src Allowed_Top_Mgmt {
        ldapusersearch  "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
}

dest ads {
    domainlist  ads/domains
    urllist    ads/urls
    redirect http://192.168.100.195/blocked.html
}
acl {
    Allowed-Top-Mgmt {
        pass !ads all
        redirect http://192.168.100.195/blocked.html
        }
    default {
        pass none
        redirect http://192.168.100.195/blocked.html
        }
}

My squidguard logs have these messages.

Code:

  [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter (params: dc=domain,dc=com, 2, (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group Accounts,dc=domain,dc=com)), sAMAccountName)
2011-03-21 18:44:51 [30393] Added LDAP source: domain%5cpeter.hank
2011-03-21 18:44:51 [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank

peter.hank user is unable to access anything or any other user from other group is not able to access anything. Peter.hank is a member of the above defined group, I have cross checked it.
Please do give me some ways to test ldapuser. Some pointers would even work.

Thanks

kool_kid 03-23-2011 03:21 PM

This was happening because squidGuard was parsing my login ID as DOMAIN%5cUSERNAME. Yeah, "\" was converted into %5c. With this format ldap was unable to search users and hence apply default acl for all users.


I applied this patch by Mat (Thanks mate) and recompiled squidGuard and added 2 lines (mentioned below) in squidGuard.conf after recompilation.

http://www.shalla.de/mailman/private...er/001896.html

stripntdomain true
striprealm true

Zetec 03-23-2011 04:08 PM

That's a nice find. I always found squid with LDAP a little funny. May have to have another go at it. :D

kool_kid 03-23-2011 04:25 PM

I was on a verge to ditch it as well lol. But all is good, I always have a soft corner for squid and squidguard :)


All times are GMT -5. The time now is 03:09 AM.