LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 03-21-2011, 02:09 PM   #1
kool_kid
Member
 
Registered: Sep 2004
Location: Dubai, UAE
Distribution: RHL
Posts: 350

Rep: Reputation: 30
SquidGuard - Ldap doesnt filter users


Hi,

I have a setup of squid3 with ntlm authen and I use squidGuard 1.5 to filter my web traffic.

My squid3 is authenticating users properly and parsing all rules. The problem is with squidguard which doesn't seem to filter out users. below is my squidguard config.


Code:
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log
ldapbinddn      "cn=Ldap,cn=Users,dc=domain,dc=com"
ldapbindpass    secretpass
ldapcachetime   300
ldapprotover    3


src Allowed_Top_Mgmt {
         ldapusersearch  "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
}

dest ads {
    domainlist  ads/domains
    urllist     ads/urls
    redirect http://192.168.100.195/blocked.html
}
acl {
    Allowed-Top-Mgmt {
        pass !ads all
        redirect http://192.168.100.195/blocked.html
        }
    default {
        pass none
        redirect http://192.168.100.195/blocked.html
        }
}
My squidguard logs have these messages.

Code:
   [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter (params: dc=domain,dc=com, 2, (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group Accounts,dc=domain,dc=com)), sAMAccountName)
2011-03-21 18:44:51 [30393] Added LDAP source: domain%5cpeter.hank
2011-03-21 18:44:51 [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank
peter.hank user is unable to access anything or any other user from other group is not able to access anything. Peter.hank is a member of the above defined group, I have cross checked it.
Please do give me some ways to test ldapuser. Some pointers would even work.

Thanks

Last edited by kool_kid; 03-23-2011 at 02:22 PM. Reason: SOLVED
 
Old 03-23-2011, 02:21 PM   #2
kool_kid
Member
 
Registered: Sep 2004
Location: Dubai, UAE
Distribution: RHL
Posts: 350

Original Poster
Rep: Reputation: 30
This was happening because squidGuard was parsing my login ID as DOMAIN%5cUSERNAME. Yeah, "\" was converted into %5c. With this format ldap was unable to search users and hence apply default acl for all users.


I applied this patch by Mat (Thanks mate) and recompiled squidGuard and added 2 lines (mentioned below) in squidGuard.conf after recompilation.

http://www.shalla.de/mailman/private...er/001896.html

stripntdomain true
striprealm true
 
Old 03-23-2011, 03:08 PM   #3
Zetec
Member
 
Registered: Jul 2006
Distribution: Debian, Ubuntu, W7, openSUSE, Centos
Posts: 152

Rep: Reputation: 25
That's a nice find. I always found squid with LDAP a little funny. May have to have another go at it.
 
Old 03-23-2011, 03:25 PM   #4
kool_kid
Member
 
Registered: Sep 2004
Location: Dubai, UAE
Distribution: RHL
Posts: 350

Original Poster
Rep: Reputation: 30
I was on a verge to ditch it as well lol. But all is good, I always have a soft corner for squid and squidguard
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SquidGuard & LDAP authentication problem Kr4z Linux - Networking 4 03-18-2011 02:53 PM
[SOLVED] SquidGuard LDAP authentication with Active Directory okcomputer44 Linux - Networking 2 11-14-2010 05:30 PM
Dansguardian/SquidGuard - Web Filter/ Squid metallica1973 Linux - Security 12 10-24-2009 04:03 PM
squidguard authen ldap problem? moochachiro Linux - Server 0 01-08-2008 10:53 PM
squid + ldap or squidguard + ldap or both ?? hackintosh Linux - Server 0 09-18-2007 04:36 AM


All times are GMT -5. The time now is 04:56 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration