Hi there,
I've just set up a squid box with Active Directory authentication. I have:
- Windows 2003 R2 with Active Directory
- CentOS 5.4 with
-- Squid 2.6
-- SquidGuard 1.3.1 patched with LDAP support
Here are my configurations:
squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid AD
auth_param basic credentialsttl 2 hour
acl auth proxy_auth REQUIRED
visible_hostname squid
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl LAB src 10.30.64.0/24
acl LAN src 192.168.2.0/23
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow LAB auth
http_access allow LAN auth
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid
# SquidGuard directives
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
url_rewrite_children 10
squidguard.conf:
dbhome /var/lib/squidguard
logdir /var/log/squidguard
ldapbinddn cn=Administrateur,cn=Users,dc=lab,dc=local
ldapbindpass password
src user_full {
ldapusersearch ldap://10.30.64.201/CN=Users,DC=lab,DC=local?sAMAccountName?sub?(&(objectClass=Person)(sAMAccountName=%s))
}
src user_restreint {
ldapusersearch ldap://10.30.64.201/OU=Utilisateurs,OU=LAB,DC=lab,DC=local?sAMAccountName?sub?(&(objectClass=Person)(sAMAccountName=%s)
}
destination whitelist {
domainlist whitelist.destdomainlist
}
acl {
user_full {
pass all
}
user_restreint {
pass whitelist none
redirect
http://10.30.64.40/cgi-bin/squidGuar...lass=%t&url=%u
}
default {
pass none
redirect
http://10.30.64.40/cgi-bin/squidGuar...lass=%t&url=%u
log default.log
}
}
My Active Directory structure:
- lab.local (DC root)
-- Users (simple group)
--- Administrateur (user)
-- LAB (OU)
--- Utilisateurs (OU)
---- jdoe (sAMAccountName)
From the DC machine, logged in as Administrateur, I can surf all over the web, as defined in squidguard.conf.
From an XP machine, logged in as jdoe, whatever HTTP request I send, I'm always blocked with the proper CGI. In squidguard.log I have this:
2011-01-11 23:14:29 [32285] debug : sgFindUser called with: jdoe
2011-01-11 23:14:29 [32285] Added LDAP source: jdoe
2011-01-11 23:14:29 [32285] debug : sgFindUser called with: jdoe
2011-01-11 23:14:29 [32285] (squidGuard): ldap_search_ext_s failed: Bad search filter (params: OU=Utilisateurs,OU=LAB,DC=lab,DC=local, 2, (&(objectClass=Person)(sAMAccountName=jdoe), sAMAccountName)
2011-01-11 23:14:29 [32285] Added LDAP source: jdoe
2011-01-11 23:14:29 [32285] debug : sgFindUser called with: jdoe
2011-01-11 23:14:29 [32285] debug : sgFindUser called with: jdoe
I can't see what the problem is with the LDAP request; could anyone help me?
Regards
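The "Bad search filter" line in the log above is what the LDAP library reports when the filter it receives is malformed. As an added example (not part of the post, and not squidGuard's own code), the Python lint below pulls every `ldapusersearch` URL out of a squidguard.conf, splits the RFC 4516 URL into base/attributes/scope/filter, and checks that the filter's parentheses balance; run against the two `ldapusersearch` lines from the post (embedded as a constructed sample) it flags the second one, whose filter is missing its final `)`.

```python
import re

# Constructed sample: the two ldapusersearch lines from the post above.
SAMPLE_CONF = """\
src user_full {
ldapusersearch ldap://10.30.64.201/CN=Users,DC=lab,DC=local?sAMAccountName?sub?(&(objectClass=Person)(sAMAccountName=%s))
}
src user_restreint {
ldapusersearch ldap://10.30.64.201/OU=Utilisateurs,OU=LAB,DC=lab,DC=local?sAMAccountName?sub?(&(objectClass=Person)(sAMAccountName=%s)
}
"""

def split_ldap_url(url):
    """Split an RFC 4516 LDAP URL into (base, attrs, scope, filter).
    Only the part after the host is used; absent fields become ''."""
    path = url.split("/", 3)[3] if url.count("/") >= 3 else ""
    parts = path.split("?")
    parts += [""] * (4 - len(parts))
    return tuple(parts[:4])

def filter_paren_depth(flt):
    """Final nesting depth of an LDAP filter: 0 means balanced, >0 means
    unclosed '(' remain, <0 means a stray ')'. Backslash-escaped
    parentheses (RFC 4515 escaping) are skipped and do not count."""
    depth, i = 0, 0
    while i < len(flt):
        ch = flt[i]
        if ch == "\\":
            i += 2  # skip the escaped character
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return depth
        i += 1
    return depth

def check_ldapusersearch(conf_text):
    """Return (line_no, filter, depth) for each ldapusersearch line whose
    search filter is not balanced; an empty list means all filters parse."""
    problems = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*ldapusersearch\s+(ldap[si]?://\S+)", line)
        if not m:
            continue
        _base, _attrs, _scope, flt = split_ldap_url(m.group(1))
        depth = filter_paren_depth(flt)
        if depth != 0:
            problems.append((n, flt, depth))
    return problems
```

Running `check_ldapusersearch(open("/etc/squid/squidguard.conf").read())` before reloading squid catches this class of error without waiting for a user to be denied.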