Hi there,

I've just setup a squid-box with an Active Directory authentication. I have :
- Windows 2003 R2 with Active Directory
- CentOS 5.4 with
-- Squid 2.6
-- SquidGuard 1.3.1 patched with LDAP support

Here's my configurations :

squid.conf :

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid AD
auth_param basic credentialsttl 2 hour

acl auth proxy_auth REQUIRED

visible_hostname squid
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl LAB src 10.30.64.0/24
acl LAN src 192.168.2.0/23
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow LAB auth
http_access allow LAN auth
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid
# SquidGuard directives
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
url_rewrite_children 10


Squidguard.conf :

dbhome /var/lib/squidguard
logdir /var/log/squidguard

ldapbinddn cn=Administrateur,cn=Users,dc=lab,dc=local
ldapbindpass password

src user_full {
ldapusersearch ldap://10.30.64.201/CN=Users,DC=lab,DC=local?sAMAccountName?sub?(&(objectClass=Person)(sAMAccountName=%s))
}

src user_restreint {
ldapusersearch ldap://10.30.64.201/OU=Utilisateurs,OU=LAB,DC=lab,DC=local?sAMAccountName?sub?(&(objectClass=Person)(sAMAccountName=%s)
}

destination whitelist {
domainlist whitelist.destdomainlist
}

acl {
user_full {
pass all
}
user_restreint {
pass whitelist none
redirect http://10.30.64.40/cgi-bin/squidGuar...lass=%t&url=%u
}
default {
pass none
redirect http://10.30.64.40/cgi-bin/squidGuar...lass=%t&url=%u
log default.log
}
}

My Active Directory structure :
- lab.local (DC root)
-- Users (simple group)
--- Administrateur (user)
-- LAB (UO)
--- Utilisateurs (UO)
---- jdoe (sAMAccountName)

From the DC machine logged with administrateur, I can surf all over the web as it's definied in the squidguard.conf.
From a XP machine logged with jdoe, whatever the http request I send, I'm always blocked qith the proper CGI. In the squidguard.log I have that :

2011-01-11 23:14:29 [32285] debug : sgFindUser called with: jdoe
2011-01-11 23:14:29 [32285] Added LDAP source: jdoe
2011-01-11 23:14:29 [32285] debug : sgFindUser called with: jdoe
2011-01-11 23:14:29 [32285] (squidGuard): ldap_search_ext_s failed: Bad search filter (params: OU=Utilisateurs,OU=LAB,DC=lab,DC=local, 2, (&(objectClass=Person)(sAMAccountName=jdoe), sAMAccountName)
2011-01-11 23:14:29 [32285] Added LDAP source: jdoe
2011-01-11 23:14:29 [32285] debug : sgFindUser called with: jdoe
2011-01-11 23:14:29 [32285] debug : sgFindUser called with: jdoe

I can't see what's the problem with the LDAP request, anyone could help me ?

Regards

Did you manage to work this out?
I have the same problem .
Thanks

Hi zsoltrenyi,

Yes I made it work. I've juste used a new syntaxe in the squidguard.conf :

src user_full {
ldapusersearch ldap://1.1.1.1:3268/dc=lab,dc=local?sAMAccountName?sub?(&(memberof=CN=internet_full%2cCN=Users%2cDC=lab%2cDC=local)(sAMA ccountName=%s))


With the Active Directory structure like the Folowing :

- DC = lab.local
-- CN = Users
--- CN = internet_full (group)

For binaries version :

Squid : squid-2.6.STABLE21-6.el5
SquidGuard : SquidGuard: 1.3.1 Berkeley DB 4.6.21: (September 27, 2007) WITHOUT LDAP PATCH !
Samba : samba-3.0.33-3.29.el5_5.1

Hope this will help.

Regards,
Pierre

I'm also configuring squidguard to use ldapsearch but I'm having problems with squid <-> squidguard.
How did you activate the debug log on config?
I just get:

2011-03-17 15:04:18 [5163] INFO: squidGuard 1.5-alpha started (1300374258.106)
2011-03-17 15:04:18 [5163] INFO: recalculating alarm in 5142 seconds
2011-03-17 15:04:18 [5163] INFO: squidGuard ready for requests (1300374258.123)

Thanks!

Still no debug but for the record, permissions were wrong on the log file of squidGuard so I did a:
So now I get output log from squidGuard when it's started from squid.