Re: [squid-users] Re: SquidGuard - Ldap doesnt filter users

From: Go Wow <gowows_at_gmail.com>
Date: Wed, 23 Mar 2011 17:27:10 +0400

Thanks for your help

We cannot do anything on squid side to fix this, like while passing
the username to squidguard, we strip the " domain\ " part and pass
only username.

On 23 March 2011 15:42, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 23/03/11 22:25, Go Wow wrote:
>>
>> Hi,
>>
>>  I have observed that squid3 when used with ntlm, passes the AD
>> username to squidguard in the below format
>>
>>  DOMAIN%5cUSERNAME
>>
>> %5c represents " \ ". How do we overcome this, because squidguard is
>> trying to find username with the above format and of course it's
>> failing.
>>
>
> Yes, usernames are URL-encoded to avoid binary and other reserved characters
> like escape-\ which people seem to like putting in there.
>
> You need to contact the squidGuard people.
>
> Amos
>
>>
>> Any workaround for this? I tried adding winbind seperator = \ in
>> smb.conf but still no luck,
>>
>>
>>
>> On 21 March 2011 23:17, Go Wow<gowows_at_gmail.com>  wrote:
>>>
>>> Hi,
>>>
>>> I have a setup of squid3 with ntlm authen and I use squidGuard 1.5 to
>>> filter my web traffic. I know this is not a right place to post it, I
>>> guess squidguard dev team is busy enhancing the product. Looking for
>>> help from you guys.
>>>
>>> My squid3 is authenticating users properly and parsing all rules. The
>>> problem is with squidguard which doesn't seem to filter out users.
>>> Below is my squidguard config.
>>>
>>>
>>> dbhome /usr/local/squidGuard/db
>>> logdir /usr/local/squidGuard/log
>>> ldapbinddn      "cn=Ldap,cn=Users,dc=domain,dc=com"
>>> ldapbindpass    secretpass
>>> ldapcachetime   300
>>> ldapprotover    3
>>>
>>>
>>> src Allowed_Top_Mgmt {
>>>         ldapusersearch "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
>>> }
>>>
>>> dest ads {
>>>    domainlist  ads/domains
>>>    urllist     ads/urls
>>>    redirect http://192.168.100.195/blocked.html
>>> }
>>> acl {
>>>    Allowed-Top-Mgmt {
>>>        pass !ads all
>>>        redirect http://192.168.100.195/blocked.html
>>>        }
>>>    default {
>>>        pass none
>>>        redirect http://192.168.100.195/blocked.html
>>>        }
>>> }
>>>
>>> My squidguard logs have these messages.
>>>
>>>
>>> [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter (params: dc=domain,dc=com, 2, (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group Accounts,dc=domain,dc=com)), sAMAccountName)
>>> [30393] Added LDAP source: domain%5cpeter.hank
>>> [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank
>>>
>>> peter.hank user is unable to access anything or any other user from
>>> other group is not able to access anything. Peter.hank is a member of
>>> the above defined group, I have cross checked it.
>>>
>>>
>>> Please do give me some ways to test ldapuser. Some pointers would even
>>> work.
>>>
>>> Thanks
>>>
>
>
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.11
>  Beta testers wanted for 3.2.0.5
>
Received on Wed Mar 23 2011 - 13:27:18 MDT
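
Added example (not code from this thread, from Squid, or from squidGuard): the "Bad search filter" in the quoted log is consistent with RFC 4515, where a backslash inside a filter value must be followed by two hex digits, so `domain\peter.hank` is not a valid assertion value. The sketch below percent-decodes the login, strips the domain part as asked about above, and escapes the result before it is substituted into the filter. The function names and the idea of a wrapper helper in front of squidGuard are assumptions, and the helper line layout `URL ip/fqdn ident method` is assumed to be in use without a concurrency channel ID.

```python
from urllib.parse import quote, unquote

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Filter from the quoted config, written in its decoded form (as seen in the log).
FILTER_TEMPLATE = ("(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users,"
                   "ou=Group Accounts,dc=domain,dc=com))")

def normalize_login(raw):
    """Percent-decode the login Squid sends and drop a leading DOMAIN\\ part."""
    return unquote(raw).rsplit("\\", 1)[-1]

def ldap_escape(value):
    """Escape a value so it is safe and valid inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template, raw_login, strip_domain=True):
    """Substitute the login into the filter, always escaping it first."""
    login = normalize_login(raw_login) if strip_domain else unquote(raw_login)
    return template.replace("%s", ldap_escape(login))

def rewrite_helper_line(line):
    """Hypothetical wrapper step: normalise the ident field of one helper line
    before handing the line on to squidGuard."""
    fields = line.rstrip("\n").split(" ")
    if len(fields) >= 4 and fields[2] != "-":
        # Re-encode so the field stays a single space-free token.
        fields[2] = quote(normalize_login(fields[2]), safe="")
    return " ".join(fields)

if __name__ == "__main__":
    # Constructed sample input, modelled on the login shown in the log above.
    sample = "http://example.com/ 192.168.100.10/- domain%5cpeter.hank GET"
    print(rewrite_helper_line(sample))
    print(build_filter(FILTER_TEMPLATE, "domain%5cpeter.hank"))
    # Keeping the domain still yields a valid filter once the backslash is escaped.
    print(build_filter(FILTER_TEMPLATE, "domain%5cpeter.hank", strip_domain=False))
```

Escaping applies whether or not the domain is stripped, since the login is client-supplied and characters such as `*`, `(` and `)` would otherwise change the meaning of the filter.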
