2012/5/23 Diersen, Dustyn [DAS] <DUSTYN.DIERSEN_at_iowa.gov>:
> I have squid running with SquidGuard using Active Directory for LDAP authentication. The problem I am seeing is the use of the AD attribute sAMAccountName for both userName and computerName. I thought I had a fix by adding sAMAccountType to my following squid_ldap_auth helper, but I am still seeing numerous computerNames rather than userNames being logged. The REAL problem is ACL matching, as I never know what I will be receiving from my users and do not wish to include computerName in my userlists. I have tested adding a couple of computerNames to the userlist which resolves blocked access messages for users with specialized access requirements.
>
> Here is my current LDAP helper string:
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b "dc=base,dc=domain,dc=in,dc=our,dc=AD" -s sub -D "BASE\\user" -W "/squidGuard/filename" -f "(&(&(objectCategory=person)(sAMAccountName=%s)(sAMAccountType=805306368)))" -u sAMAccountName -P -v3 -Hldap://domain.com
>
> I have been searching for a solution to this problem for more than a week, but have been unable to find one that works in my environment.
>
> -Dustyn
If you're using AD anyhow then why aren't you using kerberos (or
NTLMv2 [not safe anymore]) authentication? Then you generally get the
username, though I think I also by us seen computer names in the
username field which I think happens when there is a system process
trying to access the web for instance for updates....
Regards,
Eli
Received on Thu May 24 2012 - 07:27:00 MDT
This archive was generated by hypermail 2.2.0 : Thu May 24 2012 - 12:00:05 MDT