Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to dansguardian auth with ldap

    Scheduled Pinned Locked Moved pfSense Packages
    15 Posts 3 Posters 5.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      gdy1039
      last edited by

      @SGTR:

      Hi,

      You should look http://forum.pfsense.org/index.php/topic,58700.0.html it will give you an idea.

      Regards,
      SGTR

      Glad to see your reply
      I saw that tips
      but,I try to do like that tip  for a month of Sundays., but not success.
      I found now squid have integrate some many auth plugin
      for example:basic_ldap_auth、ntlm_fake_auth 、 ntlm_smb_lm_auth and negotiate_kerberos_auth
      now I can auth though basic_ldap_auth in squid, it's very easy.
      just one line auth config, and 4 line relate config.

      so I can't understand that tips still use so many many third part lib,and so many many config

      1 Reply Last reply Reply Quote 0
      • G
        gdy1039
        last edited by

        I am in pfsense 2.0.2 + dansguardian + squid 3+win2003 AD

        I know how to use basic auth in squid,but don't know how to wok in dansguardian.
        I try to add a ldap in dansguardian,then add a group name's "Administrator". I can't add a group like "domain user",but most of my account is in that AD group.
        then run the command

        php /usr/local/www/dansguardian_ldap.php
        

        it return a error

        Warning:ldap_bind(): Unable to bind to server: invalid credentials in /usr/local/www/dansguardian_ldap.php on line 65

        1 Reply Last reply Reply Quote 0
        • G
          gdy1039
          last edited by

          I just add this line below,then the squid is work with basic auth in pfsense, and authen by win2003AD

          when client access web, input AD login and password correct, then they can pass.

          auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=jian,dc=com" -D "cn=squid,cn=Users,dc=jian,dc=com" -w "Admin@8888" -f sAMAccountName=%s -h jxad.jian.com
          auth_param basic children 5
          auth_param basic realm jian.com
          auth_param basic credentialsttl 60 minute

          acl ldap-auth proxy_auth REQUIRED

          http_access allow ldap-auth
          http_access allow localhost

          And finally deny all other access to this proxy

          http_access deny all

          and then I chose "Proxy-basic" authentication in dansguardian.
          refer  tips stip step 18 to 21,
          http://forum.pfsense.org/index.php/topic,58700.15.html
          then the add a ldap like this

          hostname=jian.com
          dc=jian,dc=com
          cn=squid,ou=Users
          password=Admin@8888
          mask=User

          the squid account is ou=users,group=users(bulid in)

          make a group in dansguardian name "users"

          after I do this,the users group won't update the user's list

          run the command

          php /usr/local/www/dansguardian_ldap.php
          

          it return a error

          Warning:ldap_bind(): Unable to bind to server: invalid credentials in /usr/local/www/dansguardian_ldap.php on line 65
          

          if who know why please tell me,thanks.

          1 Reply Last reply Reply Quote 0
          • marcellocM
            marcelloc
            last edited by

            Try user@ domain instead of cn=user,CN=domain

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • G
              gdy1039
              last edited by

              hi,glad to see your reply

              I change dansguardian ldap like this

              hostname:jian.com
              domain:dc=jian,dc=com
              username:squid@jian.com
              password:Admin@8888
              mask:User

              run again

              /usr/local/etc/dasr/local/www/dansguardian_ldap.php

              it return

              Content-type: text/html

              Group : users
              User list from LDAP is already the same as current group, no changes made

              1:what does it mean?and how to correct
              2:what is use for option "mask"?

              1 Reply Last reply Reply Quote 0
              • G
                gdy1039
                last edited by

                if I delete all group in dansguardian,just left default
                it return the same

                Content-type: text/html

                User list from LDAP is already the same as current group, no changes made

                if I create a dansguardian group name "cccc",that's a group not in AD.
                and check the ldap what I create before in group "cccc"
                run the dansguardian_ldap.php again.
                but is still said "same as current group"
                I seem's a bug?

                1 Reply Last reply Reply Quote 0
                • G
                  gdy1039
                  last edited by

                  when I update the ldap like

                  hostname:jian.com
                  domain:dc=jian,dc=com
                  username:squid@jian.com
                  password:Admin@8888
                  mask:User

                  and then I create a global group name "g1" instead of use build in group "users" in AD
                  then create group "g1" in dansguardian
                  it work!
                  the user list is update.

                  thanks marcelloc!

                  1 Reply Last reply Reply Quote 0
                  • G
                    gdy1039
                    last edited by

                    I still get a problem
                    if i access the squid port it will prompt login and password,if correct pass
                    if I access the dansguardian,explorer direct prompt "cache access deny,until you have authenticated yourself. "

                    who know how to correct this?

                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      @gdy1039:

                      who know how to correct this?

                      Configure dansguardian auth to pass to squid on general tab -> auth plugin.

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      1 Reply Last reply Reply Quote 0
                      • G
                        gdy1039
                        last edited by

                        I found the problem
                        infact my test should be

                        1:if i access the squid port3128 it will prompt login and password,if correct pass

                        2:if i access the dansguardian port8080 it will prompt login and password,if correct pass

                        3:if I make a nat redirect any port to 8080 in pfsense, the in explorer access default port 80. It will direct prompt deny access.

                        I am trying correct this.

                        and other thing.

                        1:I direct input username in dansguardian user's tab, dansguardian also work.so if just have few user,we can direct input instead of add a ldap. Right?
                        2:I add the ldap and run dansguardian_ldap.php success. and then delete the username in user's tab, after 2 minute it will not update automatic.

                        Dear marcelloc, are you here? ;D

                        1 Reply Last reply Reply Quote 0
                        • marcellocM
                          marcelloc
                          last edited by

                          @gdy1039:

                          if I make a nat redirect any port to 8080 in pfsense, the in explorer access default port 80. It will direct prompt deny access.

                          I am trying correct this.

                          Authentication does not work with transparent proxy. Use proxy pac/wpad to configure client browsers.

                          @gdy1039:

                          1:I direct input username in dansguardian user's tab, dansguardian also work.so if just have few user,we can direct input instead of add a ldap. Right?

                          Yes

                          @gdy1039:

                          2:I add the ldap and run dansguardian_ldap.php success. and then delete the username in user's tab, after 2 minute it will not update automatic.

                          what update frequency did you configured for ldap fetch?

                          Treinamentos de Elite: http://sys-squad.com

                          Help a community developer! ;D

                          1 Reply Last reply Reply Quote 0
                          • G
                            gdy1039
                            last edited by

                            @marcelloc:

                            @gdy1039:

                            if I make a nat redirect any port to 8080 in pfsense, the in explorer access default port 80. It will direct prompt deny access.

                            I am trying correct this.

                            Authentication does not work with transparent proxy. Use proxy pac/wpad to configure client browsers.

                            In that case,the topology is: web request –> nat(80 redirect to 8080) --> dansguardian(8080) -->squid(3128) --> pfsense nat --> internet
                            so I have not set the transparent proxy in squid.
                            I make this config is want to zero config in client.

                            1 Reply Last reply Reply Quote 0
                            • marcellocM
                              marcelloc
                              last edited by

                              web request –> nat(80 redirect to 8080) = transparent proxy

                              Treinamentos de Elite: http://sys-squad.com

                              Help a community developer! ;D

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.