How to dansguardian auth with ldap

marcelloc

Try user@ domain instead of cn=user,CN=domain

gdy1039

hi,glad to see your reply

I change dansguardian ldap like this

hostname:jian.com
domain:dc=jian,dc=com
username:squid@jian.com
password:Admin@8888
mask:User

run again

/usr/local/etc/dasr/local/www/dansguardian_ldap.php

it return

Content-type: text/html

Group : users
User list from LDAP is already the same as current group, no changes made

1:what does it mean?and how to correct
2:what is use for option "mask"?

gdy1039

if I delete all group in dansguardian,just left default
it return the same

Content-type: text/html

User list from LDAP is already the same as current group, no changes made

if I create a dansguardian group name "cccc",that's a group not in AD.
and check the ldap what I create before in group "cccc"
run the dansguardian_ldap.php again.
but is still said "same as current group"
I seem's a bug?

gdy1039

when I update the ldap like

hostname:jian.com
domain:dc=jian,dc=com
username:squid@jian.com
password:Admin@8888
mask:User

and then I create a global group name "g1" instead of use build in group "users" in AD
then create group "g1" in dansguardian
it work!
the user list is update.

thanks marcelloc!

gdy1039

I still get a problem
if i access the squid port it will prompt login and password,if correct pass
if I access the dansguardian,explorer direct prompt "cache access deny,until you have authenticated yourself. "

who know how to correct this?

marcelloc

@gdy1039:

who know how to correct this?

Configure dansguardian auth to pass to squid on general tab -> auth plugin.

gdy1039

I found the problem
infact my test should be

1:if i access the squid port3128 it will prompt login and password,if correct pass

2:if i access the dansguardian port8080 it will prompt login and password,if correct pass

3:if I make a nat redirect any port to 8080 in pfsense, the in explorer access default port 80. It will direct prompt deny access.

I am trying correct this.

and other thing.

1:I direct input username in dansguardian user's tab, dansguardian also work.so if just have few user,we can direct input instead of add a ldap. Right?
2:I add the ldap and run dansguardian_ldap.php success. and then delete the username in user's tab, after 2 minute it will not update automatic.

Dear marcelloc, are you here? ;D

marcelloc

@gdy1039:

if I make a nat redirect any port to 8080 in pfsense, the in explorer access default port 80. It will direct prompt deny access.

I am trying correct this.

Authentication does not work with transparent proxy. Use proxy pac/wpad to configure client browsers.

@gdy1039:

1:I direct input username in dansguardian user's tab, dansguardian also work.so if just have few user,we can direct input instead of add a ldap. Right?

Yes

@gdy1039:

2:I add the ldap and run dansguardian_ldap.php success. and then delete the username in user's tab, after 2 minute it will not update automatic.

what update frequency did you configured for ldap fetch?

gdy1039

@marcelloc:

@gdy1039:

if I make a nat redirect any port to 8080 in pfsense, the in explorer access default port 80. It will direct prompt deny access.

I am trying correct this.

Authentication does not work with transparent proxy. Use proxy pac/wpad to configure client browsers.

In that case,the topology is: web request –> nat(80 redirect to 8080) --> dansguardian(8080) -->squid(3128) --> pfsense nat --> internet
so I have not set the transparent proxy in squid.
I make this config is want to zero config in client.

marcelloc

web request –> nat(80 redirect to 8080) = transparent proxy