Netgate Discussion Forum

    Squid + SquidGuard + AD

      nislink

      Sorry you are ahead of me at this point so I won't be of much help right now. I'm still in the testing phases of squid2, and haven't tried LDAP yet. I am wondering though, have you tested white-listing via the Access Control tab? I have a customer that wants to block everything, which is easy enough by setting everything to deny. I know, however, that they will eventually start wanting to allow a few sites here and there for work related purposes. Then, they will want LDAP setup so they can whitelist sites for managers and executives only (IP based won't work as they are on a TERM server). I am trying to stay ahead of the game so when I implement this I know everything will work as expected, however I can't get my test sites to load after they have been blocked by category (only the favicon comes through after white-listing). The categories and websites I tried were [Finance Insurance: esurance.com] and [webmail: hotmail.com]. Just interested in knowing if it's a setup issue, or a problem with Squid.

      Second question, how did your Squid 3 testing go? I downloaded the newest versions and the services did not want to start. Didn't spend too much time on this though as I didn't really want to implement a beta package into production anyway.

      As for your question I will be testing the LDAP setup in my lab this week, so at the very least I will be able to tell if I get the same results as you. I opened up a thread a week or two ago for my questions, but no replies yet :-( .  Good luck on getting this worked out! I will be posting back my LDAP results at some point this week.

        lgcosta

        Try using the Global Catalog port from AD:

        Reference: http://www.squidguard.org/Doc/ldap-ad-tips.html

        Luiz Gustavo - Suporte pfSense no Brasil
        mundounix.com.br

          hans2k6

          Hi,
          thx for your answer.

          AD is not working. But anyway.

          @nislink: you have to use squidguard for whitelisting. It is working fine.

            lgcosta

            First of all, I want to report that I found a bug in the squidGuard
            binary, which generates errors in queries.

            To do this, update the package failover by typing these two commands
            in sequence in the pfSense console or under Diagnostics > Command Prompt:

            ```
            pkg_delete squidGuard-1.4_4
            pkg_add -r http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
            ```

            Pay attention to the CPU architecture you use and select the
            correct package for that architecture:

            ```
            http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
            http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-i386/All/squidGuard-1.4_4.tbz
            ```

            Thus, the queries will have no more problems.

            Luiz Gustavo - Suporte pfSense no Brasil
            mundounix.com.br

              hans2k6

              Hi man!

              Thx! I will test it!

              rgds

                michlsuser

                @hans2k6:

                Hi all,

                after one week of configuration and googling and reading n tutorials I decided to annoy you :P.

                What do I want?
                A proxy with different access groups managed by Active Directory.

                Where is my problem?
                As long as I'm letting LDAP off in SquidGuard it's working fine.
                My groups are filtered by ip (just for testing to see if squidGuard is working).

                I also tested squid alone - to check AD. And it's working.
                When the user is in the AD group he gets unrestricted access. When not, he doesn't get any access.

                The problem occurred after turning on AD in squid guard. After that any user (after authentication against squid) gets full access and it seems like squid guard is ignoring all ACLs. Even the common default one.

                Even when I setup everything to deny anything it is completely open.

                can you maybe help me?

                my ldap search string in squid guard for group acl is:

                ldapusersearch ldap://192.168.0.1:389/DC=mydomain,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=mydomain%2cDC=local))

                on general tab it's:
                cn=administrator,cn=Users,dc=mydomain,dc=local
                Strip Kerberos Realm - enabled
                Strip NT domain - enabled

                Common ACL is:
                whitelist !all

                Now I have squid 2 and squid guard installed through the packages menu.

                I also reinstalled pfsense and tried the virtual alliance as well as squid3.

                Maybe you can help me.

                Many thanks + sorry for my English

                Having the same problem. Is there already a working solution?

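The `ldapusersearch` URL quoted in the post above, expanded for one login name so the resulting base DN, scope and filter can be checked against the directory. This is an added example, not part of the thread and not squidGuard's own code; it assumes `%s` stands for the login name after the two "Strip" options are applied, escapes the name per RFC 4515 as its own choice, and uses constructed login names.

```python
# Added example: expand a squidGuard-style ldapusersearch URL for one login name.
from urllib.parse import unquote

# Search URL as posted in the thread (mydomain.local is the poster's own domain).
SEARCH_URL = ("ldap://192.168.0.1:389/DC=mydomain,DC=local?sAMAccountName?sub?"
              "(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=mydomain%2cDC=local))")


def strip_login(login):
    """Model 'Strip NT domain' and 'Strip Kerberos Realm' (assumed behaviour)."""
    login = login.rsplit("\\", 1)[-1]   # DOMAIN\user -> user
    return login.split("@", 1)[0]       # user@REALM  -> user


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def expand_search(url, login):
    """Split the LDAP URL (RFC 4516 layout) and replace %s with the login name."""
    scheme, rest = url.split("://", 1)
    hostport, _, query = rest.partition("/")
    base, attrs, scope, flt = (query.split("?", 3) + [""] * 4)[:4]
    user = escape_filter_value(strip_login(login))
    # Decode %2c and friends around each %s placeholder, then splice the name in.
    flt = user.join(unquote(part) for part in flt.split("%s"))
    host, _, port = hostport.partition(":")
    return {"scheme": scheme, "host": host, "port": int(port or 389),
            "base": unquote(base),
            "attrs": [a for a in unquote(attrs).split(",") if a],
            "scope": scope or "base", "filter": flt}


if __name__ == "__main__":
    # Constructed login names: NT-style, Kerberos-style, and one with filter metacharacters.
    for login in ("MYDOMAIN\\alice", "alice@MYDOMAIN.LOCAL", "al*ce)(cn=*"):
        q = expand_search(SEARCH_URL, login)
        print(f"{login!r}: base={q['base']} scope={q['scope']} filter={q['filter']}")
```

The printed base, scope and filter can be pasted into an LDAP client to confirm that the group filter matches only members of the intended group.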
                  michlsuser

                  Sorry, my fault, now it works. thank you

                    michlsuser

                    @Luiz:

                    I just tried to use your updated package. Unfortunately I was told that there are some files missing on the server… (pkg_add -r http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz)

                    Could you upload the missing files?

                      akha666

                      plz help
                      after executing command
                      ```
                      pkg_add -r http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
                      ```
                      I got
                      ```
                      pkg_add: Command not found.
                      ```

                      try with
                      ```
                      pkg add  http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
                      Fetching squidGuard-1.4_4.tbz: 100%  47 KiB  47.9kB/s    00:01   
                      pkg: /tmp/squidGuard-1.4_4.tbz.XXXXX is not a valid package: no manifest found
                      ```

                      I downloaded this package, copied it to pfSense, entered the shell and ran

                      ```
                      pkg add squidGuard-1.4_4.tbz
                      pkg: squidGuard-1.4_4.tbz is not a valid package: no manifest found
                      ```

                      I'm on pfs 2.2, can you help me ???
                      I spent 3 weeks looking for the best workaround to get squidGuard to apply filters with AD Groups

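`pkg add` prints "no manifest found" when the archive carries no `+MANIFEST`, which is the case for packages built for the older `pkg_add` tools (those carry `+CONTENTS` instead). The following added example, not part of the thread, classifies an archive by those member names and returns its SHA-256, so a file fetched over plain HTTP can be compared with a digest obtained from its publisher. The archives are constructed in memory, and the thread itself publishes no digest.

```python
# Added example: tell a legacy pkg_add archive from a pkg(8) archive and hash it.
import hashlib
import io
import tarfile


def make_archive(member_names):
    """Build a small .tbz in memory (constructed sample, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name in member_names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_package(blob):
    """Return (format, sha256 hex digest) for a package archive given as bytes."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        names = set(tar.getnames())
    if "+MANIFEST" in names or "+COMPACT_MANIFEST" in names:
        fmt = "pkg"        # metadata that `pkg add` looks for
    elif "+CONTENTS" in names:
        fmt = "pkg_add"    # legacy packing list; `pkg add` finds no manifest here
    else:
        fmt = "unknown"
    return fmt, hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    # Constructed member lists modelled on the two package layouts.
    samples = {
        "legacy layout": ["+CONTENTS", "+COMMENT", "+DESC", "bin/squidGuard"],
        "pkg layout": ["+COMPACT_MANIFEST", "+MANIFEST", "/usr/local/bin/squidGuard"],
    }
    for label, members in samples.items():
        fmt, digest = inspect_package(make_archive(members))
        print(f"{label}: format={fmt} sha256={digest}")
```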
                        akha666

                        I gave it another try with pfs 2.0.3; the pkg_add -r is working but I got another issue

                        ```
                        [2.0.3-RELEASE][root@pfSense.localdomain]/usr/local/bin(24): pkg_add -r http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
                        Fetching http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz... Done.
                        Error: Unable to get http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/db41-4.1.25_4.tbz: Not Found
                        pkg_add: can't open dependency file '/var/db/pkg/db41-4.1.25_4/+REQUIRED_BY'!
                        dependency registration is incomplete

                        ===================================================================
                        = In order to activate squidGuard you have to edit squid.conf
                        = To the contain "url_rewrite_program /usr/local/bin/squidGuard"
                        = and create a configuration file for squidGuard.
                        =
                        = On disinstallation if you want to completely remove the blacklists
                        = you will have to manually remove what remains in /var/db/squidGuard.
                        =
                        = To activate the changes do a /usr/local/sbin/squid -k reconfigure
                        ===================================================================
                        ```

                          akha666

                          @Luiz Gustavo, there is now other repositories working ???????
