Dansguardian + squid LDAP help on Pfsense 2.1.5
-
I feel SO close to getting this to work, but it just isn't working.
pfsense version 2.1.5
Squid 2.7.9 pkg v4.3.3
Dansguardian 2.12.0.3_2 pkg v.0.1.12

I want to use the LDAP settings in Dansguardian to enforce particular site lists, whitelists, and blacklists. When I configure LDAP in Dans, and configure groups, one group is getting populated with only 47 users, and the AD admin tells me there are ~150 people in the group. One group doesn't even show up in the Users pane, and the other two each SAY they have 47 users, but are both empty. This is the problem I'm trying to solve in this post.
I am NOT trying to do this exactly, but I have at least read the thread:
https://forum.pfsense.org/index.php/topic,58700.0.html
I am trying to use Proxy-Basic, not Proxy-NTLM. I can't support all those extra manually installed packages in my environment unless they are 100% totally the only way to make the proxy use AD for its source of users. Running samba on a firewall is not an acceptable practice where this firewall is used. At this point, I don't care if the user has to manually enter username and password when they access the web, if that helps.

When I run
php /usr/local/www/dansguardian_ldap.php
it tells me
User list from LDAP is already the same as current group, no changes made
The Dans LDAP configuration page looks like this:
Hostname: 172.16.1.1
Domain: dc=test,dc=local
username: ldap@test.local
Password: Passwordfor ldap account
Mask: USER

This seems to work - a packet capture at the firewall and at the server show successful authentication, but I don't seem to be getting full user lists…
When someone sets their browser to use this firewall as their proxy, they are just allowed to the internet, whether they are in one of the groups or not.
This is how the group that returns a user list looks in the group config - sorry for the multiple screenshots:
Note that in the third shot I erased the IP of the LDAP server from the image, but the correct IP is listed and it is selected.
I am attempting to build a second environment where I have access directly to the AD, but for this example I do not, so any AD related questions I might have to ask someone else.
Can anyone tell me what I might be doing wrong? I don't seem to be having the auth problems that I've found are common in other threads on this topic. I know that with other LDAP solutions I've used, they sometimes only request 50 users/groups at a time; it feels like that might be the case here, but I have no idea how to prove/change that given the settings I have. Thanks in advance for looking!
Steve
EDIT: I removed the check from LDAP user account status, and now the ONE group that populates has 127 users. I'm still missing a group, and two other groups both claim to have 127 users, but show blank. Really confused.
EDIT 2: OK, this is starting to feel like a UI bug. I deleted and re-created all four groups - and the fourth one I configure always knocks the first one I configured off the screen. I now see different users in all three groups that ARE on screen, but the users reported in each group are still wrong - one group shows 6 users but reports 7, another claims 127 but there are only 126, and a third says it has 127 but only has 26. Is there a file or table I can check someplace that tells me all the users that it sees? It appears the webgui cannot be relied upon for this check…
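On the question of where to check what the LDAP server is actually handing back, an added example follows (it is not from the original post and not part of the pfSense DansGuardian package): pull the group's membership straight from the directory with ldapsearch, then summarise the dump. The script assumes the OpenLDAP client tools are installed on the host it is run from; the hostname, bind account and base DN are the ones given in the post, and GROUP_DN is a placeholder for the group's distinguishedName. Two LDIF dumps are constructed inline to exercise the check. The summary flags the two server-side signs of an incomplete list: an Active Directory range marker on the member attribute (the server returns large multi-valued attributes in chunks and expects the client to ask for the rest), and an LDAP "Size limit exceeded" result, which is what a server-side cap of the kind suspected above looks like on the wire.

```shell
#!/bin/sh
# Added example, not from the original post or the pfSense DansGuardian package.
# Pull a group's membership straight from the directory and summarise the
# dump, so the count shown in the GUI can be compared with what the server
# actually returns.
#
# Step 1 (run by hand on a host with the OpenLDAP client tools installed;
# host, bind account and base DN are the ones from the post, GROUP_DN is a
# placeholder for the group's distinguishedName, -W prompts for the password;
# stderr is captured so a size-limit error ends up in the file too):
#
#   ldapsearch -LLL -x -H ldap://172.16.1.1 -D 'ldap@test.local' -W \
#       -b 'dc=test,dc=local' '(distinguishedName=GROUP_DN)' member \
#       > group.ldif 2>&1
#
# Step 2: count_members group.ldif  ->  "<members> <truncated>"

# count_members FILE
# Prints the number of member values in the dump and a 0/1 flag that is 1
# when the server signalled an incomplete list: either an Active Directory
# range marker with a numeric upper bound (member;range=0-1499 means more
# values were held back; the final chunk ends in "*"), or the LDAP
# "Size limit exceeded" result.
count_members() {
    awk '
        /^member(;range=[0-9]+-[0-9*]+)?: / { members++ }
        /^member;range=[0-9]+-[0-9]+: /     { truncated = 1 }
        /Size limit exceeded/               { truncated = 1 }
        END { printf "%d %d\n", members + 0, truncated + 0 }
    ' "$1"
}

# Constructed sample dumps (not real directory data) to exercise the check.
# Full list: plain member attribute, one value folded over two lines as
# LDIF allows (continuation lines start with a space and are not counted).
make_sample_full() {
    cat > "$1" <<'EOF'
dn: CN=proxy-users,OU=Groups,DC=test,DC=local
member: CN=Alice Example,OU=Staff,DC=test,DC=local
member: CN=Bob Example,OU=Staff,DC=test,DC=local
member: CN=Carol Example,OU=Staff,
 DC=test,DC=local
EOF
}

# Truncated list: the server answered with the first range chunk only.
make_sample_truncated() {
    cat > "$1" <<'EOF'
dn: CN=proxy-users,OU=Groups,DC=test,DC=local
member;range=0-1499: CN=Alice Example,OU=Staff,DC=test,DC=local
member;range=0-1499: CN=Bob Example,OU=Staff,DC=test,DC=local
member;range=0-1499: CN=Carol Example,OU=Staff,DC=test,DC=local
EOF
}

# Usage: sh check_group.sh group.ldif
if [ $# -eq 1 ]; then
    count_members "$1"
fi
```

If the member count from the directory matches what the AD admin reports and the flag is 0, the gap is on the pfSense side (the package's import or the GUI) rather than in what the server returns; if the flag is 1, the server is the one holding values back and the client has to page or fetch the remaining ranges.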
-
Some progress. I had to create each group, save it, then hit save again under the Groups tab, wait for it to populate under the Users tab (manually running dansguardian_ldap.php did NOT populate the group immediately), hit save, then repeat for every group. I now have what I'm told is the complete list of users. I also had to restore the "Default" group from backup.
I have now set the default group to deny access, and have set up all the other groups for their appropriate access. Now when a user configures the proxy, they are simply denied, never taken to a page to verify credentials. I can't add this firewall to the domain I'm working on as per https://forum.pfsense.org/index.php/topic,58700.0.html . If I set the default back to allowed the person can get through. Is there someplace I need to turn on the ability to have the thing ASK for credentials if none are presented?