Kerberos Squid without authentication?
-
Why are you authenticating as administrador@CASA.LOCAL ?
The user should be appearing there and not administrator. Should be user@CASA.LOCALThe user need to be member of the group used in ldapusersearch in Squidguard
-
@mcury
its because im opening the chrome inside of the windows server which im logged on as administradorthis is another user
-
Ok, in this last screenshot, the username is Windows10?
Is this user a member of the group used in ldapusersearch?You are almost there.. soon we will find the problem
-
@mcury
thanks for the reply,
so on the squidguardldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))and the user is located in
CN=windows10,CN=Users,DC=casa,DC=local -
ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
You used a
%2cin the wrong place (It means a ',')It should be:
ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))It's important to notice that you are not filtering users by group in this case..
I would create a group, like internet, add the members to this group, and then filter like this:ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s)) -
@mcury said in Kerberos Squid without authentication?:
ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
Thanks again for the reply, so i changed to
ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))then created group called internet added windows10 and administrador but same issue with popup
CN=internet,CN=Users,DC=casa,DC=localIm thinking its a squid issue but dont know what else to do :(
-
Try port 389 instead of 3268.. Who knows..
-
Thanks for the reply,
so on squid i had to removehttp_access allow denynow i got to squidguard i see this log
(squidGuard): ldap_search_ext_s failed: Operations error (params: dc=casa,dc=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)),i also had to configure on squidguard
-
So, is it working now ?
if not, I would focus on the ldapusersearch..
-
thanks for the reply,
so correct its navigating with the user now i need to block but i see the log on squidguard12.05.2021 19:45:34 (squidGuard): ldap_search_ext_s failed: Operations error (params: DC=casa,DC=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)), userPrincipalName) -
Try to tick that option in squidguard: Strip NT domain name.
If ticking it doesn't work, undo it.. -
Test this:
1 - Disable Squidguard authentication tab
2 - Enable Squid authentication tab with the following details:Squid Authentication LDAP Settings > LDAP Base Domain:
DC=casa,DC=local -R(-R option will enable the recursive search in domain).
Note: keep the ldapusersearch the same as before, using port 3268
Then try again and post here in case it works.
-
Google Chrome and other browsers from a certain version onwards (I can't say from which one) don't allow "Transparent" authentication without the Pop Up window appearing.
So I don't think you will be able to accomplish what you intended.If I am wrong can you correct me please.
-
@mcury
Thanks for the reply, so got it working, i used the pf2ad script
but on ldap for squidguard how to add a group with a space the group is called domain usersldapusersearch ldap://apolo.casa.local:3268/DC=casa,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=domain users%2cCN=Users%2cDC=casa%2cDC=local))