Kerberos Squid without authentication?
-
@mcury
its because im opening the chrome inside of the windows server which im logged on as administradorthis is another user
-
Ok, in this last screenshot, the username is Windows10?
Is this user a member of the group used in ldapusersearch?You are almost there.. soon we will find the problem
-
@mcury
thanks for the reply,
so on the squidguardldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
and the user is located in
CN=windows10,CN=Users,DC=casa,DC=local
-
ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
You used a
%2c
in the wrong place (It means a ',')It should be:
ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
It's important to notice that you are not filtering users by group in this case..
I would create a group, like internet, add the members to this group, and then filter like this:ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
-
@mcury said in Kerberos Squid without authentication?:
ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
Thanks again for the reply, so i changed to
ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
then created group called internet added windows10 and administrador but same issue with popup
CN=internet,CN=Users,DC=casa,DC=local
Im thinking its a squid issue but dont know what else to do :(
-
Try port 389 instead of 3268.. Who knows..
-
Thanks for the reply,
so on squid i had to removehttp_access allow deny
now i got to squidguard i see this log
(squidGuard): ldap_search_ext_s failed: Operations error (params: dc=casa,dc=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)),
i also had to configure on squidguard
-
So, is it working now ?
if not, I would focus on the ldapusersearch..
-
thanks for the reply,
so correct its navigating with the user now i need to block but i see the log on squidguard12.05.2021 19:45:34 (squidGuard): ldap_search_ext_s failed: Operations error (params: DC=casa,DC=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)), userPrincipalName)
-
Try to tick that option in squidguard: Strip NT domain name.
If ticking it doesn't work, undo it.. -
Test this:
1 - Disable Squidguard authentication tab
2 - Enable Squid authentication tab with the following details:Squid Authentication LDAP Settings > LDAP Base Domain:
DC=casa,DC=local -R(-R option will enable the recursive search in domain).
Note: keep the ldapusersearch the same as before, using port 3268
Then try again and post here in case it works.
-
Google Chrome and other browsers from a certain version onwards (I can't say from which one) don't allow "Transparent" authentication without the Pop Up window appearing.
So I don't think you will be able to accomplish what you intended.If I am wrong can you correct me please.
-
@mcury
Thanks for the reply, so got it working, i used the pf2ad script
but on ldap for squidguard how to add a group with a space the group is called domain usersldapusersearch ldap://apolo.casa.local:3268/DC=casa,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=domain users%2cCN=Users%2cDC=casa%2cDC=local))