
    SquidGuard + NTLM не блокирует

      retrooo_7

      Привет всем!
      Имею 2.3.3-RELEASE (amd64)
      Squid + SquidGuard (http://www.shallalist.de/Downloads/shallalist.tar.gz) + LightSquid + samba (настраивал по статье https://pf2ad.mundounix.com.br/en/index.html).
      Беда следующего характера: хочу рулить разрешениями в SquidGuard через AD.
      Как только в Proxy filter SquidGuard: General settings выставляю галку Enable LDAP Filter со всеми параметрами, ничего не фильтруется: любой пользователь сразу получает полный доступ ко всему.
      Common ACL — deny all.

      SquidGuard configuration file

      # squidGuard.conf as generated by the pfSense squidGuard package (posted for diagnosis).
      # logdir/dbhome are absolute; domainlist/urllist paths inside dest groups are relative to dbhome.
      logdir /var/squidGuard/log
      dbhome /var/db/squidGuard
      # Account squidGuard binds as for the ldapusersearch lookups of LDAP-based src groups.
      # NOTE(review): this DN places the account under the AD Builtin container, which normally
      # holds built-in groups rather than user accounts, while squid.conf binds the same account
      # by UPN (exadm@company.ru). Confirm the DN actually resolves (an ldapsearch with these
      # credentials is enough); a failing bind is one reason squidGuard may start in emergency mode.
      ldapbinddn cn=exadm,cn=builtin,dc=company,dc=ru
      # NOTE(review): bind password stored in clear text; keep this file readable only by the
      # proxy user and rotate the credential if the value above was not redacted before posting.
      ldapbindpass 7777777
      ldapprotover 3
      # Trim the DOMAIN\ prefix and the @REALM suffix from the username squid hands over, so
      # NTLM/Negotiate logins can match plain sAMAccountName values from LDAP.
      stripntdomain true
      striprealm true
      
      # pftest
      # NOTE(review): this source group has no members (no user/ip/ldapusersearch lines), so it
      # can never match and every request falls through to the default ACL. The pfSense package
      # presumably emits the group's "LDAP search" string here; check that it is set on this group.
      src pftest {
      }
      
      # 
      # One blacklist category from the Shalla archive; both file paths are relative to dbhome.
      dest blk_BL_adv {
      	domainlist blk_BL_adv/domains
      	urllist blk_BL_adv/urls
      }
      #
      # many more URL categories follow here (elided by the poster)
      
      # 
      # Rewrite rules that force the search engines' safe-search mode by appending a query parameter.
      rew safesearch {
      	s@(google..*/search?.*q=.*)@&safe=active@i
      	s@(google..*/images.*q=.*)@&safe=active@i
      	s@(google..*/groups.*q=.*)@&safe=active@i
      	s@(google..*/news.*q=.*)@&safe=active@i
      	s@(yandex..*/yandsearch?.*text=.*)@&fyandex=1@i
      	s@(search.yahoo..*/search.*p=.*)@&vm=r&v=1@i
      	s@(search.live..*/.*q=.*)@&adlt=strict@i
      	s@(search.msn..*/.*q=.*)@&adlt=strict@i
      	s@(.bing..*/.*q=.*)@&adlt=strict@i
      }
      
      # 
      # NOTE(review): only "default" is defined; there is no entry for the pftest source group,
      # so even a populated pftest would be judged by the default rule. Each src group needs its
      # own "<group> { pass ... }" entry here (on pfSense, generated from the group's target rules).
      acl  {
      	# 
      	# Default rule: deny bare-IP URLs (!in-addr) and everything else (none), redirecting to
      	# the sgerror page. If the proxy nevertheless passes everything, squidGuard is most likely
      	# not applying this file at all (emergency mode) - check the log under logdir first.
      	default  {
      		pass !in-addr none
      		redirect http://192.168.211.4:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
      	}
      }
      

      Proxy config

      # This file is automatically generated by pfSense
      # Do not edit manually !
      # (Posted for diagnosis; reviewer notes are marked NOTE(review). Since the package regenerates
      #  this file, any change belongs in the pfSense Squid package settings, not here.)
      
      # Explicit (non-intercept) listener on the LAN address.
      http_port 192.168.211.4:3128
      icp_port 0
      dns_v4_first off
      pid_filename /var/run/squid/squid.pid
      cache_effective_user squid
      cache_effective_group proxy
      error_default_language ru
      icon_directory /usr/local/etc/squid/icons
      visible_hostname company proxy server
      cache_mgr 01@company.ru
      access_log /var/squid/logs/access.log
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      netdb_filename /var/squid/logs/netdb.state
      pinger_enable on
      pinger_program /usr/local/libexec/squid/pinger
      
      logfile_rotate 30
      debug_options rotate=30
      shutdown_lifetime 3 seconds
      # Allow local network(s) on interface(s)
      # Client range used by the final "allow password localnet" rule below.
      acl localnet src  192.168.208.0/22
      forwarded_for on
      uri_whitespace strip
      
      acl dynamic urlpath_regex cgi-bin ?
      cache deny dynamic
      
      cache_mem 64 MB
      maximum_object_size_in_memory 256 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      minimum_object_size 0 KB
      maximum_object_size 4 MB
      
      offline_mode off
      cache_swap_low 90
      cache_swap_high 95
      cache allow all
      # Add any of your own refresh_pattern entries above these.
      refresh_pattern ^ftp:    1440  20%  10080
      refresh_pattern ^gopher:  1440  0%  1440
      refresh_pattern -i (/cgi-bin/|?) 0  0%  0
      refresh_pattern .    0  20%  4320
      
      #Remote proxies
      
      # Setup some default acls
      # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
      # acl localhost src 127.0.0.1/32
      acl allsrc src all
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3129 1025-65535 
      acl sslports port 443 563  
      
      # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
      #acl manager proto cache_object
      
      acl purge method PURGE
      acl connect method CONNECT
      
      # Define protocols used for redirects
      acl HTTP proto HTTP
      acl HTTPS proto HTTPS
      # http_access rules are evaluated top-down; the first matching rule decides the request.
      http_access allow manager localhost
      
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports
      
      # Always allow localhost connections
      # From 3.2 further configuration cleanups have been done to make things easier and safer.
      # The manager, localhost, and to_localhost ACL definitions are now built-in.
      # http_access allow localhost
      
      request_body_max_size 0 KB
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100
      delay_access 1 allow allsrc
      
      # Reverse Proxy settings
      
      # Package Integration
      # Every request that passes http_access is handed to squidGuard, which decides per URL
      # using squidGuard.conf.
      # NOTE(review): if squidGuard fails to initialise (config, blacklist DB or LDAP bind
      # problem) it runs in "emergency mode" and passes every URL unchanged - exactly the
      # symptom described in this thread. Its own log (logdir in squidGuard.conf) says so explicitly.
      url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
      url_rewrite_bypass off
      url_rewrite_children 16 startup=8 idle=4 concurrency=0
      
      # Custom options before auth
      
      # Negotiate (Kerberos, with NTLM fallback through the wrapper) helper.
      # NOTE(review): "-s GSS_C_NOME" does not look like the usual GSS_C_NO_NAME service-name
      # keyword; confirm against the generated file (it may be a paste artefact).
      auth_param negotiate program /usr/local/libexec/squid/negotiate_wrapper_auth --ntlm /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NOME
      auth_param negotiate children 20
      auth_param negotiate keep_alive off
      # Pure NTLM
      auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
      auth_param ntlm children 20
      auth_param ntlm keep_alive off
      # Basic (password) fallback, verified against AD over LDAP.
      # NOTE(review): the bind password sits on the helper command line (visible in process
      # listings and in pasted configs); basic_ldap_auth can read it from a file with -W <path>.
      # The connection is plain LDAP, so the user passwords this helper verifies cross the
      # network in clear - prefer -Z (StartTLS) or an ldaps:// URI via -H.
      auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -b 'dc=company,dc=ru' -D 'exadm@company.ru' -w '7777777' -f sAMAccountName=%s -h v-krr-dc.company.ru
      # NOTE(review): "children" and "credentialsttl" are each set twice below; presumably the
      # later value wins (children 5, credentialsttl 5 minutes). `squid -k parse` reports which;
      # drop the duplicates so the intent is unambiguous.
      auth_param basic children 20
      auth_param basic credentialsttl 1 minute
      auth_param basic children 5
      auth_param basic realm Давай блять, жги
      auth_param basic credentialsttl 5 minutes
      # Matches any successfully authenticated user; the username obtained here is what
      # squidGuard sees (%u) for its LDAP-based source groups.
      acl password proxy_auth REQUIRED
      # Custom options after auth
      
      # Only authenticated clients from the LAN range get through; everything else hits the
      # catch-all deny below.
      http_access allow password localnet
      # Default block all to be sure
      http_access deny allsrc
      
        werter

        Доброе.
        Сквид прозрачный? ЛДАП-фильтр проверяли на корректность?

          retrooo_7

          @werter:

          Доброе.
          Сквид - прозрачный ? ЛДАП фильтр проверяли на корректность ?

          Сквид не прозрачный. Подскажите, пожалуйста, как проверить ЛДАП-фильтр на корректность?
