pfSense 2.4.5.p1 + SquidGuard + GroupACL + ldapsearch problem
-
Hello,
I have a problem with the squidGuard Groups ACL configuration. I'm trying to do an ldapusersearch in the Client (source) field of group "block", but it looks like it doesn't work for me.
Common ACL rules are working fine.
Also, if I set a single AD user like 'test' as the client source of the GroupACL, it works fine.
pfSense: 2.4.5-RELEASE-p1
squid: 0.4.45_3
squidGuard: 1.16.18_13
Squid is configured for Kerberos AD auth.
AD group used: internet (default domain users container)
Proxy config from Package/SquidGuard/Logs: https://pastebin.com/2exrvunw
Filter config from Package/SquidGuard/Logs: https://pastebin.com/bvVQe0M1
LDAP query string used:
ldapusersearch ldap://dc01.kolbasa-vs.local:3268/DC=kolbasa-vs,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=internet%2cCN=Users%2cDC=kolbasa-vs%2cDC=local))
I totally don't know where to dig; it looks like squidGuard is not even trying to execute the ldapusersearch query, because after hitting the green Apply button I see only emptiness in this src block:
src block {
log block.log
}
Need some advice.
Thanks.
-
Found something interesting. My settings and LDAP string exist in /usr/local/etc/squidGuard/squidguard_conf.xml:
<?xml version="1.0"?>
<squidGuard>
  <logdir>/var/squidGuard/log</logdir>
  <dbhome>/var/db/squidGuard</dbhome>
  <ldap_enable>on</ldap_enable>
  <ldapbinddn><![CDATA[CN=s_pfsense,OU=Pfsense,OU=Services,DC=kolbasa-vs,DC=local]]></ldapbinddn>
  <ldapbindpass><![CDATA[********]]></ldapbindpass>
  <ldapcachetime>300</ldapcachetime>
  <ldapversion>3</ldapversion>
  <stripntdomain>on</stripntdomain>
  <striprealm>on</striprealm>
  <binpath>/usr/local/bin</binpath>
  <workdir>/usr/local/etc/squidGuard</workdir>
  <sgxml_file>/usr/local/etc/squidGuard/squidguard_conf.xml</sgxml_file>
  <enabled>on</enabled>
  <blacklist_enabled>on</blacklist_enabled>
  <blacklist_url></blacklist_url>
  <sources>
    <item>
      <name>block</name>
      <source>ldapusersearch ldap://dc01.kolbasa-vs.local:3268/dc=kolbasa-vs,dc=local?userPrincipalName?sub?(&(userPrincipalName=%s)(memberOf=CN=internet%2cCN=Users%2cDC=kolbasa-vs%2cDC=local))</source>
      <log>on</log>
      <description></description>
    </item>
  </sources>
But for some reason these settings are missing from /usr/local/etc/squidGuard/squidGuard.conf.
Btw, I tried to manually edit /usr/local/etc/squidGuard/squidGuard.conf and add the missing source string, then restarted squidGuard from the WebGUI, and filtering for the AD group works just fine.
So, is it a WebGUI bug or something else?
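A consistency check for the mismatch described in this post, written as an added example (it is not from the thread or from the pfSense SquidGuard package): it reads the `<sources>` items from squidguard_conf.xml and reports any whose directive is absent from the matching `src` block in squidGuard.conf. The file contents below are constructed, with a placeholder domain instead of the poster's.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data modelled on the thread (placeholder domain, not the poster's files).
LDAP_LINE = ("ldapusersearch ldap://dc01.example.local:3268/dc=example,dc=local"
             "?userPrincipalName?sub?(&(userPrincipalName=%s)"
             "(memberOf=CN=internet%2cCN=Users%2cDC=example%2cDC=local))")

# In well-formed XML the filter's '&' must be stored as '&amp;'; ElementTree rejects a bare '&'.
SAMPLE_XML = ('<?xml version="1.0"?>\n<squidGuard><sources><item>\n<name>block</name>\n'
              '<source>' + LDAP_LINE.replace("&", "&amp;") + '</source>\n'
              '<log>on</log>\n</item></sources></squidGuard>\n')

# squidGuard.conf as the poster saw it: the src block carries only the log directive.
SAMPLE_CONF_BROKEN = ("logdir /var/squidGuard/log\ndbhome /var/db/squidGuard\n"
                      "src block {\nlog block.log\n}\n")
# The same file after the missing directive is restored by hand.
SAMPLE_CONF_OK = SAMPLE_CONF_BROKEN.replace("src block {\n", "src block {\n" + LDAP_LINE + "\n")

# Matches one 'src NAME { ... }' block; group 1 is the name, group 2 the body.
SRC_BLOCK = re.compile(r"^\s*src\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)


def xml_sources(xml_text):
    """Map each <sources><item> name in squidguard_conf.xml to its <source> directive."""
    root = ET.fromstring(xml_text)
    return {item.findtext("name", "").strip(): item.findtext("source", "").strip()
            for item in root.findall("sources/item")}


def conf_src_blocks(conf_text):
    """Map each src block name in squidGuard.conf to its non-empty body lines."""
    return {m.group(1): [ln.strip() for ln in m.group(2).splitlines() if ln.strip()]
            for m in SRC_BLOCK.finditer(conf_text)}


def missing_sources(xml_text, conf_text):
    """Names of XML sources whose directive is absent from the matching src block."""
    blocks = conf_src_blocks(conf_text)
    return sorted(name for name, directive in xml_sources(xml_text).items()
                  if directive and directive not in blocks.get(name, []))


if __name__ == "__main__":
    # On a real firewall, read the two files from /usr/local/etc/squidGuard/ instead.
    print("sources missing from squidGuard.conf:",
          missing_sources(SAMPLE_XML, SAMPLE_CONF_BROKEN))
```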
-
I can see it in my /usr/local/etc/squidGuard/squidGuard.conf:
logdir /var/squidGuard/log
dbhome /var/db/squidGuard
ldapbinddn CN=s_pfsense,OU=Pfsense,OU=Services,DC=kolbasa-vs,DC=local
ldapbindpass 123
ldapcachetime 0
ldapprotover 3
#
src testacl {
ldapusersearch ldap://dc01.kolbasa-vs.local:3268/dc=kolbasa-vs,dc=local?userPrincipalName?sub?(&(userPrincipalName=%s)(memberOf=CN=internet%2cCN=Users%2cDC=kolbasa-vs%2cDC=local))
log block.log
}
Please update the SquidGuard pkg to the latest version.
-
@viktor_g Thank you for your reply, I'll try it now.
-
I was not able to update the squidGuard package; the process got stuck on Initialization. So I disabled squidGuard and Squid and removed the SquidGuard package, but unfortunately I was not able to install the new version because it got stuck on initialization, so I just backed up everything and did an upgrade to 2.5.0, and it finished successfully.
For now, my problem is solved, thanks a lot.