Dansguardian, Ldap and Access Lists



  • I have successfully set up pfsense 2.02, squid and Dans Guardian and configured squid to authenticate using LDAP with AD.
    I've configured Dansguardian LDAP, and set up groups which match AD groups - users populate from AD successfully.
    Finally I've set up site access lists and associated these with groups.

    In the group configuration for each group, the Default access list is not highlighted - only the one that I have set up appropriate to that group.

    However, when I start a browser session and successfully authenticate, the access list associated with the group/user is ignored, and only the
    Default access group rules are applied.

    I have checked the /usr/local/etc/dansguardian/filtergroupslist and the AD users are shown, with the correct filter number.

    Any suggestions as to why the site access lists are being ignored?



  • @neil:

    Any suggestions as to why the site access lists are being ignored?

    Check the squid log files to see if it's showing authenticated users.



  • Ok I found the problem - it looks like a "bug" with the combination of Squid and Dans Guardian.
    I first installed Squid, and then Dans Guardian.
    I configured squid to authenticate with LDAP against an AD server, and tested this successfully.
    Then I set up groups (which populate from AD) and access lists within Dans Guardian, and found that these lists were ignored whenever a user authenticated.

    The solution was this:
    In the General tab for Dans Guardian, the auth-plugins was set to proxy-basic.
    If you change this to anything else (e.g. ident) and restart DG, then go back and change this setting to proxy-basic and restart DG, the access lists are then correctly accessed and applied to Groups.

    Just to make absolutely sure, I re-installed pfsense/squid/dg on a fresh box with the above functionality, and can confirm that this simple toggle is needed to get DG to use the correct access lists assigned to groups.

    Thanks for your prompt suggestion and I hope my experience helps others.
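
The two checks mentioned in this thread (authenticated users in the Squid log, users and filter numbers in filtergroupslist) can be cross-checked in one pass. The following is an added example, not code from the thread or from pfSense, Squid or DansGuardian; it assumes Squid's native access.log format and `user=filterN` lines in filtergroupslist, and the function names and sample data are constructed.

```python
import re
from collections import Counter

# Constructed sample of /usr/local/etc/dansguardian/filtergroupslist.
SAMPLE_GROUPS = """\
# user=filterN
alice=filter2
bob=filter3
"""

# Constructed Squid access.log lines in the native format (assumed).
SAMPLE_LOG = """\
1362000000.101    12 127.0.0.1 TCP_DENIED/407 1800 GET http://example.com/ - NONE/- text/html
1362000001.202    45 127.0.0.1 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
1362000002.303    30 127.0.0.1 TCP_MISS/200 2048 GET http://example.org/ Bob DIRECT/192.0.2.20 text/html
1362000003.404    28 127.0.0.1 TCP_MISS/200 1024 GET http://example.net/ carol DIRECT/192.0.2.30 text/html
"""

def parse_filtergroupslist(text):
    """Return {username: group number} from user=filterN lines."""
    groups = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#=\s]+)\s*=\s*filter(\d+)\s*$", line)
        if m:
            groups[m.group(1)] = int(m.group(2))
    return groups

def logged_users(log_text):
    """Count requests per user name (field 8 of Squid's native log format)."""
    users = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 10:
            users[fields[7]] += 1
    return users

def audit(log_text, groups_text):
    """Classify each logged user by how it lines up with filtergroupslist."""
    groups = parse_filtergroupslist(groups_text)
    lowered = {name.lower(): name for name in groups}
    report = {"anonymous": 0, "mapped": {}, "case_mismatch": {}, "unmapped": []}
    for user, hits in sorted(logged_users(log_text).items()):
        if user == "-":
            report["anonymous"] = hits            # no user name was logged
        elif user in groups:
            report["mapped"][user] = groups[user]
        elif user.lower() in lowered:
            report["case_mismatch"][user] = lowered[user.lower()]
        else:
            report["unmapped"].append(user)       # no entry in the list
    return report
```

If every authenticated user lands under `mapped` with the expected filter number and the group's access list is still not applied, the log and the list are consistent and the remaining place to look is the DansGuardian auth-plugin setting described above.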

