Netgate Discussion Forum
How to dansguardian auth with ldap

pfSense Packages
15 Posts 3 Posters 5.8k Views
  • G
    gdy1039
    last edited by Apr 13, 2013, 9:07 AM

    Hi all:
    How do I do DansGuardian auth with LDAP (Win2003 AD or Win2008 AD)?
    Where should I configure the LDAP, in Squid or DansGuardian?
    After I finish configuring, how do I know it works?
    And then where do I tell the user name to DansGuardian?
    In the path Services: Dansguardian: user? Is the format "domain\login"?

    If someone knows, please tell me.
    Thanks ;D

    • S
      sgtr
      last edited by Apr 13, 2013, 8:35 PM

      Hi,

      You should look at http://forum.pfsense.org/index.php/topic,58700.0.html; it will give you an idea.

      Regards,
      SGTR

      Never give up, even if there is no hope.

      • G
        gdy1039
        last edited by Apr 15, 2013, 9:44 AM

        @SGTR:

        Hi,

        You should look at http://forum.pfsense.org/index.php/topic,58700.0.html; it will give you an idea.

        Regards,
        SGTR

        Glad to see your reply.
        I saw that tip,
        but I tried to do it like that tip for a month of Sundays, without success.
        I found that Squid now integrates many auth plugins,
        for example: basic_ldap_auth, ntlm_fake_auth, ntlm_smb_lm_auth and negotiate_kerberos_auth.
        Now I can auth through basic_ldap_auth in Squid; it's very easy,
        just one line of auth config and 4 lines of related config.

        So I can't understand why that tip still uses so many third-party libs and so much config.

        • G
          gdy1039
          last edited by Apr 15, 2013, 9:51 AM

          I am on pfSense 2.0.2 + DansGuardian + Squid 3 + Win2003 AD.

          I know how to use basic auth in Squid, but don't know how to make it work in DansGuardian.
          I tried to add an LDAP in DansGuardian, then added a group named "Administrator". I can't add a group like "domain users", but most of my accounts are in that AD group.
          Then I run the command

          php /usr/local/www/dansguardian_ldap.php

          and it returns an error:

          Warning:ldap_bind(): Unable to bind to server: invalid credentials in /usr/local/www/dansguardian_ldap.php on line 65

          • G
            gdy1039
            last edited by Apr 19, 2013, 5:50 AM Apr 19, 2013, 1:46 AM

            I just added the lines below, and then Squid works with basic auth in pfSense, authenticated by Win2003 AD.

            When a client accesses the web and enters the correct AD login and password, they can pass.

            auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=jian,dc=com" -D "cn=squid,cn=Users,dc=jian,dc=com" -w "Admin@8888" -f sAMAccountName=%s -h jxad.jian.com
            auth_param basic children 5
            auth_param basic realm jian.com
            auth_param basic credentialsttl 60 minute

            acl ldap-auth proxy_auth REQUIRED

            http_access allow ldap-auth
            http_access allow localhost

            And finally deny all other access to this proxy

            http_access deny all

            And then I chose "Proxy-basic" authentication in DansGuardian,
            referring to the tip's steps 18 to 21,
            http://forum.pfsense.org/index.php/topic,58700.15.html
            and then added an LDAP like this:

            hostname=jian.com
            dc=jian,dc=com
            cn=squid,ou=Users
            password=Admin@8888
            mask=User

            The squid account is ou=users, group=users (built in).

            I made a group in DansGuardian named "users".

            After I do this, the users group won't update the user list.

            I run the command

            php /usr/local/www/dansguardian_ldap.php

            and it returns an error:

            Warning:ldap_bind(): Unable to bind to server: invalid credentials in /usr/local/www/dansguardian_ldap.php on line 65

            If anyone knows why, please tell me, thanks.

            • M
              marcelloc
              last edited by Apr 19, 2013, 2:28 AM

              Try user@domain instead of cn=user,CN=domain

              Elite Training: http://sys-squad.com

              Help a community developer! ;D

              • G
                gdy1039
                last edited by Apr 19, 2013, 7:33 AM

                Hi, glad to see your reply.

                I changed the DansGuardian LDAP like this:

                hostname:jian.com
                domain:dc=jian,dc=com
                username:squid@jian.com
                password:Admin@8888
                mask:User

                I run it again:

                /usr/local/etc/dasr/local/www/dansguardian_ldap.php

                It returns:

                Content-type: text/html

                Group : users
                User list from LDAP is already the same as current group, no changes made

                1: What does it mean, and how do I correct it?
                2: What is the option "mask" used for?

                • G
                  gdy1039
                  last edited by Apr 19, 2013, 8:40 AM Apr 19, 2013, 8:01 AM

                  If I delete all groups in DansGuardian, leaving just the default,
                  it returns the same:

                  Content-type: text/html

                  User list from LDAP is already the same as current group, no changes made

                  If I create a DansGuardian group named "cccc", which is a group not in AD,
                  and check the LDAP that I created before in group "cccc",
                  and run dansguardian_ldap.php again,
                  it still says "same as current group".
                  It seems a bug?

                  • G
                    gdy1039
                    last edited by Apr 19, 2013, 8:50 AM

                    When I update the LDAP like this

                    hostname:jian.com
                    domain:dc=jian,dc=com
                    username:squid@jian.com
                    password:Admin@8888
                    mask:User

                    and then create a global group named "g1" in AD instead of using the built-in group "users",
                    then create group "g1" in DansGuardian,
                    it works!
                    The user list is updated.

                    Thanks marcelloc!

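The three bind identities in this thread behave differently for an Active Directory simple bind: the full DN in the squid.conf `-D` value worked, the `cn=squid,ou=Users` entry in the DansGuardian LDAP form produced "invalid credentials", and the `squid@jian.com` UPN that marcelloc suggested worked. The helper below is an added example, not code from the thread or from the pfSense package; its relative-DN completion and its ou/cn check are this example's own logic, not what dansguardian_ldap.php does, and it assumes DN values contain no escaped commas.

```javascript
// Added example: classify the identity handed to an Active Directory simple
// bind. Three forms appear in this thread; this helper tells them apart and
// explains the failing one. Assumption: no escaped commas inside DN values.
var BASE_DN = "dc=jian,dc=com"; // the domain base used in the thread

function classifyBindIdentity(identity, baseDn) {
  var id = identity.trim();
  var warnings = [];

  // userPrincipalName form (user@domain): AD accepts it as-is for a simple
  // bind, which is why "squid@jian.com" worked without any DN at all.
  if (id.indexOf("=") === -1 && id.indexOf("@") !== -1) {
    return { form: "upn", bindName: id, warnings: warnings };
  }

  var parts = id.split(",").map(function (p) { return p.trim(); });
  var keys = parts.map(function (p) { return p.split("=")[0].toLowerCase(); });

  // AD's built-in Users container is a container (CN=Users), not an OU, so
  // "ou=Users" names a non-existent object unless an OU was created by hand.
  if (parts.some(function (p) { return p.toLowerCase() === "ou=users"; })) {
    warnings.push("ou=Users does not exist by default; the built-in container is cn=Users");
  }

  // A DN ending in dc= components already carries the domain; anything else
  // is relative and must have the base appended before it can bind.
  if (keys[keys.length - 1] === "dc") {
    return { form: "dn", bindName: id, warnings: warnings };
  }
  warnings.push("relative DN: appended base " + baseDn);
  return { form: "relative-dn", bindName: id + "," + baseDn, warnings: warnings };
}

// Summarise the three identities from the thread side by side.
function compareThreadIdentities() {
  return [
    "cn=squid,cn=Users,dc=jian,dc=com", // squid.conf -D value (worked)
    "cn=squid,ou=Users",                // DansGuardian LDAP form (invalid credentials)
    "squid@jian.com"                    // marcelloc's suggestion (worked)
  ].map(function (id) { return classifyBindIdentity(id, BASE_DN); });
}
```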
                    • G
                      gdy1039
                      last edited by Apr 19, 2013, 9:36 AM

                      I still have a problem.
                      If I access the Squid port it prompts for login and password; if correct, it passes.
                      If I access DansGuardian, Explorer directly prompts "cache access deny,until you have authenticated yourself."

                      Who knows how to correct this?

                      • M
                        marcelloc
                        last edited by Apr 19, 2013, 12:50 PM

                        @gdy1039:

                        Who knows how to correct this?

                        Configure DansGuardian auth to pass to Squid on the General tab -> auth plugin.

                        Elite Training: http://sys-squad.com

                        Help a community developer! ;D

                        • G
                          gdy1039
                          last edited by Apr 22, 2013, 9:37 AM

                          I found the problem.
                          In fact my test should be:

                          1: If I access the Squid port 3128 it prompts for login and password; if correct, it passes.

                          2: If I access the DansGuardian port 8080 it prompts for login and password; if correct, it passes.

                          3: If I make a NAT redirect of any port to 8080 in pfSense, then access the default port 80 in Explorer, it directly prompts access denied.

                          I am trying to correct this.

                          And another thing:

                          1: I directly input the username in the DansGuardian Users tab, and DansGuardian also works. So if we just have a few users, we can input them directly instead of adding an LDAP. Right?
                          2: I add the LDAP and run dansguardian_ldap.php successfully, and then delete the username in the Users tab; after 2 minutes it does not update automatically.

                          Dear marcelloc, are you here? ;D

                          • M
                            marcelloc
                            last edited by Apr 22, 2013, 1:55 PM

                            @gdy1039:

                            If I make a NAT redirect of any port to 8080 in pfSense, then access the default port 80 in Explorer, it directly prompts access denied.

                            I am trying to correct this.

                            Authentication does not work with transparent proxy. Use proxy pac/wpad to configure client browsers.

                            @gdy1039:

                            1: I directly input the username in the DansGuardian Users tab, and DansGuardian also works. So if we just have a few users, we can input them directly instead of adding an LDAP. Right?

                            Yes

                            @gdy1039:

                            2: I add the LDAP and run dansguardian_ldap.php successfully, and then delete the username in the Users tab; after 2 minutes it does not update automatically.

                            What update frequency did you configure for the LDAP fetch?

                            Elite Training: http://sys-squad.com

                            Help a community developer! ;D

                            • G
                              gdy1039
                              last edited by Apr 23, 2013, 2:04 AM

                              @marcelloc:

                              @gdy1039:

                              If I make a NAT redirect of any port to 8080 in pfSense, then access the default port 80 in Explorer, it directly prompts access denied.

                              I am trying to correct this.

                              Authentication does not work with transparent proxy. Use proxy pac/wpad to configure client browsers.

                              In that case, the topology is: web request –> nat(80 redirect to 8080) --> dansguardian(8080) --> squid(3128) --> pfsense nat --> internet
                              So I have not set the transparent proxy in Squid.
                              I made this config because I want zero config on the client.

                              • M
                                marcelloc
                                last edited by Apr 23, 2013, 4:32 AM

                                web request –> nat(80 redirect to 8080) = transparent proxy

                                Elite Training: http://sys-squad.com

                                Help a community developer! ;D

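marcelloc's last two replies make the same point: once port 80 is intercepted by a NAT redirect, the browser does not know it is talking to a proxy, so it never answers the 407 proxy-authentication challenge and the request is simply denied. As an added example that is not part of the thread, here is a minimal proxy.pac that points clients explicitly at the DansGuardian listener on port 8080 so the challenge reaches them; 192.0.2.1 is a placeholder for the pfSense LAN address.

```javascript
// Added example: proxy.pac for the topology in this thread. Clients learn of
// the proxy explicitly (via PAC or WPAD), so the 407 challenge from
// DansGuardian/Squid reaches the browser instead of being lost behind the
// port-80 NAT redirect. 192.0.2.1 is a placeholder for the pfSense LAN address.
var FILTER_PROXY = "PROXY 192.0.2.1:8080"; // DansGuardian listener from the thread

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label intranet names and the firewall itself are reached directly.
  if (host.indexOf(".") === -1 || host === "192.0.2.1") {
    return "DIRECT";
  }
  // Loopback and RFC 1918 address literals bypass the filter as well. A regex
  // is used instead of the browser's isInNet() so the file also runs under Node.
  if (/^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)\d/.test(host)) {
    return "DIRECT";
  }
  // Everything else must traverse DansGuardian. Deliberately no "; DIRECT"
  // fallback: if the filter is down, browsing fails closed rather than
  // silently bypassing content filtering and authentication.
  return FILTER_PROXY;
}
```

For WPAD discovery the same file is served as wpad.dat with the Content-Type application/x-ns-proxy-autoconfig; the browser then sends Proxy-Authorization to port 8080 and the deny page from the thread no longer appears.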
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.