Problems with Squid + SquidGuard + AD: error after reboot - SOLVED



  • Hi everyone…
    After rebooting my server, it came back with a very strange problem.
    Authentication was working normally, and so was browsing.
    Now every site I visit returns:


    Request denied by pfSense proxy: 403 Forbidden

    Reason:
    Client address: 192.168.30.150
    Client user: nome.sobrenome
    Client group: default
    Target group: none
    URL: http://www.microsoft.com.br/


    It does not detect which group the authenticated user belongs to.
    This user is in the group configured as follows:
    ldapusersearch ldap://192.168.10.204/DC=Empresa,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Proxy_Administrativo,OU=Servicos,OU=TI,OU=Empresa,DC=Empresa,DC=local))

    access.log
    1375126470.397     30 192.168.30.150 TCP_MISS/403 672 GET http://www.microsoft.com.br/ nome.sobrenome DIRECT/192.168.10.252 text/html
    1375126471.251     29 192.168.30.150 TCP_MISS/403 672 GET http://www.microsoft.com.br/ nome.sobrenome DIRECT/192.168.10.252 text/html
    1375126471.681      2 192.168.30.150 TCP_MISS/403 672 GET http://www.microsoft.com.br/ nome.sobrenome DIRECT/192.168.10.252 text/html

    cache.log
    2013/07/29 16:33:09| Reconfiguring Squid Cache (version 2.7.STABLE9)...
    2013/07/29 16:33:09| FD 71 Closing HTTP connection
    2013/07/29 16:33:09| FD 72 Closing HTCP socket
    2013/07/29 16:33:09| FD 74 Closing SNMP socket
    2013/07/29 16:33:09| logfileClose: closing log /var/squid/logs/access.log
    2013/07/29 16:33:09| Including Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
    2013/07/29 16:33:09| Cache dir '/var/squid/cache' size remains unchanged at 4296704 KB
    2013/07/29 16:33:09| Initialising SSL.
    2013/07/29 16:33:09| logfileOpen: opening log /var/squid/logs/access.log
    2013/07/29 16:33:09| Store logging disabled
    2013/07/29 16:33:09| Referer logging is disabled.
    2013/07/29 16:33:09| DNS Socket created at 0.0.0.0, port 26961, FD 12
    2013/07/29 16:33:09| Adding nameserver 192.168.10.204 from squid.conf
    2013/07/29 16:33:09| Adding nameserver 192.168.10.205 from squid.conf
    2013/07/29 16:33:09| helperOpenServers: Starting 5 'squidGuard' processes
    2013/07/29 16:33:09| helperOpenServers: Starting 50 'squid_ldap_auth' processes
    2013/07/29 16:33:09| Accepting proxy HTTP connections at 192.168.10.252, port 3128, FD 71.
    2013/07/29 16:33:09| Accepting HTCP messages on port 4827, FD 72.
    2013/07/29 16:33:09| Accepting SNMP messages on port 3401, FD 74.
    2013/07/29 16:33:09| WCCP Disabled.
    2013/07/29 16:33:09| Loaded Icons.
    2013/07/29 16:33:09| Ready to serve requests.

    Any suggestions as to where the error might be?



  • Everyone, take a look at the squidGuard.log

    2013-07-30 09:47:06 [33069] New setting: logdir: /var/squidGuard/log
    2013-07-30 09:47:06 [33069] New setting: dbhome: /var/db/squidGuard
    2013-07-30 09:47:06 [33069] New setting: ldapbinddn: CN=squid,OU=Servicos,OU=TI,OU=Empresa,DC=Empresa,DC=local
    2013-07-30 09:47:06 [33069] New setting: ldapbindpass: Squid9957
    2013-07-30 09:47:06 [33069] New setting: ldapprotover: 3
    2013-07-30 09:47:06 [32537] logfile not allowed in acl other than default
    2013-07-30 09:47:06 [33069] init domainlist /var/db/squidGuard/lista-branca/domains
    2013-07-30 09:47:06 [33069] loading dbfile /var/db/squidGuard/lista-branca/domains.db
    2013-07-30 09:47:06 [32537] logfile not allowed in acl other than default
    2013-07-30 09:47:06 [33069] init domainlist /var/db/squidGuard/Administrativo/domains
    2013-07-30 09:47:06 [33069] loading dbfile /var/db/squidGuard/Administrativo/domains.db
    2013-07-30 09:47:06 [32537] logfile not allowed in acl other than default
    2013-07-30 09:47:06 [33069] init domainlist /var/db/squidGuard/Gerentes/domains
    2013-07-30 09:47:06 [33069] loading dbfile /var/db/squidGuard/Gerentes/domains.db
    2013-07-30 09:47:06 [32537] squidGuard 1.4 started (1375188426.780)
    2013-07-30 09:47:06 [33069] init domainlist /var/db/squidGuard/RH/domains
    2013-07-30 09:47:06 [33069] loading dbfile /var/db/squidGuard/RH/domains.db
    2013-07-30 09:47:06 [32537] squidGuard ready for requests (1375188426.794)
    2013-07-30 09:47:06 [33069] logfile not allowed in acl other than default
    2013-07-30 09:47:06 [33069] logfile not allowed in acl other than default
    2013-07-30 09:47:06 [33069] logfile not allowed in acl other than default
    2013-07-30 09:47:06 [33069] logfile not allowed in acl other than default
    2013-07-30 09:47:06 [33069] squidGuard 1.4 started (1375188426.791)
    2013-07-30 09:47:06 [33069] squidGuard ready for requests (1375188426.795)

    2013-07-30 09:47:25 [32231] (squidGuard): ldap_search_ext_s failed: Operations error (params: DC=Empresa,DC=local, 2, (&(sAMAccountName=homolog)(memberOf=CN=Proxy-Adm,OU=Servicos,OU=TI,OU=Empresa,DC=Empresa,DC=local)), sAMAccountName)
    2013-07-30 09:47:25 [32231] Added LDAP source: homolog

    It seems to be something in the search parameter… But I still haven't found anything, not even in the Squid documentation.

    Has anyone seen this problem before?



  • Everyone, I solved the problem!

    I made the following changes, in case anyone runs into this difficulty:

    Proxy Server > Auth Settings > LDAP base domain >
    DC=empresa,DC=local -R

    Proxy filter > Groups ACL > Client (source) >
    ldapusersearch ldap://192.168.10.204:3268/DC=empresa,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Proxy-Adm,OU=Servicos,OU=TI,OU=empresa,DC=empresa,DC=local))

    The -R is to do a recursive search in the directory.
    And port 3268 instead of 389 is to search a Global Catalog.

    I hope this helps someone!

    Admin can close the topic!
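
A triage helper for the symptoms in this thread, as an added example that is not part of the original posts: it pulls failed group lookups out of squidGuard.log, splits an `ldapusersearch` URL into host, port, base and filter so the before and after settings can be compared, and masks the bind password that squidGuard writes to its log at startup. The function names are hypothetical and the sample log is constructed in the format quoted above, with a placeholder password.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the squidGuard.log format quoted in the thread.
SAMPLE_LOG = """\
2013-07-30 09:47:06 [33069] New setting: ldapbindpass: EXAMPLE-SECRET
2013-07-30 09:47:25 [32231] (squidGuard): ldap_search_ext_s failed: Operations error (params: DC=Empresa,DC=local, 2, (&(sAMAccountName=homolog)(memberOf=CN=Proxy-Adm,OU=Servicos,OU=TI,OU=Empresa,DC=Empresa,DC=local)), sAMAccountName)
2013-07-30 09:47:25 [32231] Added LDAP source: homolog
"""

FAIL_RE = re.compile(
    r"ldap_search_ext_s failed: (?P<error>.+?) \(params: (?P<base>.+?), "
    r"(?P<scope>\d+), (?P<filter>\(.*\)), (?P<attr>[^,()]+)\)$")
SECRET_RE = re.compile(r"(New setting: ldapbindpass: ).*")


def ldap_failures(log_text):
    """Return one record per failed group lookup (user, group CN, base, error)."""
    records = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        user = re.search(r"\(sAMAccountName=([^)]*)\)", rec["filter"])
        group = re.search(r"\(memberOf=CN=([^,)]*)", rec["filter"])
        rec["user"] = user.group(1) if user else None
        rec["group"] = group.group(1) if group else None
        records.append(rec)
    return records


def redact(log_text):
    """Mask the LDAP bind password that squidGuard echoes at startup."""
    return SECRET_RE.sub(r"\1[REDACTED]", log_text)


def describe_source(url):
    """Split ldap://host[:port]/base?attr?scope?filter into its parts."""
    parts = urlsplit(url)
    attr, scope, ldap_filter = parts.query.split("?", 2)
    return {"host": parts.hostname, "port": parts.port or 389,
            "base": parts.path.lstrip("/"), "attr": attr, "scope": scope,
            "filter": ldap_filter}


if __name__ == "__main__":
    for rec in ldap_failures(SAMPLE_LOG):
        print(rec["user"], rec["group"], rec["base"], rec["error"])
    print(redact(SAMPLE_LOG).splitlines()[0])
```

Run `redact()` over a squidGuard.log before pasting it into a forum or ticket; the log in this thread shows that the `ldapbindpass` setting is written there in clear text.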