Netgate Discussion Forum

Problems with Squid + SquidGuard + AD: error after reboot - SOLVED

    fredmdl
    last edited by Jul 30, 2013, 3:06 PM Jul 29, 2013, 7:40 PM

    Hi everyone…
    After rebooting my server, it came back with a very strange problem.
    Authentication was working normally, and so was browsing.
    Now any site I open returns:


    Request denied by pfSense proxy: 403 Forbidden

    Reason:
    Client address: 192.168.30.150
    Client user: nome.sobrenome
    Client group: default
    Target group: none
    URL: http://www.microsoft.com.br/


    It does not detect which group the authenticated user belongs to.
    In this case the user is in the group configured as follows:
    ldapusersearch ldap://192.168.10.204/DC=Empresa,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Proxy_Administrativo,OU=Servicos,OU=TI,OU=Empresa,DC=Empresa,DC=local))

    access.log
    1375126470.397     30 192.168.30.150 TCP_MISS/403 672 GET http://www.microsoft.com.br/ nome.sobrenome DIRECT/192.168.10.252 text/html
    1375126471.251     29 192.168.30.150 TCP_MISS/403 672 GET http://www.microsoft.com.br/ nome.sobrenome DIRECT/192.168.10.252 text/html
    1375126471.681      2 192.168.30.150 TCP_MISS/403 672 GET http://www.microsoft.com.br/ nome.sobrenome DIRECT/192.168.10.252 text/html

    cache.log
    2013/07/29 16:33:09| Reconfiguring Squid Cache (version 2.7.STABLE9)...
    2013/07/29 16:33:09| FD 71 Closing HTTP connection
    2013/07/29 16:33:09| FD 72 Closing HTCP socket
    2013/07/29 16:33:09| FD 74 Closing SNMP socket
    2013/07/29 16:33:09| logfileClose: closing log /var/squid/logs/access.log
    2013/07/29 16:33:09| Including Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
    2013/07/29 16:33:09| Cache dir '/var/squid/cache' size remains unchanged at 4296704 KB
    2013/07/29 16:33:09| Initialising SSL.
    2013/07/29 16:33:09| logfileOpen: opening log /var/squid/logs/access.log
    2013/07/29 16:33:09| Store logging disabled
    2013/07/29 16:33:09| Referer logging is disabled.
    2013/07/29 16:33:09| DNS Socket created at 0.0.0.0, port 26961, FD 12
    2013/07/29 16:33:09| Adding nameserver 192.168.10.204 from squid.conf
    2013/07/29 16:33:09| Adding nameserver 192.168.10.205 from squid.conf
    2013/07/29 16:33:09| helperOpenServers: Starting 5 'squidGuard' processes
    2013/07/29 16:33:09| helperOpenServers: Starting 50 'squid_ldap_auth' processes
    2013/07/29 16:33:09| Accepting proxy HTTP connections at 192.168.10.252, port 3128, FD 71.
    2013/07/29 16:33:09| Accepting HTCP messages on port 4827, FD 72.
    2013/07/29 16:33:09| Accepting SNMP messages on port 3401, FD 74.
    2013/07/29 16:33:09| WCCP Disabled.
    2013/07/29 16:33:09| Loaded Icons.
    2013/07/29 16:33:09| Ready to serve requests.

    Any suggestions as to where the error might be?

      fredmdl
      last edited by Jul 30, 2013, 12:48 PM

      Everyone, just look at the squidGuard.log

      2013-07-30 09:47:06 [33069] New setting: logdir: /var/squidGuard/log
      2013-07-30 09:47:06 [33069] New setting: dbhome: /var/db/squidGuard
      2013-07-30 09:47:06 [33069] New setting: ldapbinddn: CN=squid,OU=Servicos,OU=TI,OU=Empresa,DC=Empresa,DC=local
      2013-07-30 09:47:06 [33069] New setting: ldapbindpass: Squid9957
      2013-07-30 09:47:06 [33069] New setting: ldapprotover: 3
      2013-07-30 09:47:06 [32537] logfile not allowed in acl other than default
      2013-07-30 09:47:06 [33069] init domainlist /var/db/squidGuard/lista-branca/domains
      2013-07-30 09:47:06 [33069] loading dbfile /var/db/squidGuard/lista-branca/domains.db
      2013-07-30 09:47:06 [32537] logfile not allowed in acl other than default
      2013-07-30 09:47:06 [33069] init domainlist /var/db/squidGuard/Administrativo/domains
      2013-07-30 09:47:06 [33069] loading dbfile /var/db/squidGuard/Administrativo/domains.db
      2013-07-30 09:47:06 [32537] logfile not allowed in acl other than default
      2013-07-30 09:47:06 [33069] init domainlist /var/db/squidGuard/Gerentes/domains
      2013-07-30 09:47:06 [33069] loading dbfile /var/db/squidGuard/Gerentes/domains.db
      2013-07-30 09:47:06 [32537] squidGuard 1.4 started (1375188426.780)
      2013-07-30 09:47:06 [33069] init domainlist /var/db/squidGuard/RH/domains
      2013-07-30 09:47:06 [33069] loading dbfile /var/db/squidGuard/RH/domains.db
      2013-07-30 09:47:06 [32537] squidGuard ready for requests (1375188426.794)
      2013-07-30 09:47:06 [33069] logfile not allowed in acl other than default
      2013-07-30 09:47:06 [33069] logfile not allowed in acl other than default
      2013-07-30 09:47:06 [33069] logfile not allowed in acl other than default
      2013-07-30 09:47:06 [33069] logfile not allowed in acl other than default
      2013-07-30 09:47:06 [33069] squidGuard 1.4 started (1375188426.791)
      2013-07-30 09:47:06 [33069] squidGuard ready for requests (1375188426.795)

      2013-07-30 09:47:25 [32231] (squidGuard): ldap_search_ext_s failed: Operations error (params: DC=Empresa,DC=local, 2, (&(sAMAccountName=homolog)(memberOf=CN=Proxy-Adm,OU=Servicos,OU=TI,OU=Empresa,DC=Empresa,DC=local)), sAMAccountName)
      2013-07-30 09:47:25 [32231] Added LDAP source: homolog

      It seems to be something in the search parameter… But I still haven't found anything, not even in the Squid documentation.

      Has anyone seen this problem before?

        fredmdl
        last edited by Jul 30, 2013, 3:05 PM

        Everyone, I solved the problem!

        I made the following changes, in case anyone runs into this difficulty:

        Proxy Server > Auth Settings > LDAP base domain >
        DC=empresa,DC=local -R

        Proxy filter > Groups ACL > Client (source) >
        ldapusersearch ldap://192.168.10.204:3268/DC=empresa,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Proxy-Adm,OU=Servicos,OU=TI,OU=empresa,DC=empresa,DC=local))

        The -R is to do a recursive search of the directory
        And port 3268 instead of 389 is to run the search against a Global Catalog.

        I hope this helps someone!

        Admin can close the topic!

        1 Reply Last reply Reply Quote 0
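
Added example, not part of the original posts and not pfSense or squidGuard code: a Python sketch that parses the thread's `ldapusersearch` lines and its squidGuard.log failure line, and flags a subtree search of the domain root on a port that is not a Global Catalog port. The function names and the flagging rule are assumptions made for illustration; the sample strings are copied from the posts above.

```python
import re
from urllib.parse import urlsplit

GC_PORTS = {3268, 3269}  # Active Directory Global Catalog, LDAP and LDAPS
FAIL_RE = re.compile(r"ldap_search_ext_s failed: (?P<error>.+?) \(params: (?P<base>.+?), "
                     r"(?P<scope>\d+), (?P<filter>\(.*\)), (?P<attr>\w+)\)")

# Sample input copied from the thread (config before/after the fix, one log line).
BEFORE = "ldapusersearch ldap://192.168.10.204/DC=Empresa,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Proxy_Administrativo,OU=Servicos,OU=TI,OU=Empresa,DC=Empresa,DC=local))"
AFTER = "ldapusersearch ldap://192.168.10.204:3268/DC=empresa,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Proxy-Adm,OU=Servicos,OU=TI,OU=empresa,DC=empresa,DC=local))"
LOG = "2013-07-30 09:47:25 [32231] (squidGuard): ldap_search_ext_s failed: Operations error (params: DC=Empresa,DC=local, 2, (&(sAMAccountName=homolog)(memberOf=CN=Proxy-Adm,OU=Servicos,OU=TI,OU=Empresa,DC=Empresa,DC=local)), sAMAccountName)"

def parse_source(line):
    """Split a squidGuard 'ldapusersearch' line into its LDAP URL fields."""
    url = urlsplit(line.strip().split(None, 1)[-1])
    attr, scope, flt = url.query.split("?", 2)  # attribute ? scope ? filter
    default_port = 636 if url.scheme == "ldaps" else 389
    return {"host": url.hostname, "port": url.port or default_port,
            "base": url.path.lstrip("/"), "attr": attr, "scope": scope, "filter": flt}

def is_domain_root(base):
    """True when every RDN of the search base is a DC= component."""
    return all(rdn.strip().upper().startswith("DC=") for rdn in base.split(","))

def review_source(line):
    """Assumed rule: flag 'sub' searches of the domain root on a non-GC port."""
    src = parse_source(line)
    risky = (src["scope"] == "sub" and is_domain_root(src["base"])
             and src["port"] not in GC_PORTS)
    return src, risky

def failed_lookups(log_text):
    """Return one record per 'ldap_search_ext_s failed' line in squidGuard.log."""
    records = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            user = re.search(r"\(sAMAccountName=([^)]*)\)", m["filter"])
            records.append({"error": m["error"], "base": m["base"],
                            "scope": int(m["scope"]),  # 2 = LDAP subtree scope
                            "user": user and user.group(1)})
    return records

if __name__ == "__main__":
    for name, line in (("before", BEFORE), ("after", AFTER)):
        src, risky = review_source(line)
        print(name, src["host"], src["port"], src["base"], "FLAG" if risky else "ok")
    for rec in failed_lookups(LOG):
        print(rec)
```

A failed group lookup leaves the user in the `default` client group, which is what the 403 page in the first post shows, so a non-empty `failed_lookups()` result after a reboot is worth alerting on.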