Squid + SquidGuard + AD
-
Hi all,
after one week of configuration and googling and reading n tutorials I decided to annoy you :P.
What do I want?
A proxy with different access groups managed by Active Directory.
Where is my problem?
As long as I'm leaving LDAP off in SquidGuard it's working fine.
My groups are filtered by IP (just for testing to see if squidGuard is working).
I also tested squid alone - to check AD. And it's working.
When the user is in the AD group he gets unrestricted access. When not, he doesn't get any access.
The problem occurred after turning on AD in squid guard. After that any user (after authentication against squid) gets full access and it seems like squid guard is ignoring all ACLs. Even the common default one.
Even when I set up everything to deny anything it is completely open.
Can you maybe help me?
My LDAP search string in squid guard for the group ACL is:
```
ldapusersearch ldap://192.168.0.1:389/DC=mydomain,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=mydomain%2cDC=local))
```
On the general tab it's:
```
cn=administrator,cn=Users,dc=mydomain,dc=local
```
Strip Kerberos Realm - enabled
Strip NT domain - enabled
Common ACL is:
```
whitelist !all
```
Now I have squid 2 and squid guard installed through the packages menu.
I also reinstalled pfsense and tried the virtual appliance as well as squid3.
Maybe you can help me.
Many thanks + sorry for my English
-
Sorry you are ahead of me at this point so I won't be of much help right now. I'm still in the testing phases of squid2, and haven't tried LDAP yet. I am wondering though, have you tested white-listing via the Access Control tab? I have a customer that wants to block everything, which is easy enough by setting everything to deny. I know, however, that they will eventually start wanting to allow a few sites here and there for work related purposes. Then, they will want LDAP setup so they can whitelist sites for managers and executives only (IP based won't work as they are on a TERM server). I am trying to stay ahead of the game so when I implement this I know everything will work as expected, however I can't get my test sites to load after they have been blocked by category (only the favicon comes through after white-listing). The categories and websites I tried were [Finance Insurance: esurance.com] and [webmail: hotmail.com]. Just interested in knowing if it's a setup issue, or a problem with Squid.
Second question, how did your Squid 3 testing go? I downloaded the newest versions and the services did not want to start. Didn't spend too much time on this though as I didn't really want to implement a beta package into production anyway.
As for your question I will be testing the LDAP setup in my lab this week, so at the very least I will be able to tell if I get the same results as you. I opened up a thread a week or two ago for my questions, but no replies yet :-( . Good luck on getting this worked out! I will be posting back my LDAP results at some point this week.
-
Try using the Global Catalog port from AD:
Reference: http://www.squidguard.org/Doc/ldap-ad-tips.html
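
The `ldapusersearch` URL from the first post, taken apart the way an administrator would before testing the lookup against AD by hand. This is an added example, not code from any poster or from squidGuard; the function names are hypothetical, and the effect of the two "Strip" options modelled in `strip_identity` is an assumption. The port check relates to the Global Catalog tip above (3268, or 3269 over TLS).

```python
import re
from urllib.parse import unquote

# The ldapusersearch URL quoted in the first post (host and DNs are the poster's).
URL = ("ldap://192.168.0.1:389/DC=mydomain,DC=local?sAMAccountName?sub?"
       "(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=mydomain%2cDC=local))")

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into its parts and percent-decode them."""
    m = re.match(r"^(ldaps?)://([^/:?]+)(?::(\d+))?/(.*)$", url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL")
    scheme, host, port, rest = m.groups()
    parts = rest.split("?", 3)
    if len(parts) != 4:
        raise ValueError("expected base?attribute?scope?filter")
    # "%s" is not a valid percent-escape, so unquote() leaves the placeholder intact.
    base, attr, scope, flt = (unquote(p) for p in parts)
    return {"scheme": scheme, "host": host,
            "port": int(port or (636 if scheme == "ldaps" else 389)),
            "base": base, "attr": attr, "scope": scope, "filter": flt}

def strip_identity(login):
    """Assumed effect of 'Strip NT domain' / 'Strip Kerberos Realm': bare account name."""
    return login.rsplit("\\", 1)[-1].split("@", 1)[0]

def escape_filter_value(value):
    """RFC 4515 escaping so a login cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_query(url, login):
    """Return the parsed URL with %s replaced by the stripped, escaped login."""
    q = parse_ldap_url(url)
    if "%s" not in q["filter"]:
        raise ValueError("filter has no %s placeholder for the user name")
    q["filter"] = q["filter"].replace("%s", escape_filter_value(strip_identity(login)))
    return q

def review(q):
    """Notes to check before relying on this lookup for access decisions."""
    notes = []
    if q["scheme"] == "ldap":
        notes.append("ldap:// without TLS: a simple bind sends the bind password in clear")
    if q["port"] not in (3268, 3269):
        notes.append("not a Global Catalog port (3268/3269)")
    return notes

if __name__ == "__main__":
    q = build_query(URL, "MYDOMAIN\\jdoe")  # constructed sample login
    print(q["base"], q["scope"], q["filter"], review(q), sep="\n")
```

The printed base, scope and filter can be run in any LDAP client to confirm that the group lookup returns an entry for a member of the group and nothing for a non-member.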
-
Hi,
thx for your answer.
AD is not working. But anyway.
@nislink: you have to use squidguard for whitelisting. It is working fine.
-
First of all, I want to report that I found a bug in the squidguard binary, which generates errors in queries.
To do this, update the package failover by typing in the pfSense console or Diagnostics > Command Prompt these two commands in sequence:
```
pkg_delete squidGuard-1.4_4
pkg_add -r http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
```
Pay attention only to the CPU architecture you use and select the corrected package for that architecture:
http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-i386/All/squidGuard-1.4_4.tbz
Thus, the queries will not have more problems.
-
Hi man!
Thx! I will test it!
rgds
-
Having the same problem. Is there already a working solution?
-
Sorry, my fault, now it works. thank you
-
I just tried to use your updated package. Unfortunately I was told that there are some files missing on the server… (pkg_add -r http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz)
Could you upload the missing files?
-
plz help
after executing the command
```
pkg_add -r http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
```
I got
```
pkg_add: Command not found.
```
try with
```
pkg add http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
Fetching squidGuard-1.4_4.tbz: 100% 47 KiB 47.9kB/s 00:01
pkg: /tmp/squidGuard-1.4_4.tbz.XXXXX is not a valid package: no manifest found
```
I downloaded this package and copied it to pfsense, entered the shell and ran
```
pkg add squidGuard-1.4_4.tbz
pkg: squidGuard-1.4_4.tbz is not a valid package: no manifest found
```
I'm on pfs 2.2, can you help me ???
I spent 3 weeks looking for the best workaround to get squidGuard to apply filters with AD Groups
-
I gave it another try with pfs 2.0.3, the pkg_add -r is working but I got another issue
```
[2.0.3-RELEASE][root@pfSense.localdomain]/usr/local/bin(24): pkg_add -r http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
Fetching http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz... Done.
Error: Unable to get http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/db41-4.1.25_4.tbz: Not Found
pkg_add: can't open dependency file '/var/db/pkg/db41-4.1.25_4/+REQUIRED_BY'!
dependency registration is incomplete
===================================================================
= In order to activate squidGuard you have to edit squid.conf
= To the contain "url_rewrite_program /usr/local/bin/squidGuard"
= and create a configuration file for squidGuard.
=
= On disinstallation if you want to completely remove the blacklists
= you will have to manually remove what remains in /var/db/squidGuard.
=
= To activate the changes do a /usr/local/sbin/squid -k reconfigure
===================================================================
```
-
@Luiz Gustavo, are there now other repositories working?