Dansguardion drives me mad… :/
I'm trying to get the following setting to work:
- proxy with ldap auth (squid 3 beta package)
- dansguardian with groups / users white/blacklists
The first part works perfect. The squid Proxy connects to the ldap server (Windows Server 2008R2) the way it is ment to work.
My next step was to setup dansguardian and here starts the confusion. Do I have to use the LDAP configuration provided by the dansguardian package or is this already done by connecting the squid3 to the ldap?
Because I didn't know how to do I've given even dansguardian all the settings to connect to the AD and according to the descriptions at the group configuration I've added some groups to the AD with the same naming as my groups at dansguardian. Was that right?
Anyway it looks like this didn't work. Next step I did was adding users to the users list (at dansguardian gui) and THIS made it work. I had an ACL blocking facebook, a group named facebook and my test user added to this group. It was successfully blocked. My next step was to add a second ACL and a second group and I've added the user to this group as well… but no blocking. :/ Whatever I do the user can still access the sites blocked in the ACL. I am really confused and I would apprecciate any kind of help!
Edit: Uha... is it possible that every user can only be in one group? I removed the user from the facebook group and left him in the second group and THEN he was blocled for the sites of this group.
DG user matching goes in an ACL manner - once a rule is matched, it exits the match block. To answer your question, yes, you can only have one user per group. Whichever group is matched first will be the one that user receives the block/pass for.
Regarding LDAP, users are directly hitting Dansguardian and, ideally, never touching squid (otherwise they'd be able to bypass DG very easily). You will have to authenticate via Dansguardian. If your LDAP configuration is correctly pulling in users, they should be filtered accordingly. If you'd like an example of my working config (though I use ident for my authentication, I still have LDAP pulling in users for a couple groups), let me know.
Thanks for you answer. Its good to have an explanation and to see that it is not a faulty configuration but ment that way and yes I would surely appreciate any kind of example configuration. It might give me some hints about a proper setup.
If I could wish something for a new version of ds (and NO I don't claim!) it would be a bit more in place help. First time I entered the gui I really didn't know where to start and how the whole system works. Took me a lot of trial and error.
BTW I got the /tmp access error directly after a new installation.