[FUG-BR] Ajuda com squid_ldap_auth
Ricardo Souza
ricardo.souza em ti.cmtsp.com.br
Sexta Dezembro 18 16:51:19 BRST 2009
caos# /usr/local/libexec/squid/squid_ldap_group -R -b
"OU=Intranet,DC=AUTOPASS" -D "CN=squid,CN=Users,DC=AUTOPASS" -w
"mypass" -f "(&(objectclass=person)(sAMAccountName=rasouza)(memberof=cn=%a,ou=Internet,dc=autopass))"
-h 192.168.9.12:389
USERID squid PASSWORD mypas
squid_ldap_group WARNING, LDAP search error 'No such object'
squid_ldap_group WARNING, LDAP search error 'No such object'
squid_ldap_group WARNING, LDAP search error 'No such object'
ERR
^C
caos#
Estou quase lá!
2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
> AEW..
>
>
> consegui rodar o ldapsearch.
>
> ldapsearch -b "CN=squid,CN=Users,DC=AUTOPASS" -D
> "CN=squid,CN=Users,DC=AUTOPASS" -w "mypass" -h 192.168.9.12:389
>
>
> # extended LDIF
> #
> # LDAPv3
> # base <CN=squid,CN=Users,DC=AUTOPASS> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # squid, Users, AUTOPASS
> dn: CN=squid,CN=Users,DC=AUTOPASS
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: squid
> givenName: squid
> distinguishedName: CN=squid,CN=Users,DC=AUTOPASS
> instanceType: 4
> whenCreated: 20091218183503.0Z
> whenChanged: 20091218183835.0Z
> displayName: squid
> uSNCreated: 270480
> uSNChanged: 270501
> name: squid
> objectGUID:: 4XXzOkIREUqcOnLRQJHBNA==
> userAccountControl: 66048
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 129056349038798893
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAq/a0vxuVjyQhgb1QKwUAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: squid
> sAMAccountType: 805306368
> userPrincipalName: squid em AUTOPASS
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AUTOPASS
> dSCorePropagationData: 16010101000000.0Z
> lastLogonTimestamp: 129056351153699501
>
>
> Só que o squid_ldap_auth e o squid_ldap_group continuam sem retornar nada.
>
> Alguma sugestão?
>
>
>
>
> 2009/12/18 Alessandro de Souza Rocha <etherlinkii em gmail.com>:
>> Esta linha não está errada, não.
>> # As linhas abaixo se referem a autenticacao de users no AD
>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b
>> "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h
>> 192.168.9.12:389 (isto é a porta)
>>
>>
>> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>>> Agora não está dando erro, porém está me negando tudo.
>>>
>>> Como eu não consigo rodar o squid_ldap_auth para debugar, fica difícil.
>>>
>>> Meu squid.conf:
>>> http_port 192.168.9.10:3128
>>> icp_port 3130
>>> hierarchy_stoplist cgi-bin ?
>>> #acl QUERY urlpath_regex cgi-bin ?
>>> #no_cache deny QUERY
>>> cache_mem 1500 MB
>>> cache_swap_low 90
>>> cache_swap_high 95
>>> maximum_object_size 9216 KB
>>> ipcache_size 1024
>>> ipcache_low 90
>>> ipcache_high 95
>>> fqdncache_size 1024
>>> cache_replacement_policy lru
>>> memory_replacement_policy lru
>>> cache_dir ufs /usr/local/squid/cache 2500 16 100
>>> cache_access_log /usr/local/squid/logs/access.log
>>> cache_store_log none
>>>
>>> # As linhas abaixo se referem a autenticacao de users no AD
>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b
>>> "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h
>>> 192.168.9.12:389
>>> #/usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D
>>> "dc=autopass,cn=squid em autopass" -w "squid123qwe" -f "sAMAccountName=%s" -h
>>> 192.168.9.12
>>>
>>> auth_param basic realm Este acesso será registrado Digite sua login e senha
>>> auth_param basic children 5
>>> auth_param basic credentialsttl 15 minutes
>>>
>>> emulate_httpd_log on
>>> mime_table /usr/local/etc/squid/mime.conf
>>> pid_filename /usr/local/squid/logs/squid.pid
>>> ftp_user ftp em autopass.com.br
>>> ftp_passive on
>>> #unlinkd_program /usr/local/squid/libexec/unlinkd
>>>
>>> # ACL externa para autenticação nas bases LDAP do PDC
>>> external_acl_type ldap_group %LOGIN
>>> /usr/local/libexec/squid/squid_ldap_group -R -b "dc=autopass" -D
>>> "cn=autopass\squid,dc=autopass" -w "squid123qwe" -f
>>> "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,dc=autopass))"
>>> -h 192.168.9.12:389
>>>
>>>
>>> #acl all src 0.0.0.0/0.0.0.0
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl SSL_ports port 443 563 9141
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 81
>>> acl Safe_ports port 82
>>> acl Safe_ports port 85
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 563 # https, snews
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> # A ACL abaixo faz bloqueio de acesso por IP
>>> #acl block_ip src "/usr/local/squid/etc/ips_bloqueados"
>>>
>>> # A ACL abaixo efetua bloqueio do MSN
>>> #acl dst_msn dstdomain -i "/usr/local/squid/etc/msn_domain"
>>>
>>> # A ACL abaixo barra download de arquivos com extensões exe mp3 wma wmv mpg
>>> avi asf
>>> acl block_arq urlpath_regex -i .com$ .exe$ .scr$ .mp3$ .mpeg$ .wma$ .wmv$
>>> .mpg$ .avi$ .pif$
>>>
>>> #acl palavra_download url_regex -i
>>> "/usr/local/squid/etc/palavra_download-url"
>>>
>>> # As ACLs abaixo relaxam o controle de conteúdo das 12:00 as 13:30
>>> # Inserir os sites a serem liberados das 12 as 13 no arquivo
>>> /usr/local/squid/etc/libera_almoco
>>> #acl libera_sites url_regex -i "/usr/local/squid/etc/libera_almoco" #sites
>>> de "libera_almoco"
>>> #acl almoco time SMTWHFA 12:00-13:30
>>> #libera acesso das 12 as 13:30 #de segunda a domingo.
>>>
>>> # A ACL abaixo libera alguns sites para acesso sem autenticação como bancos,
>>> governo e Abrapetite
>>> acl libera_restritos dstdomain -i "/usr/local/squid/sites_liberados" #
>>> Libera alguns sites p/user s/acesso
>>>
>>> # ACLs de Controle de Conteúdo
>>> #acl dominio_bloqueado dstdomain -i "/usr/local/squid/etc/block_dominio"
>>> #acl dominio_liberado dstdomain -i "/usr/local/squid/etc/libera_dominio"
>>> #acl sex url_regex -i "/usr/local/squid/etc/porno"
>>> #acl nosex url_regex -i "/usr/local/squid/etc/naoporno"
>>> # ACLs_ACTIVE_DIRECTORY
>>> acl ldapAcessoRestrito external ldap_group AcessoRestrito # Grupo de acesso
>>> com restrições
>>> acl ldapAcessoPadrao external ldap_group AcessoPadrao # Acesso a internet
>>> padrão
>>> acl ldapAcessoTotal external ldap_group AcessoTotal # Acesso total a
>>> internet
>>> acl ldapAcessoDownload external ldap_group AcessoDownload # Libera download
>>> de arquivo com extensões bloqueadas.
>>>
>>> # A ACL abaixo desbloqueia download para o grupo AcessoPadrao
>>> #acl download_url url_regex "/usr/local/squid/etc/libera_download-url"
>>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> #http_access deny block_ip
>>>
>>> http_access allow libera_restritos
>>> http_access deny ldapAcessoRestrito
>>> http_access allow ldapAcessoTotal
>>> #http_access deny dst_msn
>>> #http_access allow dominio_liberado
>>> #http_access allow libera_sites almoco
>>> #http_access deny dominio_bloqueado
>>> #http_access allow ldapAcessoDownload block_arq
>>> #http_access allow ldapAcessoDownload palavra_download
>>> #http_access allow download_url
>>> #http_access deny block_arq
>>> #http_access allow nosex
>>> #http_access deny sex
>>> http_access allow ldapAcessoPadrao
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny all
>>> icp_access allow all
>>> cache_effective_user squid
>>> cache_effective_group squid
>>> visible_hostname proxy.reboucas.autopass.com.br
>>> unique_hostname proxy.reboucas.autopass.com.br
>>> append_domain .autopass.com.br
>>> acl local-servers dstdomain autopass.com.br
>>> acl local-serverspr dstdomain cmtsp.com.br
>>> always_direct allow local-servers
>>> always_direct allow local-serverspr
>>> #error_directory /usr/local/squid/share/errors/Portuguese
>>>
>>>
>>> access.log:
>>> 92.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET
>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET
>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:31 -0200] "GET
>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>
>>>
>>>
>>>
>>>
>>>
>>> 2009/12/18 Vinicius Abrahao <vinnix.bsd em gmail.com>
>>>
>>>> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>>>> > não consigo usar este também.
>>>> >
>>>> > ldap_bind: Invalid credentials (49)
>>>> > additional info: 80090308: LdapErr: DSID-0C0903AA, comment:
>>>> > AcceptSecurityContext error, data 525, v1772
>>>> > caos#
>>>> >
>>>>
>>>> Pelo que a IBM nos diz, 525 é "user not found":
>>>> http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
>>>>
>>>> Tenta confirmar que tua árvore LDAP está realmente assim:
>>>> "cn=squid,ou=users,dc=autopass"
>>>>
>>>> O programa ldifde pode te ajudar com isso:
>>>> http://www.computerperformance.co.uk/Logon/Logon_LDIFDE_Export.htm
>>>>
>>>>
>>>> Att,
>>>> Vinicius
>>>>
>>>
>>
>>
>>
>> --
>> Alessandro de Souza Rocha
>> Administrador de Redes e Sistemas
>> FreeBSD-BR User #117
>> Long live FreeBSD
>>
>> Powered by ....
>>
>> (__)
>> \\\'',)
>> \/ \ ^
>> .\._/_)
>>
>> www.FreeBSD.org
>>
>