[FUG-BR] Help with squid_ldap_auth

Alessandro de Souza Rocha etherlinkii em gmail.com
Fri Dec 18 17:00:23 BRST 2009


http://www.mail-archive.com/freebsd@fug.com.br/msg37677.html

2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
> caos# /usr/local/libexec/squid/squid_ldap_group -R -b
> "OU=Intranet,DC=AUTOPASS" -D "CN=squid,CN=Users,DC=AUTOPASS" -w
> "mypass" -f "(&(objectclass=person)(sAMAccountName=rasouza)(memberof=cn=%a,ou=Internet,dc=autopass))"
> -h 192.168.9.12:389
> USERID squid PASSWORD mypas
> squid_ldap_group WARNING, LDAP search error 'No such object'
> squid_ldap_group WARNING, LDAP search error 'No such object'
> squid_ldap_group WARNING, LDAP search error 'No such object'
> ERR
> ^C
> caos#
>
> Almost there!
>
>
>
>
> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>> Hey..
>>
>>
>> I managed to run ldapsearch.
>>
>> ldapsearch -b "CN=squid,CN=Users,DC=AUTOPASS" -D
>> "CN=squid,CN=Users,DC=AUTOPASS" -w "mypass" -h 192.168.9.12:389
>>
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <CN=squid,CN=Users,DC=AUTOPASS> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # squid, Users, AUTOPASS
>> dn: CN=squid,CN=Users,DC=AUTOPASS
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: squid
>> givenName: squid
>> distinguishedName: CN=squid,CN=Users,DC=AUTOPASS
>> instanceType: 4
>> whenCreated: 20091218183503.0Z
>> whenChanged: 20091218183835.0Z
>> displayName: squid
>> uSNCreated: 270480
>> uSNChanged: 270501
>> name: squid
>> objectGUID:: 4XXzOkIREUqcOnLRQJHBNA==
>> userAccountControl: 66048
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> pwdLastSet: 129056349038798893
>> primaryGroupID: 513
>> objectSid:: AQUAAAAAAAUVAAAAq/a0vxuVjyQhgb1QKwUAAA==
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: squid
>> sAMAccountType: 805306368
>> userPrincipalName: squid em AUTOPASS
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AUTOPASS
>> dSCorePropagationData: 16010101000000.0Z
>> lastLogonTimestamp: 129056351153699501
>>
>>
>> But squid_ldap_auth and the group helper still return nothing.
>>
>> Any suggestions?
>>
>>
>>
>>
>> 2009/12/18 Alessandro de Souza Rocha <etherlinkii em gmail.com>:
>>> This line is not wrong.
>>> # The lines below handle authentication of users against AD
>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389 (this is the port)
>>>
>>>
>>> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>>>> Now it's not giving an error, but it is denying me everything.
>>>>
>>>> Since I can't run squid_ldap_auth to debug, it gets difficult.
>>>>
>>>> My squid.conf:
>>>> http_port 192.168.9.10:3128
>>>> icp_port 3130
>>>> hierarchy_stoplist cgi-bin ?
>>>> #acl QUERY urlpath_regex cgi-bin ?
>>>> #no_cache deny QUERY
>>>> cache_mem 1500 MB
>>>> cache_swap_low 90
>>>> cache_swap_high 95
>>>> maximum_object_size 9216 KB
>>>> ipcache_size 1024
>>>> ipcache_low 90
>>>> ipcache_high 95
>>>> fqdncache_size 1024
>>>> cache_replacement_policy lru
>>>> memory_replacement_policy lru
>>>> cache_dir ufs /usr/local/squid/cache 2500 16 100
>>>> cache_access_log /usr/local/squid/logs/access.log
>>>> cache_store_log none
>>>>
>>>> # The lines below handle authentication of users against AD
>>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389
>>>> #/usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D "dc=autopass,cn=squid em autopass" -w "squid123qwe" -f "sAMAccountName=%s" -h 192.168.9.12
>>>>
>>>> auth_param basic realm Este acesso será registrado Digite sua login e senha
>>>> auth_param basic children 5
>>>> auth_param basic credentialsttl 15 minutes
>>>>
>>>> emulate_httpd_log on
>>>> mime_table /usr/local/etc/squid/mime.conf
>>>> pid_filename /usr/local/squid/logs/squid.pid
>>>> ftp_user ftp em autopass.com.br
>>>> ftp_passive on
>>>> #unlinkd_program /usr/local/squid/libexec/unlinkd
>>>>
>>>> # External ACL for authentication against the PDC's LDAP databases
>>>> external_acl_type ldap_group %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=autopass" -D "cn=autopass\squid,dc=autopass" -w "squid123qwe" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,dc=autopass))" -h 192.168.9.12:389
>>>>
>>>>
>>>> #acl all src 0.0.0.0/0.0.0.0
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>> acl SSL_ports port 443 563 9141
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 81
>>>> acl Safe_ports port 82
>>>> acl Safe_ports port 85
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 563 # https, snews
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl CONNECT method CONNECT
>>>>
>>>> # The ACL below blocks access by IP
>>>> #acl block_ip src "/usr/local/squid/etc/ips_bloqueados"
>>>>
>>>> # The ACL below blocks MSN
>>>> #acl dst_msn dstdomain -i "/usr/local/squid/etc/msn_domain"
>>>>
>>>> # The ACL below blocks downloads of files with the extensions exe mp3 wma wmv mpg avi asf
>>>> acl block_arq urlpath_regex -i .com$ .exe$ .scr$ .mp3$ .mpeg$ .wma$ .wmv$ .mpg$ .avi$ .pif$
>>>>
>>>> #acl palavra_download url_regex -i
>>>> "/usr/local/squid/etc/palavra_download-url"
>>>>
>>>> # The ACLs below relax content control from 12:00 to 13:30
>>>> # Put the sites to be allowed from 12 to 13 in the file /usr/local/squid/etc/libera_almoco
>>>> #acl libera_sites url_regex -i "/usr/local/squid/etc/libera_almoco"  #sites from "libera_almoco"
>>>> #acl almoco time SMTWHFA 12:00-13:30  #allows access from 12:00 to 13:30 #Monday through Sunday.
>>>>
>>>> # The ACL below allows some sites to be reached without authentication, such as banks, government and Abrapetite
>>>> acl libera_restritos   dstdomain -i "/usr/local/squid/sites_liberados"  # Allows some sites for users without access
>>>>
>>>> # Content control ACLs
>>>> #acl dominio_bloqueado dstdomain -i "/usr/local/squid/etc/block_dominio"
>>>> #acl dominio_liberado dstdomain  -i "/usr/local/squid/etc/libera_dominio"
>>>> #acl sex url_regex -i "/usr/local/squid/etc/porno"
>>>> #acl nosex url_regex -i "/usr/local/squid/etc/naoporno"
>>>> # ACLs_ACTIVE_DIRECTORY
>>>> acl ldapAcessoRestrito external ldap_group AcessoRestrito # Restricted access group
>>>> acl ldapAcessoPadrao external ldap_group AcessoPadrao # Default internet access
>>>> acl ldapAcessoTotal external ldap_group AcessoTotal # Full internet access
>>>> acl ldapAcessoDownload external ldap_group AcessoDownload # Allows download of files with blocked extensions.
>>>>
>>>> # The ACL below unblocks downloads for the AcessoPadrao group
>>>> #acl download_url url_regex "/usr/local/squid/etc/libera_download-url"
>>>>
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> #http_access deny block_ip
>>>>
>>>> http_access allow libera_restritos
>>>> http_access deny  ldapAcessoRestrito
>>>> http_access allow ldapAcessoTotal
>>>> #http_access deny dst_msn
>>>> #http_access allow dominio_liberado
>>>> #http_access allow libera_sites almoco
>>>> #http_access deny dominio_bloqueado
>>>> #http_access allow ldapAcessoDownload block_arq
>>>> #http_access allow ldapAcessoDownload palavra_download
>>>> #http_access allow download_url
>>>> #http_access deny block_arq
>>>> #http_access allow nosex
>>>> #http_access deny sex
>>>> http_access allow ldapAcessoPadrao
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access deny all
>>>> icp_access allow all
>>>> cache_effective_user squid
>>>> cache_effective_group squid
>>>> visible_hostname proxy.reboucas.autopass.com.br
>>>> unique_hostname proxy.reboucas.autopass.com.br
>>>> append_domain .autopass.com.br
>>>> acl local-servers dstdomain autopass.com.br
>>>> acl local-serverspr dstdomain cmtsp.com.br
>>>> always_direct allow local-servers
>>>> always_direct allow local-serverspr
>>>> #error_directory /usr/local/squid/share/errors/Portuguese
>>>>
>>>>
>>>> access.log:
>>>> 92.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET
>>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET
>>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:31 -0200] "GET
>>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2009/12/18 Vinicius Abrahao <vinnix.bsd em gmail.com>
>>>>
>>>>> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>>>>> > I can't use this one either.
>>>>> >
>>>>> > ldap_bind: Invalid credentials (49)
>>>>> >        additional info: 80090308: LdapErr: DSID-0C0903AA, comment:
>>>>> > AcceptSecurityContext error, data 525, v1772
>>>>> > caos#
>>>>> >
>>>>>
>>>>> According to IBM, 525 is "user not found":
>>>>> http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
>>>>>
>>>>> Try to confirm that your LDAP tree really looks like this:
>>>>> "cn=squid,ou=users,dc=autopass"
>>>>>
>>>>> The ldifde program can help you with that:
>>>>> http://www.computerperformance.co.uk/Logon/Logon_LDIFDE_Export.htm
>>>>>
>>>>>
>>>>> Regards,
>>>>> Vinicius
>>>>> -------------------------
>>>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>>>> Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Alessandro de Souza Rocha
>>> Network and Systems Administrator
>>> FreeBSD-BR User #117
>>>             Long live FreeBSD
>>>
>>>                     Powered by ....
>>>
>>>                                          (__)
>>>                                       \\\'',)
>>>                                         \/  \ ^
>>>                                         .\._/_)
>>>
>>>                                     www.FreeBSD.org
>>>
>>
>



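Two things the thread keeps circling can be modelled offline: the bind failure whose diagnostic carries `data 525` (Vinicius's reply) and the `squid_ldap_group` search that answers 'No such object' when the `-b` base does not exist (the command at the top of the thread). The Python below is an added example, not code from the thread or from Squid; the in-memory directory, user and group names are constructed, and the table of AD `data` sub-codes goes beyond the single code the thread cites.

```python
import re

# Constructed sample tree (DN -> attributes); stands in for the AD server the thread queries.
DIRECTORY = {
    "cn=squid,cn=users,dc=autopass": {"objectclass": {"person", "user"},
                                      "samaccountname": "squid", "memberof": set()},
    "cn=rasouza,ou=internet,dc=autopass": {"objectclass": {"person", "user"}, "samaccountname": "rasouza",
                                           "memberof": {"cn=acessopadrao,ou=internet,dc=autopass"}},
}

# AD sub-codes carried in 'AcceptSecurityContext error, data NNN'; 525 is the one the thread hit.
AD_BIND_DATA = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time", "531": "logon not permitted at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

def decode_bind_error(diag):
    """Map the 'data' field of an AD simple-bind failure to its meaning (None if absent)."""
    m = re.search(r"AcceptSecurityContext error, data (\w+)", diag)
    return AD_BIND_DATA.get(m.group(1).lower()) if m else None

def norm_dn(dn):  # lower-case and strip each RDN so differently cased DNs compare equal
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def build_filter(template, user, group):
    """squid_ldap_group replaces %v with the login name and %a with the group argument."""
    return template.replace("%v", user).replace("%a", group)

# Only the filter shape used in the thread is modelled.
FILTER_RE = re.compile(r"\(&\(objectclass=(\w+)\)\(sAMAccountName=([^)]+)\)\(memberof=([^)]+)\)\)", re.I)

def group_lookup(base, template, user, group):
    """Answer 'OK' or 'ERR' as the helper does; raise if the base DN is absent from the tree."""
    base_n = norm_dn(base)
    if not any(in_subtree(dn, base_n) for dn in DIRECTORY):
        raise LookupError("LDAP search error 'No such object'")  # the thread's OU=Intranet base
    m = FILTER_RE.fullmatch(build_filter(template, user, group))
    if not m:
        raise ValueError("filter shape not supported by this model")
    oc, sam, member_of = m.group(1).lower(), m.group(2).lower(), norm_dn(m.group(3))
    for dn, attrs in DIRECTORY.items():
        if (in_subtree(dn, base_n) and oc in attrs["objectclass"]
                and attrs["samaccountname"] == sam and member_of in attrs["memberof"]):
            return "OK"
    return "ERR"
```

A base DN that is not an ancestor of any entry raises before the filter is even applied, which is the same ordering the real helper shows: the 'No such object' warning appears regardless of user or group.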

