[FUG-BR] Ajuda com squid_ldap_auth
Ricardo Souza
ricardo.souza em ti.cmtsp.com.br
Sexta Dezembro 18 17:26:29 BRST 2009
Nao rola.
O grande lance ali foi a sugestao de usar -s sub para procurar em
todos os escopos.
Agora eu obtenho o erro: squid_ldap_auth: WARNING, LDAP search error
'Operations error'
/usr/local/libexec/squid/squid_ldap_auth -b "CN=USers,DC=AUTOPASS" -v
3 -R -h 192.168.9.12 -p 389 -f "uid=%s" -s sub
squid mypass
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR Success
^C
2009/12/18 Alessandro de Souza Rocha <etherlinkii em gmail.com>:
> http://www.mail-archive.com/freebsd@fug.com.br/msg37677.html
>
> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>> caos# /usr/local/libexec/squid/squid_ldap_group -R -b
>> "OU=Intranet,DC=AUTOPASS" -D "CN=squid,CN=Users,DC=AUTOPASS" -w
>> "mypass" -f "(&(objectclass=person)(sAMAccountName=rasouza)(memberof=cn=%a,ou=Internet,dc=autopass))"
>> -h 192.168.9.12:389
>> USERID squid PASSWORD mypas
>> squid_ldap_group WARNING, LDAP search error 'No such object'
>> squid_ldap_group WARNING, LDAP search error 'No such object'
>> squid_ldap_group WARNING, LDAP search error 'No such object'
>> ERR
>> ^C
>> caos#
>>
>> Estou quase lá!
>>
>>
>>
>>
>> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>>> AEW..
>>>
>>>
>>> consegui rodar o ldapsearch.
>>>
>>> ldapsearch -b "CN=squid,CN=Users,DC=AUTOPASS" -D
>>> "CN=squid,CN=Users,DC=AUTOPASS" -w "mypass" -h 192.168.9.12:389
>>>
>>>
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <CN=squid,CN=Users,DC=AUTOPASS> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # squid, Users, AUTOPASS
>>> dn: CN=squid,CN=Users,DC=AUTOPASS
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: squid
>>> givenName: squid
>>> distinguishedName: CN=squid,CN=Users,DC=AUTOPASS
>>> instanceType: 4
>>> whenCreated: 20091218183503.0Z
>>> whenChanged: 20091218183835.0Z
>>> displayName: squid
>>> uSNCreated: 270480
>>> uSNChanged: 270501
>>> name: squid
>>> objectGUID:: 4XXzOkIREUqcOnLRQJHBNA==
>>> userAccountControl: 66048
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> lastLogon: 0
>>> pwdLastSet: 129056349038798893
>>> primaryGroupID: 513
>>> objectSid:: AQUAAAAAAAUVAAAAq/a0vxuVjyQhgb1QKwUAAA==
>>> accountExpires: 9223372036854775807
>>> logonCount: 0
>>> sAMAccountName: squid
>>> sAMAccountType: 805306368
>>> userPrincipalName: squid em AUTOPASS
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AUTOPASS
>>> dSCorePropagationData: 16010101000000.0Z
>>> lastLogonTimestamp: 129056351153699501
>>>
>>>
>>> Só q o squid_ldap_auth e o group continuam sem retornar nada.
>>>
>>> Alguma sugestao?
>>>
>>>
>>>
>>>
>>> 2009/12/18 Alessandro de Souza Rocha <etherlinkii em gmail.com>:
>>>> esta linha nao esta errada nao.
>>>> # As linhas abaixo se referem a autenticacao de users no AD
>>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b
>>>> "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h
>>>> 192.168.9.12:389 (isto e a porta)
>>>>
>>>>
>>>> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>>>>> Agora nao esta dando erro, porem esta me negando tudo.
>>>>>
>>>>> Como eu nao consigo rodar o squid_ldap_auth para debugar, fica dificil.
>>>>>
>>>>> Meu squid.conf:
>>>>> http_port 192.168.9.10:3128
>>>>> icp_port 3130
>>>>> hierarchy_stoplist cgi-bin ?
>>>>> #acl QUERY urlpath_regex cgi-bin ?
>>>>> #no_cache deny QUERY
>>>>> cache_mem 1500 MB
>>>>> cache_swap_low 90
>>>>> cache_swap_high 95
>>>>> maximum_object_size 9216 KB
>>>>> ipcache_size 1024
>>>>> ipcache_low 90
>>>>> ipcache_high 95
>>>>> fqdncache_size 1024
>>>>> cache_replacement_policy lru
>>>>> memory_replacement_policy lru
>>>>> cache_dir ufs /usr/local/squid/cache 2500 16 100
>>>>> cache_access_log /usr/local/squid/logs/access.log
>>>>> cache_store_log none
>>>>>
>>>>> # As linhas abaixo se referem a autenticacao de users no AD
>>>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b
>>>>> "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h
>>>>> 192.168.9.12:389
>>>>> #/usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D
>>>>> "dc=autopass,cn=squid em autopass" -w "squid123qwe" -f "sAMAccountName=%s" -h
>>>>> 192.168.9.12
>>>>>
>>>>> auth_param basic realm Este acesso será registrado Digite sua login e senha
>>>>> auth_param basic children 5
>>>>> auth_param basic credentialsttl 15 minutes
>>>>>
>>>>> emulate_httpd_log on
>>>>> mime_table /usr/local/etc/squid/mime.conf
>>>>> pid_filename /usr/local/squid/logs/squid.pid
>>>>> ftp_user ftp em autopass.com.br
>>>>> ftp_passive on
>>>>> #unlinkd_program /usr/local/squid/libexec/unlinkd
>>>>>
>>>>> # ACL externa para autenticação nas bases LDAP do PDC
>>>>> external_acl_type ldap_group %LOGIN
>>>>> /usr/local/libexec/squid/squid_ldap_group -R -b "dc=autopass" -D
>>>>> "cn=autopass\squid,dc=autopass" -w "squid123qwe" -f
>>>>> "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,dc=autopass))"
>>>>> -h 192.168.9.12:389
>>>>>
>>>>>
>>>>> #acl all src 0.0.0.0/0.0.0.0
>>>>> acl manager proto cache_object
>>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>>> acl SSL_ports port 443 563 9141
>>>>> acl Safe_ports port 80 # http
>>>>> acl Safe_ports port 81
>>>>> acl Safe_ports port 82
>>>>> acl Safe_ports port 85
>>>>> acl Safe_ports port 21 # ftp
>>>>> acl Safe_ports port 443 563 # https, snews
>>>>> acl Safe_ports port 70 # gopher
>>>>> acl Safe_ports port 210 # wais
>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>> acl Safe_ports port 280 # http-mgmt
>>>>> acl Safe_ports port 488 # gss-http
>>>>> acl Safe_ports port 591 # filemaker
>>>>> acl Safe_ports port 777 # multiling http
>>>>> acl CONNECT method CONNECT
>>>>>
>>>>> # A acl abaixo faz bloqueio de acesso por IP"
>>>>> #acl block_ip src "/usr/local/squid/etc/ips_bloqueados"
>>>>>
>>>>> # A ACL abaixo efetua bloqueio do MSN
>>>>> #acl dst_msn dstdomain -i "/usr/local/squid/etc/msn_domain"
>>>>>
>>>>> # A ACL abaixo barra download de arquivos com extensões exe mp3 wma wmv mpg
>>>>> avi asf
>>>>> acl block_arq urlpath_regex -i .com$ .exe$ .scr$ .mp3$ .mpeg$ .wma$ .wmv$
>>>>> .mpg$ .avi$ .pif$
>>>>>
>>>>> #acl palavra_download url_regex -i
>>>>> "/usr/local/squid/etc/palavra_download-url"
>>>>>
>>>>> # As ACLs abaixo relaxam o controle de conteúdo das 12:00 as 13:30
>>>>> # Inserir os sites a serem liberados das 12 as 13 no arquivo
>>>>> /usr/local/squid/etc/libera_almoco
>>>>> #acl libera_sites url_regex -i "/usr/local/squid/etc/libera_almoco" #sites
>>>>> de "libera_almoco"
>>>>> #acl almoco time SMTWHFA 12:00-13:30
>>>>> #libera acesso das 12 as 13:30 #de segunda a domingo.
>>>>>
>>>>> # A ACL abaixo libera alguns sites para acesso sem autenticação como bancos,
>>>>> governo e Abrapetite
>>>>> acl libera_restritos dstdomain -i "/usr/local/squid/sites_liberados" #
>>>>> Libera alguns sites p/user s/acesso
>>>>>
>>>>> # ACLs de Controle de Conteúdo
>>>>> #acl dominio_bloqueado dstdomain -i "/usr/local/squid/etc/block_dominio"
>>>>> #acl dominio_liberado dstdomain -i "/usr/local/squid/etc/libera_dominio"
>>>>> #acl sex url_regex -i "/usr/local/squid/etc/porno"
>>>>> #acl nosex url_regex -i "/usr/local/squid/etc/naoporno"
>>>>> # ACLs_ACTIVE_DIRECTORY
>>>>> acl ldapAcessoRestrito external ldap_group AcessoRestrito # Grupo de acesso
>>>>> com restrições
>>>>> acl ldapAcessoPadrao external ldap_group AcessoPadrao # Acesso a internet
>>>>> padrão
>>>>> acl ldapAcessoTotal external ldap_group AcessoTotal # Acesso total a
>>>>> internet
>>>>> acl ldapAcessoDownload external ldap_group AcessoDownload # Libera download
>>>>> de arquivo com extensões bloqueadas.
>>>>>
>>>>> # A ACL abaixo desbloqueia download para o grupo AcessoPadrao
>>>>> #acl download_url url_regex "/usr/local/squid/etc/libera_download-url"
>>>>>
>>>>> http_access deny !Safe_ports
>>>>> http_access deny CONNECT !SSL_ports
>>>>> #http_access deny block_ip
>>>>>
>>>>> http_access allow libera_restritos
>>>>> http_access deny ldapAcessoRestrito
>>>>> http_access allow ldapAcessoTotal
>>>>> #http_access deny dst_msn
>>>>> #http_access allow dominio_liberado
>>>>> #http_access allow libera_sites almoco
>>>>> #http_access deny dominio_bloqueado
>>>>> #http_access allow ldapAcessoDownload block_arq
>>>>> #http_access allow ldapAcessoDownload palavra_download
>>>>> #http_access allow download_url
>>>>> #http_access deny block_arq
>>>>> #http_access allow nosex
>>>>> #http_access deny sex
>>>>> http_access allow ldapAcessoPadrao
>>>>> http_access allow manager localhost
>>>>> http_access deny manager
>>>>> http_access deny all
>>>>> icp_access allow all
>>>>> cache_effective_user squid
>>>>> cache_effective_group squid
>>>>> visible_hostname proxy.reboucas.autopass.com.br
>>>>> unique_hostname proxy.reboucas.autopass.com.br
>>>>> append_domain .autopass.com.br
>>>>> acl local-servers dstdomain autopass.com.br
>>>>> acl local-serverspr dstdomain cmtsp.com.br
>>>>> always_direct allow local-servers
>>>>> always_direct allow local-serverspr
>>>>> #error_directory /usr/local/squid/share/errors/Portuguese
>>>>>
>>>>>
>>>>> access.log:
>>>>> 92.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET
>>>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET
>>>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:31 -0200] "GET
>>>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2009/12/18 Vinicius Abrahao <vinnix.bsd em gmail.com>
>>>>>
>>>>>> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>>>>>> > nao consigo usar este tambem.
>>>>>> >
>>>>>> > ldap_bind: Invalid credentials (49)
>>>>>> > additional info: 80090308: LdapErr: DSID-0C0903AA, comment:
>>>>>> > AcceptSecurityContext error, data 525, v1772
>>>>>> > caos#
>>>>>> >
>>>>>>
>>>>>> Pelo que a IBM nos diz, 525 é "user not found":
>>>>>> http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
>>>>>>
>>>>>> Tenta confirmar que tua arvore LDAP está realmente assim:
>>>>>> "cn=squid,ou=users,dc=autopass"
>>>>>>
>>>>>> O programa ldifde pode te ajudar com isso:
>>>>>> http://www.computerperformance.co.uk/Logon/Logon_LDIFDE_Export.htm
>>>>>>
>>>>>>
>>>>>> Att,
>>>>>> Vinicius
>>>>>> -------------------------
>>>>>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>>>>>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>>
>>>>> -------------------------
>>>>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>>>>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Alessandro de Souza Rocha
>>>> Administrador de Redes e Sistemas
>>>> FreeBSD-BR User #117
>>>> Long live FreeBSD
>>>>
>>>> Powered by ....
>>>>
>>>> (__)
>>>> \\\'',)
>>>> \/ \ ^
>>>> .\._/_)
>>>>
>>>> www.FreeBSD.org
>>>> -------------------------
>>>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>>>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>
>>>
>> -------------------------
>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>
>
>
>
> --
> Alessandro de Souza Rocha
> Administrador de Redes e Sistemas
> FreeBSD-BR User #117
> Long live FreeBSD
>
> Powered by ....
>
> (__)
> \\\'',)
> \/ \ ^
> .\._/_)
>
> www.FreeBSD.org
> -------------------------
> Histórico: http://www.fug.com.br/historico/html/freebsd/
> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>
Mais detalhes sobre a lista de discussão freebsd