[FUG-BR] Help with squid_ldap_auth
Ricardo Souza
ricardo.souza at ti.cmtsp.com.br
Fri Dec 18 17:42:42 BRST 2009
It's getting better.
caos# /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D "cn=squid,ou=Internet,dc=autopass" -w "squid123qwe" -f sAMAccountName=%s -h 192.168.9.12 -p
caos# /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D "cn=squid,ou=Internet,dc=autopass" -w "mypass" -f sAMAccountName=%s -h 192.168.9.12 -p
squid mypass
OK
^C
caos#
Now only the group part is left.
2009/12/18 Ricardo Souza <ricardo.souza at ti.cmtsp.com.br>:
> No luck.
>
> The key thing there was the suggestion to use -s sub to search all scopes.
>
> Now I get the error: squid_ldap_auth: WARNING, LDAP search error 'Operations error'
>
>
> /usr/local/libexec/squid/squid_ldap_auth -b "CN=USers,DC=AUTOPASS" -v 3 -R -h 192.168.9.12 -p 389 -f "uid=%s" -s sub
> squid mypass
> squid_ldap_auth: WARNING, LDAP search error 'Operations error'
> ERR Success
> ^C
>
>
> 2009/12/18 Alessandro de Souza Rocha <etherlinkii at gmail.com>:
>> http://www.mail-archive.com/freebsd@fug.com.br/msg37677.html
>>
>> 2009/12/18 Ricardo Souza <ricardo.souza at ti.cmtsp.com.br>:
>>> caos# /usr/local/libexec/squid/squid_ldap_group -R -b "OU=Intranet,DC=AUTOPASS" -D "CN=squid,CN=Users,DC=AUTOPASS" -w "mypass" -f "(&(objectclass=person)(sAMAccountName=rasouza)(memberof=cn=%a,ou=Internet,dc=autopass))" -h 192.168.9.12:389
>>> USERID squid PASSWORD mypas
>>> squid_ldap_group WARNING, LDAP search error 'No such object'
>>> squid_ldap_group WARNING, LDAP search error 'No such object'
>>> squid_ldap_group WARNING, LDAP search error 'No such object'
>>> ERR
>>> ^C
>>> caos#
>>>
>>> Almost there!
>>>
>>>
>>>
>>>
>>> 2009/12/18 Ricardo Souza <ricardo.souza at ti.cmtsp.com.br>:
>>>> Hey..
>>>>
>>>>
>>>> I managed to run ldapsearch.
>>>>
>>>> ldapsearch -b "CN=squid,CN=Users,DC=AUTOPASS" -D "CN=squid,CN=Users,DC=AUTOPASS" -w "mypass" -h 192.168.9.12:389
>>>>
>>>>
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <CN=squid,CN=Users,DC=AUTOPASS> with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # squid, Users, AUTOPASS
>>>> dn: CN=squid,CN=Users,DC=AUTOPASS
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: squid
>>>> givenName: squid
>>>> distinguishedName: CN=squid,CN=Users,DC=AUTOPASS
>>>> instanceType: 4
>>>> whenCreated: 20091218183503.0Z
>>>> whenChanged: 20091218183835.0Z
>>>> displayName: squid
>>>> uSNCreated: 270480
>>>> uSNChanged: 270501
>>>> name: squid
>>>> objectGUID:: 4XXzOkIREUqcOnLRQJHBNA==
>>>> userAccountControl: 66048
>>>> badPwdCount: 0
>>>> codePage: 0
>>>> countryCode: 0
>>>> badPasswordTime: 0
>>>> lastLogoff: 0
>>>> lastLogon: 0
>>>> pwdLastSet: 129056349038798893
>>>> primaryGroupID: 513
>>>> objectSid:: AQUAAAAAAAUVAAAAq/a0vxuVjyQhgb1QKwUAAA==
>>>> accountExpires: 9223372036854775807
>>>> logonCount: 0
>>>> sAMAccountName: squid
>>>> sAMAccountType: 805306368
>>>> userPrincipalName: squid@AUTOPASS
>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AUTOPASS
>>>> dSCorePropagationData: 16010101000000.0Z
>>>> lastLogonTimestamp: 129056351153699501
>>>>
>>>>
>>>> It's just that squid_ldap_auth and the group helper still don't return anything.
>>>>
>>>> Any suggestions?
>>>>
>>>>
>>>>
>>>>
>>>> 2009/12/18 Alessandro de Souza Rocha <etherlinkii at gmail.com>:
>>>>> No, this line isn't wrong.
>>>>> # The lines below handle user authentication against AD
>>>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389 (this is the port)
>>>>>
>>>>>
>>>>> 2009/12/18 Ricardo Souza <ricardo.souza at ti.cmtsp.com.br>:
>>>>>> Now it isn't giving an error, but it's denying me everything.
>>>>>>
>>>>>> Since I can't run squid_ldap_auth to debug, it's hard.
>>>>>>
>>>>>> My squid.conf:
>>>>>> http_port 192.168.9.10:3128
>>>>>> icp_port 3130
>>>>>> hierarchy_stoplist cgi-bin ?
>>>>>> #acl QUERY urlpath_regex cgi-bin ?
>>>>>> #no_cache deny QUERY
>>>>>> cache_mem 1500 MB
>>>>>> cache_swap_low 90
>>>>>> cache_swap_high 95
>>>>>> maximum_object_size 9216 KB
>>>>>> ipcache_size 1024
>>>>>> ipcache_low 90
>>>>>> ipcache_high 95
>>>>>> fqdncache_size 1024
>>>>>> cache_replacement_policy lru
>>>>>> memory_replacement_policy lru
>>>>>> cache_dir ufs /usr/local/squid/cache 2500 16 100
>>>>>> cache_access_log /usr/local/squid/logs/access.log
>>>>>> cache_store_log none
>>>>>>
>>>>>> # The lines below handle user authentication against AD
>>>>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389
>>>>>> #/usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D "dc=autopass,cn=squid@autopass" -w "squid123qwe" -f "sAMAccountName=%s" -h 192.168.9.12
>>>>>>
>>>>>> auth_param basic realm Este acesso será registrado Digite sua login e senha
>>>>>> auth_param basic children 5
>>>>>> auth_param basic credentialsttl 15 minutes
>>>>>>
>>>>>> emulate_httpd_log on
>>>>>> mime_table /usr/local/etc/squid/mime.conf
>>>>>> pid_filename /usr/local/squid/logs/squid.pid
>>>>>> ftp_user ftp@autopass.com.br
>>>>>> ftp_passive on
>>>>>> #unlinkd_program /usr/local/squid/libexec/unlinkd
>>>>>>
>>>>>> # External ACL for authentication against the PDC's LDAP directories
>>>>>> external_acl_type ldap_group %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=autopass" -D "cn=autopass\squid,dc=autopass" -w "squid123qwe" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,dc=autopass))" -h 192.168.9.12:389
>>>>>>
>>>>>>
>>>>>> #acl all src 0.0.0.0/0.0.0.0
>>>>>> acl manager proto cache_object
>>>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>>>> acl SSL_ports port 443 563 9141
>>>>>> acl Safe_ports port 80 # http
>>>>>> acl Safe_ports port 81
>>>>>> acl Safe_ports port 82
>>>>>> acl Safe_ports port 85
>>>>>> acl Safe_ports port 21 # ftp
>>>>>> acl Safe_ports port 443 563 # https, snews
>>>>>> acl Safe_ports port 70 # gopher
>>>>>> acl Safe_ports port 210 # wais
>>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>>> acl Safe_ports port 280 # http-mgmt
>>>>>> acl Safe_ports port 488 # gss-http
>>>>>> acl Safe_ports port 591 # filemaker
>>>>>> acl Safe_ports port 777 # multiling http
>>>>>> acl CONNECT method CONNECT
>>>>>>
>>>>>> # The ACL below blocks access by IP
>>>>>> #acl block_ip src "/usr/local/squid/etc/ips_bloqueados"
>>>>>>
>>>>>> # The ACL below blocks MSN
>>>>>> #acl dst_msn dstdomain -i "/usr/local/squid/etc/msn_domain"
>>>>>>
>>>>>> # The ACL below blocks downloads of files with the extensions exe mp3 wma wmv mpg avi asf
>>>>>> acl block_arq urlpath_regex -i .com$ .exe$ .scr$ .mp3$ .mpeg$ .wma$ .wmv$ .mpg$ .avi$ .pif$
>>>>>>
>>>>>> #acl palavra_download url_regex -i "/usr/local/squid/etc/palavra_download-url"
>>>>>>
>>>>>> # The ACLs below relax content control from 12:00 to 13:30
>>>>>> # Put the sites to be allowed from 12 to 13 in the file /usr/local/squid/etc/libera_almoco
>>>>>> #acl libera_sites url_regex -i "/usr/local/squid/etc/libera_almoco" # sites from "libera_almoco"
>>>>>> #acl almoco time SMTWHFA 12:00-13:30
>>>>>> # allows access from 12 to 13:30, Monday to Sunday.
>>>>>>
>>>>>> # The ACL below allows some sites without authentication, such as banks, government and Abrapetite
>>>>>> acl libera_restritos dstdomain -i "/usr/local/squid/sites_liberados" # Allows some sites for users without access
>>>>>>
>>>>>> # Content control ACLs
>>>>>> #acl dominio_bloqueado dstdomain -i "/usr/local/squid/etc/block_dominio"
>>>>>> #acl dominio_liberado dstdomain -i "/usr/local/squid/etc/libera_dominio"
>>>>>> #acl sex url_regex -i "/usr/local/squid/etc/porno"
>>>>>> #acl nosex url_regex -i "/usr/local/squid/etc/naoporno"
>>>>>> # ACLs_ACTIVE_DIRECTORY
>>>>>> acl ldapAcessoRestrito external ldap_group AcessoRestrito # Access group with restrictions
>>>>>> acl ldapAcessoPadrao external ldap_group AcessoPadrao # Standard internet access
>>>>>> acl ldapAcessoTotal external ldap_group AcessoTotal # Full internet access
>>>>>> acl ldapAcessoDownload external ldap_group AcessoDownload # Allows downloading files with blocked extensions.
>>>>>>
>>>>>> # The ACL below unblocks downloads for the AcessoPadrao group
>>>>>> #acl download_url url_regex "/usr/local/squid/etc/libera_download-url"
>>>>>>
>>>>>> http_access deny !Safe_ports
>>>>>> http_access deny CONNECT !SSL_ports
>>>>>> #http_access deny block_ip
>>>>>>
>>>>>> http_access allow libera_restritos
>>>>>> http_access deny ldapAcessoRestrito
>>>>>> http_access allow ldapAcessoTotal
>>>>>> #http_access deny dst_msn
>>>>>> #http_access allow dominio_liberado
>>>>>> #http_access allow libera_sites almoco
>>>>>> #http_access deny dominio_bloqueado
>>>>>> #http_access allow ldapAcessoDownload block_arq
>>>>>> #http_access allow ldapAcessoDownload palavra_download
>>>>>> #http_access allow download_url
>>>>>> #http_access deny block_arq
>>>>>> #http_access allow nosex
>>>>>> #http_access deny sex
>>>>>> http_access allow ldapAcessoPadrao
>>>>>> http_access allow manager localhost
>>>>>> http_access deny manager
>>>>>> http_access deny all
>>>>>> icp_access allow all
>>>>>> cache_effective_user squid
>>>>>> cache_effective_group squid
>>>>>> visible_hostname proxy.reboucas.autopass.com.br
>>>>>> unique_hostname proxy.reboucas.autopass.com.br
>>>>>> append_domain .autopass.com.br
>>>>>> acl local-servers dstdomain autopass.com.br
>>>>>> acl local-serverspr dstdomain cmtsp.com.br
>>>>>> always_direct allow local-servers
>>>>>> always_direct allow local-serverspr
>>>>>> #error_directory /usr/local/squid/share/errors/Portuguese
>>>>>>
>>>>>>
>>>>>> access.log:
>>>>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET
>>>>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET
>>>>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:31 -0200] "GET
>>>>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2009/12/18 Vinicius Abrahao <vinnix.bsd at gmail.com>
>>>>>>
>>>>>>> 2009/12/18 Ricardo Souza <ricardo.souza at ti.cmtsp.com.br>:
>>>>>>> > I can't use this one either.
>>>>>>> >
>>>>>>> > ldap_bind: Invalid credentials (49)
>>>>>>> > additional info: 80090308: LdapErr: DSID-0C0903AA, comment:
>>>>>>> > AcceptSecurityContext error, data 525, v1772
>>>>>>> > caos#
>>>>>>> >
>>>>>>>
>>>>>>> From what IBM tells us, 525 is "user not found":
>>>>>>> http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
>>>>>>>
>>>>>>> Try to confirm that your LDAP tree really looks like this:
>>>>>>> "cn=squid,ou=users,dc=autopass"
>>>>>>>
>>>>>>> The ldifde program can help you with that:
>>>>>>> http://www.computerperformance.co.uk/Logon/Logon_LDIFDE_Export.htm
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Vinicius
>>>>>>> -------------------------
>>>>>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>>>>>> Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Alessandro de Souza Rocha
>>>>> Network and Systems Administrator
>>>>> FreeBSD-BR User #117
>>>>> Long live FreeBSD
>>>>>
>>>>> Powered by ....
>>>>>
>>>>> (__)
>>>>> \\\'',)
>>>>> \/ \ ^
>>>>> .\._/_)
>>>>>
>>>>> www.FreeBSD.org
>>>>>
>>>>
>>>
>>
>>
>>
>>
>
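The "data 525" that Vinicius decodes above is one of a small family of AcceptSecurityContext sub-codes that Active Directory appends to a failed simple bind, and the ldapsearch output earlier in the thread shows the bind account's userAccountControl (66048) in raw form. The following is an added example in Python, not code from the thread or from Squid: it extracts the sub-code from a bind diagnostic string and decodes the userAccountControl bitmask, using the documented AD code table and flag bits. The diagnostic string and the 66048 value are constructed copies of what was posted; the function names are this example's own.

```python
"""Decode the Active Directory bind diagnostics and account flags seen in
the thread. Added example; not code from the thread or from Squid. The
input strings are constructed copies of what was posted above and nothing
here touches the network."""
import re

# Sub-codes AD appends as "data NNN" to AcceptSecurityContext failures.
# 525 is the one IBM's note (linked above) explains; the rest are its
# documented siblings that a helper operator meets sooner or later.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# userAccountControl bits relevant to a proxy bind account.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def decode_bind_error(diag: str) -> str:
    """Return the meaning of the 'data' sub-code in an AD bind failure."""
    m = _DATA_RE.search(diag)
    if m is None:
        return "no AcceptSecurityContext data code in message"
    code = m.group(1).lower()
    return AD_BIND_DATA_CODES.get(code, "unknown data code " + code)


def decode_uac(value: int) -> list:
    """Names of the flag bits set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def check_service_account(uac: int) -> list:
    """Account-state problems that would stop, or weaken, a helper bind."""
    flags = decode_uac(uac)
    problems = []
    if "ACCOUNTDISABLE" in flags:
        problems.append("account is disabled")
    if "LOCKOUT" in flags:
        problems.append("account is locked out")
    if "PASSWORD_EXPIRED" in flags:
        problems.append("password has expired")
    if "PASSWD_NOTREQD" in flags:
        problems.append("password not required: account may have an empty password")
    return problems


# Constructed copies of the strings posted in the thread.
DIAG_525 = ("80090308: LdapErr: DSID-0C0903AA, comment: "
            "AcceptSecurityContext error, data 525, v1772")
SQUID_UAC = 66048  # userAccountControl of CN=squid from the ldapsearch output

if __name__ == "__main__":
    print(decode_bind_error(DIAG_525))        # user not found
    print(decode_uac(SQUID_UAC))              # ['NORMAL_ACCOUNT', 'DONT_EXPIRE_PASSWORD']
    print(check_service_account(SQUID_UAC))   # []
```

The decoder applies to any client that surfaces the server's diagnostic text (ldapsearch prints it as "additional info"); on its stdout protocol to Squid, squid_ldap_auth answers only OK or ERR, which is why the bind failure in this thread only became readable once ldapsearch was run by hand with the same -D and -w. When reading the result, keep in mind that AD accepts the simple-bind identity as a full DN, as a userPrincipalName (user@domain) or as DOMAIN\user; a string in none of those forms cannot resolve to an account and is rejected.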
More information about the freebsd mailing list
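Both helper templates in the thread, -f "sAMAccountName=%s" for squid_ldap_auth and the (&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,dc=autopass)) filter for squid_ldap_group, are filled in with the login the browser sent. The following is an added example in Python, not Squid's helper source: it performs that substitution with RFC 4515 escaping, shows what an unescaped substitution would let a crafted login do to the filter, and lists the one-search-per-group lookups the group helper issues for an input line such as the "USERID squid PASSWORD mypas" typed above (its external_acl_type hands it %LOGIN followed by the group names from the acl line). The templates and the names rasouza and AcessoPadrao come from the thread; the escaping function, the clause counter and the hostile login are this example's own. Whether and how a given Squid release escapes its own filters should be confirmed in that release's source rather than inferred from this example.

```python
"""Expand the squid_ldap_auth / squid_ldap_group -f templates from the
thread without LDAP filter injection. Added example; not Squid's code."""
import re

# Templates as quoted on the page: %s for squid_ldap_auth, %v (user) and
# %a (group) for squid_ldap_group.
AUTH_TEMPLATE = "sAMAccountName=%s"
GROUP_TEMPLATE = ("(&(objectclass=person)(sAMAccountName=%v)"
                  "(memberof=cn=%a,ou=Internet,dc=autopass))")

# RFC 4515 section 3: these characters must be hex-escaped inside a value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template: str, user: str, group: str = "", escape: bool = True) -> str:
    """Substitute the user (%s / %v) and group (%a) into a filter template.

    escape=False reproduces a naive substitution for comparison; never use it.
    Substitution is single-pass so a value containing "%a" is not re-expanded.
    """
    u = escape_filter_value(user) if escape else user
    g = escape_filter_value(group) if escape else group
    subs = {"s": u, "v": u, "a": g}
    out = re.sub(r"%([sva])", lambda m: subs[m.group(1)], template)
    return out if out.startswith("(") else "(" + out + ")"


def top_level_clauses(filter_str: str) -> int:
    """Count parenthesised clauses at nesting depth 0.

    A well-formed filter has exactly one; a value that closes the original
    clause and opens another produces two or more.
    """
    depth, clauses = 0, 0
    for ch in filter_str:
        if ch == "(":
            if depth == 0:
                clauses += 1
            depth += 1
        elif ch == ")":
            depth -= 1
    return clauses


def group_helper_filters(line: str) -> list:
    """Filters the group helper would issue for one "user group1 group2 ..." line."""
    user, *groups = line.split()
    return [expand(GROUP_TEMPLATE, user, g) for g in groups]


# Constructed inputs: the login from access.log, a group from the acl lines,
# and a hostile login that breaks an unescaped filter.
LOGIN, GROUP = "rasouza", "AcessoPadrao"
HOSTILE_LOGIN = "*)(objectclass=*"

if __name__ == "__main__":
    print(expand(GROUP_TEMPLATE, LOGIN, GROUP))
    naive = expand(AUTH_TEMPLATE, HOSTILE_LOGIN, escape=False)
    safe = expand(AUTH_TEMPLATE, HOSTILE_LOGIN)
    print(naive, top_level_clauses(naive))   # (sAMAccountName=*)(objectclass=*) 2
    print(safe, top_level_clauses(safe))     # (sAMAccountName=\2a\29\28objectclass=\2a) 1
    for f in group_helper_filters("USERID squid PASSWORD mypas"):
        print(f)                              # three searches, one per group token
```

In the group filter, %a lands inside a DN-valued memberof assertion, so a group name containing a DN special character (a comma, for instance) would also need RFC 4514 DN escaping before the filter escaping shown here; the group names on this page (AcessoPadrao, AcessoTotal, AcessoRestrito, AcessoDownload) contain none. The three filters produced for "USERID squid PASSWORD mypas" also explain why that hand-typed test printed three warnings: the helper treats the first token as the login and every following token as a group to check.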