[FUG-BR] Help with squid_ldap_auth

Ricardo Souza ricardo.souza em ti.cmtsp.com.br
Fri Dec 18 16:48:16 BRST 2009


Hey..


I managed to run ldapsearch.

ldapsearch -b "CN=squid,CN=Users,DC=AUTOPASS" -D "CN=squid,CN=Users,DC=AUTOPASS" -w "mypass" -h 192.168.9.12:389


# extended LDIF
#
# LDAPv3
# base <CN=squid,CN=Users,DC=AUTOPASS> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# squid, Users, AUTOPASS
dn: CN=squid,CN=Users,DC=AUTOPASS
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: squid
givenName: squid
distinguishedName: CN=squid,CN=Users,DC=AUTOPASS
instanceType: 4
whenCreated: 20091218183503.0Z
whenChanged: 20091218183835.0Z
displayName: squid
uSNCreated: 270480
uSNChanged: 270501
name: squid
objectGUID:: 4XXzOkIREUqcOnLRQJHBNA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129056349038798893
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAq/a0vxuVjyQhgb1QKwUAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: squid
sAMAccountType: 805306368
userPrincipalName: squid em AUTOPASS
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AUTOPASS
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129056351153699501


But squid_ldap_auth and the group helper still return nothing.

Any suggestions?




2009/12/18 Alessandro de Souza Rocha <etherlinkii em gmail.com>:
> this line is not wrong.
> # The lines below concern user authentication against AD
> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389 (that is the port)
>
>
> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>> Now it is not giving an error, but it is denying me everything.
>>
>> Since I cannot run squid_ldap_auth to debug it, this is difficult.
>>
>> My squid.conf:
>> http_port 192.168.9.10:3128
>> icp_port 3130
>> hierarchy_stoplist cgi-bin ?
>> #acl QUERY urlpath_regex cgi-bin ?
>> #no_cache deny QUERY
>> cache_mem 1500 MB
>> cache_swap_low 90
>> cache_swap_high 95
>> maximum_object_size 9216 KB
>> ipcache_size 1024
>> ipcache_low 90
>> ipcache_high 95
>> fqdncache_size 1024
>> cache_replacement_policy lru
>> memory_replacement_policy lru
>> cache_dir ufs /usr/local/squid/cache 2500 16 100
>> cache_access_log /usr/local/squid/logs/access.log
>> cache_store_log none
>>
>> # The lines below concern user authentication against AD
>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389
>> #/usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D "dc=autopass,cn=squid em autopass" -w "squid123qwe" -f "sAMAccountName=%s" -h 192.168.9.12
>>
>> auth_param basic realm Este acesso será registrado Digite sua login e senha
>> auth_param basic children 5
>> auth_param basic credentialsttl 15 minutes
>>
>> emulate_httpd_log on
>> mime_table /usr/local/etc/squid/mime.conf
>> pid_filename /usr/local/squid/logs/squid.pid
>> ftp_user ftp em autopass.com.br
>> ftp_passive on
>> #unlinkd_program /usr/local/squid/libexec/unlinkd
>>
>> # External ACL for authentication against the LDAP directories on the PDC
>> external_acl_type ldap_group %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=autopass" -D "cn=autopass\squid,dc=autopass" -w "squid123qwe" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,dc=autopass))" -h 192.168.9.12:389
>>
>>
>> #acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl SSL_ports port 443 563 9141
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 81
>> acl Safe_ports port 82
>> acl Safe_ports port 85
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 563 # https, snews
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> # The ACL below blocks access by IP
>> #acl block_ip src "/usr/local/squid/etc/ips_bloqueados"
>>
>> # The ACL below blocks MSN
>> #acl dst_msn dstdomain -i "/usr/local/squid/etc/msn_domain"
>>
>> # The ACL below blocks downloads of files with the extensions exe mp3 wma wmv mpg avi asf
>> acl block_arq urlpath_regex -i  .com$ .exe$ .scr$ .mp3$ .mpeg$  .wma$ .wmv$ .mpg$ .avi$ .pif$
>>
>> #acl palavra_download url_regex -i "/usr/local/squid/etc/palavra_download-url"
>>
>> # The ACLs below relax content control from 12:00 to 13:30
>> # Put the sites to be released from 12 to 13 in the file /usr/local/squid/etc/libera_almoco
>> #acl libera_sites url_regex -i "/usr/local/squid/etc/libera_almoco"  # sites from "libera_almoco"
>> #acl almoco time SMTWHFA 12:00-13:30  # allows access from 12 to 13:30, Monday through Sunday.
>>
>> # The ACL below allows some sites to be reached without authentication, such as banks, government and Abrapetite
>> acl libera_restritos   dstdomain -i "/usr/local/squid/sites_liberados"  # Allows some sites for users without access
>>
>> # Content control ACLs
>> #acl dominio_bloqueado dstdomain -i "/usr/local/squid/etc/block_dominio"
>> #acl dominio_liberado dstdomain  -i "/usr/local/squid/etc/libera_dominio"
>> #acl sex url_regex -i "/usr/local/squid/etc/porno"
>> #acl nosex url_regex -i "/usr/local/squid/etc/naoporno"
>> # ACLs_ACTIVE_DIRECTORY
>> acl ldapAcessoRestrito external ldap_group AcessoRestrito # Group with restricted access
>> acl ldapAcessoPadrao external ldap_group AcessoPadrao # Standard internet access
>> acl ldapAcessoTotal external ldap_group AcessoTotal # Full internet access
>> acl ldapAcessoDownload external ldap_group AcessoDownload # Allows downloading files with blocked extensions.
>>
>> # The ACL below unblocks downloads for the AcessoPadrao group
>> #acl download_url url_regex "/usr/local/squid/etc/libera_download-url"
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> #http_access deny block_ip
>>
>> http_access allow libera_restritos
>> http_access deny  ldapAcessoRestrito
>> http_access allow ldapAcessoTotal
>> #http_access deny dst_msn
>> #http_access allow dominio_liberado
>> #http_access allow libera_sites almoco
>> #http_access deny dominio_bloqueado
>> #http_access allow ldapAcessoDownload block_arq
>> #http_access allow ldapAcessoDownload palavra_download
>> #http_access allow download_url
>> #http_access deny block_arq
>> #http_access allow nosex
>> #http_access deny sex
>> http_access allow ldapAcessoPadrao
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny all
>> icp_access allow all
>> cache_effective_user squid
>> cache_effective_group squid
>> visible_hostname proxy.reboucas.autopass.com.br
>> unique_hostname proxy.reboucas.autopass.com.br
>> append_domain .autopass.com.br
>> acl local-servers dstdomain autopass.com.br
>> acl local-serverspr dstdomain cmtsp.com.br
>> always_direct allow local-servers
>> always_direct allow local-serverspr
>> #error_directory /usr/local/squid/share/errors/Portuguese
>>
>>
>> access.log:
>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:31 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>
>>
>>
>>
>>
>>
>> 2009/12/18 Vinicius Abrahao <vinnix.bsd em gmail.com>
>>
>>> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>>> > I can't use this one either.
>>> >
>>> > ldap_bind: Invalid credentials (49)
>>> >        additional info: 80090308: LdapErr: DSID-0C0903AA, comment:
>>> > AcceptSecurityContext error, data 525, v1772
>>> > caos#
>>> >
>>>
>>> According to IBM, 525 is "user not found":
>>> http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
>>>
>>> Try to confirm that your LDAP tree really looks like this:
>>> "cn=squid,ou=users,dc=autopass"
>>>
>>> The ldifde program can help you with that:
>>> http://www.computerperformance.co.uk/Logon/Logon_LDIFDE_Export.htm
>>>
>>>
>>> Regards,
>>> Vinicius
>>> -------------------------
>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>>>
>>
>
>
>
> --
> Alessandro de Souza Rocha
> Network and Systems Administrator
> FreeBSD-BR User #117
>             Long live FreeBSD
>
>                     Powered by ....
>
>                                          (__)
>                                       \\\'',)
>                                         \/  \ ^
>                                         .\._/_)
>
>                                     www.FreeBSD.org
>
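Added example, not code from this thread or from the Squid project: an offline pre-flight check that compares the `auth_param basic program` line from the squid.conf quoted above with the entry that the working ldapsearch returned for the bind account. It tokenizes the helper invocation (Squid's own config tokenizer is approximated with shlex), then checks that the bind DN is the DN the directory actually returned, that the base DN is a suffix of it, that the user lookup uses sAMAccountName rather than squid_ldap_auth's default `uid` attribute, that the bind password is not given inline, and decodes the account's userAccountControl bits. The option table follows the squid_ldap_auth usage text; the DN and the value 66048 come from the ldapsearch output in the thread, and the password is a constructed placeholder.

```python
"""Offline consistency check of a squid_ldap_auth invocation against an AD entry.

Added example for the FUG-BR thread; not part of Squid. Assumes the
squid_ldap_auth option set from its usage text (-b -f -u -s -D -w -W -H -h -p
-a -v -c -t take an argument; -P -R -Z -d -E -S are flags).
"""
import shlex

# Constructed from the thread: the wrapped auth_param line, re-joined the way
# Squid reads it. The password is a placeholder, not the thread's value.
AUTH_PARAM_LINE = (
    'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth '
    '-b "DC=autopass" -D "cn=autopass\\squid,DC=autopass" '
    '-w "BIND_PASSWORD_PLACEHOLDER" -h 192.168.9.12:389'
)

# Constructed from the thread: what ldapsearch returned for the bind account.
LDAPSEARCH_ENTRY = {
    "distinguishedName": "CN=squid,CN=Users,DC=AUTOPASS",
    "userAccountControl": 66048,
}

OPTS_WITH_ARG = set("bfusDwWHhpavct")   # squid_ldap_auth options taking a value
FLAG_OPTS = set("PRZdES")              # squid_ldap_auth options without a value

# Active Directory userAccountControl bits that matter for a bind account.
UAC_BITS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}


def parse_helper_line(line):
    """Return (program, options) for an `auth_param basic program ...` line."""
    tokens = shlex.split(line)
    if tokens[:3] != ["auth_param", "basic", "program"]:
        raise ValueError("not an 'auth_param basic program' line")
    program, args = tokens[3], tokens[4:]
    opts = {}
    i = 0
    while i < len(args):
        tok = args[i]
        if len(tok) < 2 or tok[0] != "-":
            raise ValueError(f"unexpected positional argument {tok!r}")
        flag = tok[1]
        if flag in OPTS_WITH_ARG:
            if len(tok) > 2:                 # "-bDC=autopass" form
                opts[flag] = tok[2:]
            else:                            # "-b DC=autopass" form
                i += 1
                if i == len(args):
                    raise ValueError(f"option -{flag} needs an argument")
                opts[flag] = args[i]
        elif flag in FLAG_OPTS:
            opts[flag] = True
        else:
            raise ValueError(f"unknown squid_ldap_auth option -{flag}")
        i += 1
    return program, opts


def normalize_dn(dn):
    """Case- and whitespace-insensitive comparison key; RDN order is kept."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def decode_uac(value):
    """Names of the userAccountControl bits set in `value`, lowest bit first."""
    return [name for bit, name in sorted(UAC_BITS.items()) if value & bit]


def check_helper(opts, entry):
    """Findings that explain a helper answering ERR although ldapsearch works."""
    findings = []
    real_dn = normalize_dn(entry["distinguishedName"])
    if normalize_dn(opts.get("D", "")) != real_dn:
        findings.append(f"bind DN -D {opts.get('D')!r} is not the DN ldapsearch "
                        f"returned ({entry['distinguishedName']!r})")
    if not real_dn.endswith(normalize_dn(opts.get("b", ""))):
        findings.append(f"base DN -b {opts.get('b')!r} is not a suffix of the account DN")
    # Without -u or -f, squid_ldap_auth searches on "uid"; AD keeps the logon
    # name in sAMAccountName, so every lookup would come back empty.
    lookup = opts.get("f", opts.get("u", "uid"))
    if "samaccountname" not in lookup.lower():
        findings.append(f"user lookup uses {lookup!r}; AD logon names live in "
                        'sAMAccountName (use -u sAMAccountName or -f "sAMAccountName=%s")')
    if "w" in opts and "W" not in opts:
        findings.append("bind password is inline (-w); -W <file> keeps it out of squid.conf")
    flags = decode_uac(int(entry["userAccountControl"]))
    for bad in ("ACCOUNTDISABLE", "LOCKOUT", "PASSWORD_EXPIRED"):
        if bad in flags:
            findings.append(f"bind account has {bad} set; the bind itself will fail")
    return findings


if __name__ == "__main__":
    program, opts = parse_helper_line(AUTH_PARAM_LINE)
    print("helper:", program)
    for finding in check_helper(opts, LDAPSEARCH_ENTRY):
        print("-", finding)
    print("account flags:", ", ".join(decode_uac(LDAPSEARCH_ENTRY["userAccountControl"])))
```

Run against the thread's line, the check reports three things: the bind DN in squid.conf differs from the DN the directory returned, the lookup attribute is the default `uid`, and the password is inline; the account itself decodes to NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD, so it is neither disabled nor locked. Substituting the DN ldapsearch returned, adding `-u sAMAccountName` and moving the password to `-W` clears every finding.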


More information about the freebsd mailing list