[FUG-BR] Ajuda com squid_ldap_auth
Ricardo Souza
ricardo.souza em ti.cmtsp.com.br
Sábado Dezembro 19 09:25:21 BRST 2009
Alguem ai usa o squid_ldap_group fazendo query num AD no windows 2008?
O user do squid está em
Ou=Internet,DC=AUTOPASS.
Nao consigo fazer a query.
caos# /usr/local/libexec/squid/squid_ldap_group -b
"CN=squid,OU=Internet,DC=autopass" -D
"cn=squid,ou=internet,dc=autopass" -w "mypass" -f '(&(uid=%u))' -h
192.168.9.12 -p 389 -v3
squid mypass
ERR
2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
> Ta melhorando.
>
> caos# squid/usr/local/libexec/squid/squid_ldap_auth -R -b
> "dc=autopass" -D "cn=squid,ou=Internet,dc=autopass" -w "squid123qwe"
> -f sAMAccountName=%s -h 192.168.9.12 -p
> caos# /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D
> "cn=squid,ou=Internet,dc=autopass" -w "mypass" -f sAMAccountName=%s -h
> 192.168.9.12 -p
> squid mypass
> OK
> ^C
> caos#
>
>
> Agora só falta o group.
>
>
>
>
> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>> Nao rola.
>>
>> O grande lance ali foi a sugestao de usar -s sub para procurar em
>> todos os escopos.
>>
>> Agora eu obtenho o erro: squid_ldap_auth: WARNING, LDAP search error
>> 'Operations error'
>>
>>
>> /usr/local/libexec/squid/squid_ldap_auth -b "CN=USers,DC=AUTOPASS" -v
>> 3 -R -h 192.168.9.12 -p 389 -f "uid=%s" -s sub
>> squid mypass
>> squid_ldap_auth: WARNING, LDAP search error 'Operations error'
>> ERR Success
>> ^C
>>
>>
>> 2009/12/18 Alessandro de Souza Rocha <etherlinkii em gmail.com>:
>>> http://www.mail-archive.com/freebsd@fug.com.br/msg37677.html
>>>
>>> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>>>> caos# /usr/local/libexec/squid/squid_ldap_group -R -b
>>>> "OU=Intranet,DC=AUTOPASS" -D "CN=squid,CN=Users,DC=AUTOPASS" -w
>>>> "mypass" -f "(&(objectclass=person)(sAMAccountName=rasouza)(memberof=cn=%a,ou=Internet,dc=autopass))"
>>>> -h 192.168.9.12:389
>>>> USERID squid PASSWORD mypas
>>>> squid_ldap_group WARNING, LDAP search error 'No such object'
>>>> squid_ldap_group WARNING, LDAP search error 'No such object'
>>>> squid_ldap_group WARNING, LDAP search error 'No such object'
>>>> ERR
>>>> ^C
>>>> caos#
>>>>
>>>> Estou quase lá!
>>>>
>>>>
>>>>
>>>>
>>>> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>>>>> AEW..
>>>>>
>>>>>
>>>>> consegui rodar o ldapsearch.
>>>>>
>>>>> ldapsearch -b "CN=squid,CN=Users,DC=AUTOPASS" -D
>>>>> "CN=squid,CN=Users,DC=AUTOPASS" -w "mypass" -h 192.168.9.12:389
>>>>>
>>>>>
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <CN=squid,CN=Users,DC=AUTOPASS> with scope subtree
>>>>> # filter: (objectclass=*)
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # squid, Users, AUTOPASS
>>>>> dn: CN=squid,CN=Users,DC=AUTOPASS
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn: squid
>>>>> givenName: squid
>>>>> distinguishedName: CN=squid,CN=Users,DC=AUTOPASS
>>>>> instanceType: 4
>>>>> whenCreated: 20091218183503.0Z
>>>>> whenChanged: 20091218183835.0Z
>>>>> displayName: squid
>>>>> uSNCreated: 270480
>>>>> uSNChanged: 270501
>>>>> name: squid
>>>>> objectGUID:: 4XXzOkIREUqcOnLRQJHBNA==
>>>>> userAccountControl: 66048
>>>>> badPwdCount: 0
>>>>> codePage: 0
>>>>> countryCode: 0
>>>>> badPasswordTime: 0
>>>>> lastLogoff: 0
>>>>> lastLogon: 0
>>>>> pwdLastSet: 129056349038798893
>>>>> primaryGroupID: 513
>>>>> objectSid:: AQUAAAAAAAUVAAAAq/a0vxuVjyQhgb1QKwUAAA==
>>>>> accountExpires: 9223372036854775807
>>>>> logonCount: 0
>>>>> sAMAccountName: squid
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: squid em AUTOPASS
>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AUTOPASS
>>>>> dSCorePropagationData: 16010101000000.0Z
>>>>> lastLogonTimestamp: 129056351153699501
>>>>>
>>>>>
>>>>> Só q o squid_ldap_auth e o group continuam sem retornar nada.
>>>>>
>>>>> Alguma sugestao?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2009/12/18 Alessandro de Souza Rocha <etherlinkii em gmail.com>:
>>>>>> esta linha nao esta errada nao.
>>>>>> # As linhas abaixo se referem a autenticacao de users no AD
>>>>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b
>>>>>> "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h
>>>>>> 192.168.9.12:389 (isto e a porta)
>>>>>>
>>>>>>
>>>>>> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>>>>>>> Agora nao esta dando erro, porem esta me negando tudo.
>>>>>>>
>>>>>>> Como eu nao consigo rodar o squid_ldap_auth para debugar, fica dificil.
>>>>>>>
>>>>>>> Meu squid.conf:
>>>>>>> http_port 192.168.9.10:3128
>>>>>>> icp_port 3130
>>>>>>> hierarchy_stoplist cgi-bin ?
>>>>>>> #acl QUERY urlpath_regex cgi-bin ?
>>>>>>> #no_cache deny QUERY
>>>>>>> cache_mem 1500 MB
>>>>>>> cache_swap_low 90
>>>>>>> cache_swap_high 95
>>>>>>> maximum_object_size 9216 KB
>>>>>>> ipcache_size 1024
>>>>>>> ipcache_low 90
>>>>>>> ipcache_high 95
>>>>>>> fqdncache_size 1024
>>>>>>> cache_replacement_policy lru
>>>>>>> memory_replacement_policy lru
>>>>>>> cache_dir ufs /usr/local/squid/cache 2500 16 100
>>>>>>> cache_access_log /usr/local/squid/logs/access.log
>>>>>>> cache_store_log none
>>>>>>>
>>>>>>> # As linhas abaixo se referem a autenticacao de users no AD
>>>>>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b
>>>>>>> "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h
>>>>>>> 192.168.9.12:389
>>>>>>> #/usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D
>>>>>>> "dc=autopass,cn=squid em autopass" -w "squid123qwe" -f "sAMAccountName=%s" -h
>>>>>>> 192.168.9.12
>>>>>>>
>>>>>>> auth_param basic realm Este acesso será registrado Digite sua login e senha
>>>>>>> auth_param basic children 5
>>>>>>> auth_param basic credentialsttl 15 minutes
>>>>>>>
>>>>>>> emulate_httpd_log on
>>>>>>> mime_table /usr/local/etc/squid/mime.conf
>>>>>>> pid_filename /usr/local/squid/logs/squid.pid
>>>>>>> ftp_user ftp em autopass.com.br
>>>>>>> ftp_passive on
>>>>>>> #unlinkd_program /usr/local/squid/libexec/unlinkd
>>>>>>>
>>>>>>> # ACL externa para autenticação nas bases LDAP do PDC
>>>>>>> external_acl_type ldap_group %LOGIN
>>>>>>> /usr/local/libexec/squid/squid_ldap_group -R -b "dc=autopass" -D
>>>>>>> "cn=autopass\squid,dc=autopass" -w "squid123qwe" -f
>>>>>>> "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,dc=autopass))"
>>>>>>> -h 192.168.9.12:389
>>>>>>>
>>>>>>>
>>>>>>> #acl all src 0.0.0.0/0.0.0.0
>>>>>>> acl manager proto cache_object
>>>>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>>>>> acl SSL_ports port 443 563 9141
>>>>>>> acl Safe_ports port 80 # http
>>>>>>> acl Safe_ports port 81
>>>>>>> acl Safe_ports port 82
>>>>>>> acl Safe_ports port 85
>>>>>>> acl Safe_ports port 21 # ftp
>>>>>>> acl Safe_ports port 443 563 # https, snews
>>>>>>> acl Safe_ports port 70 # gopher
>>>>>>> acl Safe_ports port 210 # wais
>>>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>>>> acl Safe_ports port 280 # http-mgmt
>>>>>>> acl Safe_ports port 488 # gss-http
>>>>>>> acl Safe_ports port 591 # filemaker
>>>>>>> acl Safe_ports port 777 # multiling http
>>>>>>> acl CONNECT method CONNECT
>>>>>>>
>>>>>>> # A acl abaixo faz bloqueio de acesso por IP"
>>>>>>> #acl block_ip src "/usr/local/squid/etc/ips_bloqueados"
>>>>>>>
>>>>>>> # A ACL abaixo efetua bloqueio do MSN
>>>>>>> #acl dst_msn dstdomain -i "/usr/local/squid/etc/msn_domain"
>>>>>>>
>>>>>>> # A ACL abaixo barra download de arquivos com extensões exe mp3 wma wmv mpg
>>>>>>> avi asf
>>>>>>> acl block_arq urlpath_regex -i .com$ .exe$ .scr$ .mp3$ .mpeg$ .wma$ .wmv$
>>>>>>> .mpg$ .avi$ .pif$
>>>>>>>
>>>>>>> #acl palavra_download url_regex -i
>>>>>>> "/usr/local/squid/etc/palavra_download-url"
>>>>>>>
>>>>>>> # As ACLs abaixo relaxam o controle de conteúdo das 12:00 as 13:30
>>>>>>> # Inserir os sites a serem liberados das 12 as 13 no arquivo
>>>>>>> /usr/local/squid/etc/libera_almoco
>>>>>>> #acl libera_sites url_regex -i "/usr/local/squid/etc/libera_almoco" #sites
>>>>>>> de "libera_almoco"
>>>>>>> #acl almoco time SMTWHFA 12:00-13:30
>>>>>>> #libera acesso das 12 as 13:30 #de segunda a domingo.
>>>>>>>
>>>>>>> # A ACL abaixo libera alguns sites para acesso sem autenticação como bancos,
>>>>>>> governo e Abrapetite
>>>>>>> acl libera_restritos dstdomain -i "/usr/local/squid/sites_liberados" #
>>>>>>> Libera alguns sites p/user s/acesso
>>>>>>>
>>>>>>> # ACLs de Controle de Conteúdo
>>>>>>> #acl dominio_bloqueado dstdomain -i "/usr/local/squid/etc/block_dominio"
>>>>>>> #acl dominio_liberado dstdomain -i "/usr/local/squid/etc/libera_dominio"
>>>>>>> #acl sex url_regex -i "/usr/local/squid/etc/porno"
>>>>>>> #acl nosex url_regex -i "/usr/local/squid/etc/naoporno"
>>>>>>> # ACLs_ACTIVE_DIRECTORY
>>>>>>> acl ldapAcessoRestrito external ldap_group AcessoRestrito # Grupo de acesso
>>>>>>> com restrições
>>>>>>> acl ldapAcessoPadrao external ldap_group AcessoPadrao # Acesso a internet
>>>>>>> padrão
>>>>>>> acl ldapAcessoTotal external ldap_group AcessoTotal # Acesso total a
>>>>>>> internet
>>>>>>> acl ldapAcessoDownload external ldap_group AcessoDownload # Libera download
>>>>>>> de arquivo com extensões bloqueadas.
>>>>>>>
>>>>>>> # A ACL abaixo desbloqueia download para o grupo AcessoPadrao
>>>>>>> #acl download_url url_regex "/usr/local/squid/etc/libera_download-url"
>>>>>>>
>>>>>>> http_access deny !Safe_ports
>>>>>>> http_access deny CONNECT !SSL_ports
>>>>>>> #http_access deny block_ip
>>>>>>>
>>>>>>> http_access allow libera_restritos
>>>>>>> http_access deny ldapAcessoRestrito
>>>>>>> http_access allow ldapAcessoTotal
>>>>>>> #http_access deny dst_msn
>>>>>>> #http_access allow dominio_liberado
>>>>>>> #http_access allow libera_sites almoco
>>>>>>> #http_access deny dominio_bloqueado
>>>>>>> #http_access allow ldapAcessoDownload block_arq
>>>>>>> #http_access allow ldapAcessoDownload palavra_download
>>>>>>> #http_access allow download_url
>>>>>>> #http_access deny block_arq
>>>>>>> #http_access allow nosex
>>>>>>> #http_access deny sex
>>>>>>> http_access allow ldapAcessoPadrao
>>>>>>> http_access allow manager localhost
>>>>>>> http_access deny manager
>>>>>>> http_access deny all
>>>>>>> icp_access allow all
>>>>>>> cache_effective_user squid
>>>>>>> cache_effective_group squid
>>>>>>> visible_hostname proxy.reboucas.autopass.com.br
>>>>>>> unique_hostname proxy.reboucas.autopass.com.br
>>>>>>> append_domain .autopass.com.br
>>>>>>> acl local-servers dstdomain autopass.com.br
>>>>>>> acl local-serverspr dstdomain cmtsp.com.br
>>>>>>> always_direct allow local-servers
>>>>>>> always_direct allow local-serverspr
>>>>>>> #error_directory /usr/local/squid/share/errors/Portuguese
>>>>>>>
>>>>>>>
>>>>>>> access.log:
>>>>>>> 92.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET
>>>>>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET
>>>>>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:31 -0200] "GET
>>>>>>> http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2009/12/18 Vinicius Abrahao <vinnix.bsd em gmail.com>
>>>>>>>
>>>>>>>> 2009/12/18 Ricardo Souza <ricardo.souza em ti.cmtsp.com.br>:
>>>>>>>> > nao consigo usar este tambem.
>>>>>>>> >
>>>>>>>> > ldap_bind: Invalid credentials (49)
>>>>>>>> > additional info: 80090308: LdapErr: DSID-0C0903AA, comment:
>>>>>>>> > AcceptSecurityContext error, data 525, v1772
>>>>>>>> > caos#
>>>>>>>> >
>>>>>>>>
>>>>>>>> Pelo que a IBM nos diz, 525 é "user not found":
>>>>>>>> http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
>>>>>>>>
>>>>>>>> Tenta confirmar que tua arvore LDAP está realmente assim:
>>>>>>>> "cn=squid,ou=users,dc=autopass"
>>>>>>>>
>>>>>>>> O programa ldifde pode te ajudar com isso:
>>>>>>>> http://www.computerperformance.co.uk/Logon/Logon_LDIFDE_Export.htm
>>>>>>>>
>>>>>>>>
>>>>>>>> Att,
>>>>>>>> Vinicius
>>>>>>>> -------------------------
>>>>>>>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>>>>>>>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>>>>
>>>>>>> -------------------------
>>>>>>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>>>>>>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Alessandro de Souza Rocha
>>>>>> Administrador de Redes e Sistemas
>>>>>> FreeBSD-BR User #117
>>>>>> Long live FreeBSD
>>>>>>
>>>>>> Powered by ....
>>>>>>
>>>>>> (__)
>>>>>> \\\'',)
>>>>>> \/ \ ^
>>>>>> .\._/_)
>>>>>>
>>>>>> www.FreeBSD.org
>>>>>> -------------------------
>>>>>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>>>>>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>>
>>>>>
>>>> -------------------------
>>>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>>>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>
>>>
>>>
>>>
>>> --
>>> Alessandro de Souza Rocha
>>> Administrador de Redes e Sistemas
>>> FreeBSD-BR User #117
>>> Long live FreeBSD
>>>
>>> Powered by ....
>>>
>>> (__)
>>> \\\'',)
>>> \/ \ ^
>>> .\._/_)
>>>
>>> www.FreeBSD.org
>>> -------------------------
>>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>>
>>
>
Mais detalhes sobre a lista de discussão freebsd