I'm running into trouble with Squid Kerberos auth and the squidGuard ldapusersearch that I use to apply ACLs by Active Directory group membership.
The problem is:
- Squid and squidGuard see my user as:
user@domain.local
so the '%s' variable of squidGuard is 'user@domain.local'.
- In my LDAP query there is no default attribute that can match this string.
Example :
src ldap { ldapusersearch ldap://dc1.domain.local:3268/dc=domain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group,OU=Groups,DC=domain,DC=local)) }
And sAMAccountName is only 'user'
and not 'user@domain.local'!
So I found a solution, but it's not very comfortable:
I edit an unused attribute of the AD user and write my Kerberos login into it, so my conf looks like this:
src ldap { ldapusersearch ldap://dc1.domain.local:3268/dc=domain,dc=local?displayNamePrintable?sub?(&(displayNamePrintable=%s)(memberOf=CN=group,OU=Groups,DC=domain,DC=local)) }
And it works!
Does anyone have an idea to bypass the need to create a custom attribute in AD that contains it?
I should point out that userPrincipalName
is the same as the email and can't match the Kerberos login.
Thanks all!
Answer
I am using Squid Version 3.4.5-20140514-r13135 with squidGuard 1.5-beta and the strip-domain-realm patch by Mathieu Parent, which is able to strip the domain and strip the realm. So the users appear as "user" and not as "user@KERBEROSDOMAIN".
Here is an example configuration that's working for me:
dbhome /var/lib/squidGuard/db
logdir /var/log/squidGuard
ldapbinddn squidguard@domain.tld
ldapbindpass squidguardpass
ldapprotover 3
ldapcachetime 2400
stripntdomain true
striprealm true
src users { ldapusersearch "ldap://ldapserver:3268/dc=ADDomain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=SQUID_USERS,OU=Squid_Groups,OU=Groups,DC=ADDomain,DC=com))" }
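To make concrete what the stripntdomain / striprealm options in the answer above have to do before '%s' can be matched against sAMAccountName, here is an added Python example. It is not squidGuard's code nor Mathieu Parent's patch, and it does not talk to LDAP; it reproduces the normalisation step (drop a leading DOMAIN\ and a trailing @REALM) on constructed sample usernames and then substitutes the result into the filter template from the answer. Whether squidGuard escapes the substituted value is not something this thread establishes, so the example escapes the RFC 4515 filter metacharacters explicitly before substitution; the filter template and usernames are assumed values for illustration.

```python
import re

# Constructed sample usernames in the forms a proxy auth helper may hand to
# squidGuard (assumed values, not taken from the original post).
SAMPLE_USERS = [
    "user@DOMAIN.LOCAL",          # Kerberos principal with realm
    "DOMAIN\\user",               # NT-style domain prefix
    "DOMAIN\\user@DOMAIN.LOCAL",  # both forms at once
    "user",                       # already bare
]

# The ldapusersearch filter from the answer, with the '%s' placeholder kept.
FILTER_TEMPLATE = (
    "(&(sAMAccountName=%s)"
    "(memberOf=CN=SQUID_USERS,OU=Squid_Groups,OU=Groups,DC=ADDomain,DC=com))"
)

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise a username could alter the filter structure
# (e.g. '*' turning (sAMAccountName=%s) into a match-everything clause).
_LDAP_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def strip_principal(name, strip_ntdomain=True, strip_realm=True):
    """Reduce a proxy-supplied username to the bare account name.

    strip_ntdomain removes a leading 'DOMAIN\\', strip_realm a trailing
    '@REALM'; this mirrors what the stripntdomain / striprealm options are
    described to do in the answer, but is an independent re-implementation.
    """
    if strip_ntdomain and "\\" in name:
        name = name.split("\\", 1)[1]
    if strip_realm and "@" in name:
        # rsplit so only the last '@' is treated as the realm separator
        name = name.rsplit("@", 1)[0]
    return name


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, username):
    """Normalise the username and substitute it safely for '%s'."""
    bare = strip_principal(username)
    return template.replace("%s", ldap_filter_escape(bare))


def filter_is_balanced(flt):
    """Cheap sanity check: parentheses outside escapes must balance."""
    depth = 0
    for ch in re.sub(r"\\[0-9a-fA-F]{2}", "", flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    for raw in SAMPLE_USERS + ["*@DOMAIN.LOCAL"]:
        flt = build_filter(FILTER_TEMPLATE, raw)
        print(f"{raw!r:32} -> {strip_principal(raw)!r:10} balanced={filter_is_balanced(flt)}")
        print("   ", flt)
```

Running the script shows every sample form collapsing to the bare name that sAMAccountName holds, which is exactly why the attribute lookup in the answer works once the realm and NT domain are stripped; the '*@DOMAIN.LOCAL' case shows the escaped value \2a reaching the filter instead of a wildcard.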