
I'm having trouble with Squid Kerberos auth and the Squidguard ldapusersearch that I use to apply ACLs by Active Directory groups membership.

The problem is:

  • Squid and Squidguard see my user as: user@domain.local, so the '%s' variable of squidguard is 'user@domain.local'.
  • In my LDAP query there is no default property that can interpret this string.

Example:

src ldap {
        ldapusersearch ldap://dc1.domain.local:3268/dc=domain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group,OU=Groups,DC=domain,DC=local))
}

And sAMAccountName should be only 'user' and not 'user@domain.local'!!!

So I found a solution, but it's not very comfortable:

I edit an unused attribute of the AD user and write my Kerberos login into it, so my conf looks like this:

src ldap {
        ldapusersearch ldap://dc1.domain.local:3268/dc=domain,dc=local?displayNamePrintable?sub?(&(displayNamePrintable=%s)(memberOf=CN=group,OU=Groups,DC=domain,DC=local))
}

And it works!!!

Does anyone have an idea how to avoid the need to create a custom attribute in AD that contains it?

And by the way, userPrincipalName is the same as the email address and can't interpret the Kerberos login.

Andrew Schulman

2 Answers

I got this to work in my environment by querying LDAP for the userPrincipalName instead of sAMAccountName, as my Squid also returns user@domain.local from Kerberos/NTLM auth.

Also, be sure to use %20 instead of spaces, and when I was specifying the bind DN in my conf file I used quotes, as it had an & in the DN and squidGuard was not binding because of it.
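Added example, not code from the question or either answer: a small Python model of how squidGuard's ldapusersearch substitutes %s into the LDAP URL's filter, run against a constructed stand-in directory. It shows why the sAMAccountName filter never matches a Kerberos principal of the form user@domain.local while the userPrincipalName filter does, decodes %20 as the answer advises, and escapes the substituted name per RFC 4515 so an authenticated name cannot rewrite the filter. The DIRECTORY entries, the UPN_URL variant and all helper names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for the AD global catalog on dc1.domain.local:3268 (sample data, not a real domain).
DIRECTORY = [
    {"sAMAccountName": "user", "userPrincipalName": "user@domain.local",
     "memberOf": ["CN=group,OU=Groups,DC=domain,DC=local"]},
    {"sAMAccountName": "other", "userPrincipalName": "other@domain.local", "memberOf": []},
]

# The ldapusersearch URL from the question, and the userPrincipalName variant from the answer.
SAM_URL = ("ldap://dc1.domain.local:3268/dc=domain,dc=local?sAMAccountName?sub?"
           "(&(sAMAccountName=%s)(memberOf=CN=group,OU=Groups,DC=domain,DC=local))")
UPN_URL = SAM_URL.replace("sAMAccountName", "userPrincipalName")

def escape_filter_value(value):
    """RFC 4515 escaping: the authenticated name must not be able to alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value):
    """Reverse of escape_filter_value, as an LDAP server does before comparing values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def render_filter(url, principal):
    """Take the filter part of an RFC 4516 URL (ldap://host/base?attrs?scope?filter),
    decode %20 and friends, then substitute %s with the escaped principal as squidGuard does."""
    filt = unquote(url.split("?", 3)[3])
    return filt.replace("%s", escape_filter_value(principal))

def matches(entry, filt):
    """Evaluate an AND-of-equalities filter such as (&(a=v)(b=w)), case-insensitively like AD."""
    for attr, value in re.findall(r"\(([A-Za-z]+)=([^()]*)\)", filt):
        have = entry.get(attr, [])
        have = have if isinstance(have, list) else [have]
        if unescape_filter_value(value).lower() not in (v.lower() for v in have):
            return False
    return True

def ldapusersearch(url, principal):
    """Return the sAMAccountName of every directory entry the substituted filter matches."""
    filt = render_filter(url, principal)
    return [e["sAMAccountName"] for e in DIRECTORY if matches(e, filt)]

if __name__ == "__main__":
    print(ldapusersearch(SAM_URL, "user@domain.local"))   # [] : sAMAccountName is only 'user'
    print(ldapusersearch(UPN_URL, "user@domain.local"))   # ['user']
    print(ldapusersearch(UPN_URL, "other@domain.local"))  # [] : not a member of the group
    print(ldapusersearch(UPN_URL, "*)(memberOf=*"))       # [] : escaped, filter not rewritten
```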


You can use "userlist = userlist" (/var/squidGuard/userlist) instead of "user = foo bar".

Sergey