No, this line isn't wrong.

# The lines below refer to user authentication against AD
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389 (this is the port)

2009/12/18 Ricardo Souza <[email protected]>:
> Now it is not giving an error, but it is denying me everything.
>
> Since I can't run squid_ldap_auth to debug, it is difficult.
>
> My squid.conf:
> http_port 192.168.9.10:3128
> icp_port 3130
> hierarchy_stoplist cgi-bin ?
> #acl QUERY urlpath_regex cgi-bin ?
> #no_cache deny QUERY
> cache_mem 1500 MB
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size 9216 KB
> ipcache_size 1024
> ipcache_low 90
> ipcache_high 95
> fqdncache_size 1024
> cache_replacement_policy lru
> memory_replacement_policy lru
> cache_dir ufs /usr/local/squid/cache 2500 16 100
> cache_access_log /usr/local/squid/logs/access.log
> cache_store_log none
>
> # The lines below refer to user authentication against AD
> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389
> #/usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D "dc=autopass,cn=sq...@autopass" -w "squid123qwe" -f "sAMAccountName=%s" -h 192.168.9.12
>
> auth_param basic realm Este acesso será registrado Digite sua login e senha
> auth_param basic children 5
> auth_param basic credentialsttl 15 minutes
>
> emulate_httpd_log on
> mime_table /usr/local/etc/squid/mime.conf
> pid_filename /usr/local/squid/logs/squid.pid
> ftp_user [email protected]
> ftp_passive on
> #unlinkd_program /usr/local/squid/libexec/unlinkd
>
> # External ACL for authentication against the PDC's LDAP bases
> external_acl_type ldap_group %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=autopass" -D "cn=autopass\squid,dc=autopass" -w "squid123qwe" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,dc=autopass))" -h 192.168.9.12:389
>
>
> #acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443 563 9141
> acl Safe_ports port 80 # http
> acl Safe_ports port 81
> acl Safe_ports port 82
> acl Safe_ports port 85
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> # The ACL below blocks access by IP
> #acl block_ip src "/usr/local/squid/etc/ips_bloqueados"
>
> # The ACL below blocks MSN
> #acl dst_msn dstdomain -i "/usr/local/squid/etc/msn_domain"
>
> # The ACL below blocks downloads of files with the extensions exe mp3 wma wmv mpg avi asf
> acl block_arq urlpath_regex -i .com$ .exe$ .scr$ .mp3$ .mpeg$ .wma$ .wmv$ .mpg$ .avi$ .pif$
>
> #acl palavra_download url_regex -i "/usr/local/squid/etc/palavra_download-url"
>
> # The ACLs below relax content control from 12:00 to 13:30
> # Put the sites to be released from 12 to 13 in the file /usr/local/squid/etc/libera_almoco
> #acl libera_sites url_regex -i "/usr/local/squid/etc/libera_almoco" #sites from "libera_almoco"
> #acl almoco time SMTWHFA 12:00-13:30 #allows access from 12 to 13:30 #Monday to Sunday.
>
> # The ACL below allows some sites to be accessed without authentication, such as banks, government and Abrapetite
> acl libera_restritos dstdomain -i "/usr/local/squid/sites_liberados" # Allows some sites for users without access
>
> # Content control ACLs
> #acl dominio_bloqueado dstdomain -i "/usr/local/squid/etc/block_dominio"
> #acl dominio_liberado dstdomain -i "/usr/local/squid/etc/libera_dominio"
> #acl sex url_regex -i "/usr/local/squid/etc/porno"
> #acl nosex url_regex -i "/usr/local/squid/etc/naoporno"
> # ACLs_ACTIVE_DIRECTORY
> acl ldapAcessoRestrito external ldap_group AcessoRestrito # Access group with restrictions
> acl ldapAcessoPadrao external ldap_group AcessoPadrao # Standard internet access
> acl ldapAcessoTotal external ldap_group AcessoTotal # Full internet access
> acl ldapAcessoDownload external ldap_group AcessoDownload # Allows downloading files with blocked extensions.
>
> # The ACL below unblocks downloads for the AcessoPadrao group
> #acl download_url url_regex "/usr/local/squid/etc/libera_download-url"
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> #http_access deny block_ip
>
> http_access allow libera_restritos
> http_access deny ldapAcessoRestrito
> http_access allow ldapAcessoTotal
> #http_access deny dst_msn
> #http_access allow dominio_liberado
> #http_access allow libera_sites almoco
> #http_access deny dominio_bloqueado
> #http_access allow ldapAcessoDownload block_arq
> #http_access allow ldapAcessoDownload palavra_download
> #http_access allow download_url
> #http_access deny block_arq
> #http_access allow nosex
> #http_access deny sex
> http_access allow ldapAcessoPadrao
> http_access allow manager localhost
> http_access deny manager
> http_access deny all
> icp_access allow all
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname proxy.reboucas.autopass.com.br
> unique_hostname proxy.reboucas.autopass.com.br
> append_domain .autopass.com.br
> acl local-servers dstdomain autopass.com.br
> acl local-serverspr dstdomain cmtsp.com.br
> always_direct allow local-servers
> always_direct allow local-serverspr
> #error_directory /usr/local/squid/share/errors/Portuguese
>
>
> access.log:
> 92.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
> 192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
> 192.168.9.173 - rasouza [18/Dec/2009:15:33:31 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>
>
> 2009/12/18 Vinicius Abrahao <[email protected]>
>
>> 2009/12/18 Ricardo Souza <[email protected]>:
>> > I can't use this one either.
>> >
>> > ldap_bind: Invalid credentials (49)
>> > additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
>> > caos#
>> >
>>
>> According to IBM, 525 is "user not found":
>> http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
>>
>> Try to confirm that your LDAP tree really looks like this:
>> "cn=squid,ou=users,dc=autopass"
>>
>> The ldifde program can help you with that:
>> http://www.computerperformance.co.uk/Logon/Logon_LDIFDE_Export.htm
>>
>>
>> Regards,
>> Vinicius
>> -------------------------
>> Archive: http://www.fug.com.br/historico/html/freebsd/
>> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>>

--
Alessandro de Souza Rocha
Network and Systems Administrator
FreeBSD-BR User #117
Long live FreeBSD
Powered by .... (__) \\\'',) \/ \ ^ .\._/_) www.FreeBSD.org
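The access.log excerpt in Ricardo's message shows the pattern that matters when debugging a helper you cannot run by hand: every request from the same client carries a username (rasouza) and still gets 407 TCP_DENIED:NONE. A single 407 with "-" in the user field is just Squid's initial challenge; repeated 407s that already carry a username mean the browser is presenting credentials and the proxy is not accepting them, so the problem sits in the basic-auth helper or the external ACL, not in the client. The parser below is an added example, not part of this thread or of Squid's own tooling: it reads lines in the emulate_httpd_log format shown above (Apache common log plus Squid's trailing result:hierarchy field), tallies challenges versus allowed requests per user, and lists users who only ever receive challenges. The three rasouza lines are copied from the thread (including the truncated client address in the first one); the other lines, the user names and the threshold of three challenges are constructed for the example.

```python
import re
from collections import defaultdict

# emulate_httpd_log on: Apache common log layout followed by Squid's
# "result_code:hierarchy" field, e.g. "... 407 4345 TCP_DENIED:NONE".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<result>[^:\s]+):(?P<hier>\S+)$'
)

# Constructed sample: the first three lines are the ones quoted in the thread,
# the remaining ones are made up to show a normal first challenge and a success.
SAMPLE_LOG = """\
92.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
192.168.9.173 - rasouza [18/Dec/2009:15:33:31 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
192.168.9.50 - - [18/Dec/2009:15:40:02 -0200] "GET http://www.example.com/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
192.168.9.50 - jdoe [18/Dec/2009:15:40:03 -0200] "GET http://www.example.com/ HTTP/1.1" 200 1532 TCP_MISS:DIRECT
this line is not in log format and is skipped
"""


def parse_line(line):
    """Parse one access.log line; return a dict of fields or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def summarize_auth(lines):
    """Per-user counts: 407 challenges, other denials, and allowed requests."""
    stats = defaultdict(lambda: {'challenged': 0, 'denied_other': 0, 'allowed': 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = stats[rec['user']]
        if rec['status'] == 407:
            bucket['challenged'] += 1
        elif rec['result'].startswith('TCP_DENIED'):
            bucket['denied_other'] += 1
        else:
            bucket['allowed'] += 1
    return dict(stats)


def suspected_helper_failures(stats, threshold=3):
    """Users who presented a name but never got past the 407 challenge.

    The anonymous user '-' is excluded: its 407s are the normal first challenge.
    'threshold' is a constructed choice for this example, not a Squid setting.
    """
    return sorted(
        user for user, s in stats.items()
        if user != '-' and s['challenged'] >= threshold and s['allowed'] == 0
    )


if __name__ == '__main__':
    stats = summarize_auth(SAMPLE_LOG.splitlines())
    for user, s in sorted(stats.items()):
        print(f"{user:10} challenged={s['challenged']} denied_other={s['denied_other']} allowed={s['allowed']}")
    print('check the auth helper / external ACL for:', suspected_helper_failures(stats))
```

On the sample above the script reports rasouza as the only user stuck behind the challenge, which matches what the thread is chasing: the next step is to feed the helper a "username password" line on stdin and read its OK/ERR answer directly, which is the step Ricardo says he could not perform.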

