No luck. The big point there was the suggestion to use -s sub to search all scopes.

Now I get this error: squid_ldap_auth: WARNING, LDAP search error 'Operations error'

/usr/local/libexec/squid/squid_ldap_auth -b "CN=USers,DC=AUTOPASS" -v 3 -R -h 192.168.9.12 -p 389 -f "uid=%s" -s sub
squid mypass
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR Success
^C

2009/12/18 Alessandro de Souza Rocha <[email protected]>:
> http://www.mail-archive.com/[email protected]/msg37677.html
>
> 2009/12/18 Ricardo Souza <[email protected]>:
>> caos# /usr/local/libexec/squid/squid_ldap_group -R -b "OU=Intranet,DC=AUTOPASS" -D "CN=squid,CN=Users,DC=AUTOPASS" -w "mypass" -f "(&(objectclass=person)(sAMAccountName=rasouza)(memberof=cn=%a,ou=Internet,dc=autopass))" -h 192.168.9.12:389
>> USERID squid PASSWORD mypas
>> squid_ldap_group WARNING, LDAP search error 'No such object'
>> squid_ldap_group WARNING, LDAP search error 'No such object'
>> squid_ldap_group WARNING, LDAP search error 'No such object'
>> ERR
>> ^C
>> caos#
>>
>> I'm almost there!
>>
>> 2009/12/18 Ricardo Souza <[email protected]>:
>>> Hey..
>>>
>>> I managed to run ldapsearch.
>>>
>>> ldapsearch -b "CN=squid,CN=Users,DC=AUTOPASS" -D "CN=squid,CN=Users,DC=AUTOPASS" -w "mypass" -h 192.168.9.12:389
>>>
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <CN=squid,CN=Users,DC=AUTOPASS> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # squid, Users, AUTOPASS
>>> dn: CN=squid,CN=Users,DC=AUTOPASS
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: squid
>>> givenName: squid
>>> distinguishedName: CN=squid,CN=Users,DC=AUTOPASS
>>> instanceType: 4
>>> whenCreated: 20091218183503.0Z
>>> whenChanged: 20091218183835.0Z
>>> displayName: squid
>>> uSNCreated: 270480
>>> uSNChanged: 270501
>>> name: squid
>>> objectGUID:: 4XXzOkIREUqcOnLRQJHBNA==
>>> userAccountControl: 66048
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> lastLogon: 0
>>> pwdLastSet: 129056349038798893
>>> primaryGroupID: 513
>>> objectSid:: AQUAAAAAAAUVAAAAq/a0vxuVjyQhgb1QKwUAAA==
>>> accountExpires: 9223372036854775807
>>> logonCount: 0
>>> sAMAccountName: squid
>>> sAMAccountType: 805306368
>>> userPrincipalName: sq...@autopass
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AUTOPASS
>>> dSCorePropagationData: 16010101000000.0Z
>>> lastLogonTimestamp: 129056351153699501
>>>
>>> It's just that squid_ldap_auth and the group helper still return nothing.
>>>
>>> Any suggestions?
>>>
>>> 2009/12/18 Alessandro de Souza Rocha <[email protected]>:
>>>> This line is not wrong.
>>>> # The lines below handle user authentication against AD
>>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389 (this is the port)
>>>>
>>>> 2009/12/18 Ricardo Souza <[email protected]>:
>>>>> Now it isn't giving an error, but it is denying me everything.
>>>>>
>>>>> Since I can't run squid_ldap_auth to debug, it's hard.
>>>>>
>>>>> My squid.conf:
>>>>> http_port 192.168.9.10:3128
>>>>> icp_port 3130
>>>>> hierarchy_stoplist cgi-bin ?
>>>>> #acl QUERY urlpath_regex cgi-bin ?
>>>>> #no_cache deny QUERY
>>>>> cache_mem 1500 MB
>>>>> cache_swap_low 90
>>>>> cache_swap_high 95
>>>>> maximum_object_size 9216 KB
>>>>> ipcache_size 1024
>>>>> ipcache_low 90
>>>>> ipcache_high 95
>>>>> fqdncache_size 1024
>>>>> cache_replacement_policy lru
>>>>> memory_replacement_policy lru
>>>>> cache_dir ufs /usr/local/squid/cache 2500 16 100
>>>>> cache_access_log /usr/local/squid/logs/access.log
>>>>> cache_store_log none
>>>>>
>>>>> # The lines below handle user authentication against AD
>>>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389
>>>>> #/usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D "dc=autopass,cn=sq...@autopass" -w "squid123qwe" -f "sAMAccountName=%s" -h 192.168.9.12
>>>>>
>>>>> auth_param basic realm Este acesso será registrado Digite sua login e senha
>>>>> auth_param basic children 5
>>>>> auth_param basic credentialsttl 15 minutes
>>>>>
>>>>> emulate_httpd_log on
>>>>> mime_table /usr/local/etc/squid/mime.conf
>>>>> pid_filename /usr/local/squid/logs/squid.pid
>>>>> ftp_user [email protected]
>>>>> ftp_passive on
>>>>> #unlinkd_program /usr/local/squid/libexec/unlinkd
>>>>>
>>>>> # External ACL for authentication against the PDC's LDAP directories
>>>>> external_acl_type ldap_group %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=autopass" -D "cn=autopass\squid,dc=autopass" -w "squid123qwe" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,dc=autopass))" -h 192.168.9.12:389
>>>>>
>>>>> #acl all src 0.0.0.0/0.0.0.0
>>>>> acl manager proto cache_object
>>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>>> acl SSL_ports port 443 563 9141
>>>>> acl Safe_ports port 80 # http
>>>>> acl Safe_ports port 81
>>>>> acl Safe_ports port 82
>>>>> acl Safe_ports port 85
>>>>> acl Safe_ports port 21 # ftp
>>>>> acl Safe_ports port 443 563 # https, snews
>>>>> acl Safe_ports port 70 # gopher
>>>>> acl Safe_ports port 210 # wais
>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>> acl Safe_ports port 280 # http-mgmt
>>>>> acl Safe_ports port 488 # gss-http
>>>>> acl Safe_ports port 591 # filemaker
>>>>> acl Safe_ports port 777 # multiling http
>>>>> acl CONNECT method CONNECT
>>>>>
>>>>> # The ACL below blocks access by IP
>>>>> #acl block_ip src "/usr/local/squid/etc/ips_bloqueados"
>>>>>
>>>>> # The ACL below blocks MSN
>>>>> #acl dst_msn dstdomain -i "/usr/local/squid/etc/msn_domain"
>>>>>
>>>>> # The ACL below blocks downloads of files with the extensions exe mp3 wma wmv mpg avi asf
>>>>> acl block_arq urlpath_regex -i .com$ .exe$ .scr$ .mp3$ .mpeg$ .wma$ .wmv$ .mpg$ .avi$ .pif$
>>>>>
>>>>> #acl palavra_download url_regex -i "/usr/local/squid/etc/palavra_download-url"
>>>>>
>>>>> # The ACLs below relax content control from 12:00 to 13:30
>>>>> # Put the sites to be allowed from 12 to 13 in the file /usr/local/squid/etc/libera_almoco
>>>>> #acl libera_sites url_regex -i "/usr/local/squid/etc/libera_almoco" #sites from "libera_almoco"
>>>>> #acl almoco time SMTWHFA 12:00-13:30 #allows access from 12 to 13:30 #Monday through Sunday
>>>>>
>>>>> # The ACL below allows some sites without authentication, such as banks, government and Abrapetite
>>>>> acl libera_restritos dstdomain -i "/usr/local/squid/sites_liberados" # Allows some sites for users without access
>>>>>
>>>>> # Content control ACLs
>>>>> #acl dominio_bloqueado dstdomain -i "/usr/local/squid/etc/block_dominio"
>>>>> #acl dominio_liberado dstdomain -i "/usr/local/squid/etc/libera_dominio"
>>>>> #acl sex url_regex -i "/usr/local/squid/etc/porno"
>>>>> #acl nosex url_regex -i "/usr/local/squid/etc/naoporno"
>>>>> # ACLs_ACTIVE_DIRECTORY
>>>>> acl ldapAcessoRestrito external ldap_group AcessoRestrito # Restricted access group
>>>>> acl ldapAcessoPadrao external ldap_group AcessoPadrao # Standard internet access
>>>>> acl ldapAcessoTotal external ldap_group AcessoTotal # Full internet access
>>>>> acl ldapAcessoDownload external ldap_group AcessoDownload # Allows download of files with blocked extensions.
>>>>>
>>>>> # The ACL below unblocks downloads for the AcessoPadrao group
>>>>> #acl download_url url_regex "/usr/local/squid/etc/libera_download-url"
>>>>>
>>>>> http_access deny !Safe_ports
>>>>> http_access deny CONNECT !SSL_ports
>>>>> #http_access deny block_ip
>>>>>
>>>>> http_access allow libera_restritos
>>>>> http_access deny ldapAcessoRestrito
>>>>> http_access allow ldapAcessoTotal
>>>>> #http_access deny dst_msn
>>>>> #http_access allow dominio_liberado
>>>>> #http_access allow libera_sites almoco
>>>>> #http_access deny dominio_bloqueado
>>>>> #http_access allow ldapAcessoDownload block_arq
>>>>> #http_access allow ldapAcessoDownload palavra_download
>>>>> #http_access allow download_url
>>>>> #http_access deny block_arq
>>>>> #http_access allow nosex
>>>>> #http_access deny sex
>>>>> http_access allow ldapAcessoPadrao
>>>>> http_access allow manager localhost
>>>>> http_access deny manager
>>>>> http_access deny all
>>>>> icp_access allow all
>>>>> cache_effective_user squid
>>>>> cache_effective_group squid
>>>>> visible_hostname proxy.reboucas.autopass.com.br
>>>>> unique_hostname proxy.reboucas.autopass.com.br
>>>>> append_domain .autopass.com.br
>>>>> acl local-servers dstdomain autopass.com.br
>>>>> acl local-serverspr dstdomain cmtsp.com.br
>>>>> always_direct allow local-servers
>>>>> always_direct allow local-serverspr
>>>>> #error_directory /usr/local/squid/share/errors/Portuguese
>>>>>
>>>>> access.log:
>>>>> 92.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:31 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>>
>>>>> 2009/12/18 Vinicius Abrahao <[email protected]>
>>>>>
>>>>>> 2009/12/18 Ricardo Souza <[email protected]>:
>>>>>> > I can't use this one either.
>>>>>> >
>>>>>> > ldap_bind: Invalid credentials (49)
>>>>>> > additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
>>>>>> > caos#
>>>>>> >
>>>>>>
>>>>>> According to what IBM tells us, 525 is "user not found":
>>>>>> http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
>>>>>>
>>>>>> Try to confirm that your LDAP tree really looks like this:
>>>>>> "cn=squid,ou=users,dc=autopass"
>>>>>>
>>>>>> The ldifde program can help you with that:
>>>>>> http://www.computerperformance.co.uk/Logon/Logon_LDIFDE_Export.htm
>>>>>>
>>>>>> Regards,
>>>>>> Vinicius
>>>>>> -------------------------
>>>>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>>>>> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>
>>>>
>>>> --
>>>> Alessandro de Souza Rocha
>>>> Network and Systems Administrator
>>>> FreeBSD-BR User #117
>>>> Long live FreeBSD
>>>>
>>>> Powered by ....
>>>>
>>>>     (__)
>>>>  \\\'',)
>>>>    \/ \ ^
>>>>    .\._/_)
>>>>
>>>> www.FreeBSD.org
>>>
>>
>
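The thread turns on three things: the search base and scope handed to the helper (-b together with -s sub), the attribute used in the filter (uid=%s versus sAMAccountName=%s; AD users carry sAMAccountName but no uid attribute by default), and the fact that the helper splices the name the user typed into that filter. The Python below is an added example, not the Squid helpers' code and not anything posted to the list: it models squid_ldap_auth's search-then-bind and squid_ldap_group's memberOf filter against a small in-memory directory constructed here (the DNs, accounts and passwords are made up), escapes the user name per RFC 4515 before building the filter, and refuses to "bind" unless the search found exactly one entry. It assumes the search is performed by an authenticated service account, which the last command in the thread, run without -D and -w, does not do.

```python
"""Model of the search-then-bind done by Squid's LDAP helpers, run against an
in-memory directory constructed here.  No network; illustrative only."""
import hmac
import re

# Constructed sample tree (DNs, accounts and passwords are made up for this example).
DIRECTORY = {
    "CN=squid,CN=Users,DC=autopass": {
        "objectClass": ["person", "user"], "sAMAccountName": ["squid"],
        "userPassword": ["svc-secret"], "memberOf": [],
    },
    "CN=Ricardo Souza,OU=Intranet,DC=autopass": {
        "objectClass": ["person", "user"], "sAMAccountName": ["rasouza"],
        "userPassword": ["user-secret"],
        "memberOf": ["CN=AcessoPadrao,OU=Internet,DC=autopass"],
    },
    "CN=AcessoPadrao,OU=Internet,DC=autopass": {
        "objectClass": ["group"], "sAMAccountName": ["AcessoPadrao"],
    },
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def split_dn(dn):
    """Lower-cased RDN list, rightmost RDN last (escaped commas are not handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """Does entry_dn fall within base_dn for scope 'base', 'one' or 'sub'?"""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # not under the base at all
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

_TERM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")

def parse_filter(filt):
    """Parse '(a=v)' or '(&(a=v)(b=w)...)' into [(attr, value)], decoding
    RFC 4515 escapes; any other shape is rejected as malformed."""
    body = filt[2:-1] if filt.startswith("(&") else filt
    terms = _TERM.findall(body)
    if not terms or "".join("(%s=%s)" % t for t in terms) != body:
        raise ValueError("unsupported or malformed filter: %r" % filt)
    if not filt.startswith("(&") and len(terms) != 1:
        raise ValueError("several terms without an AND: %r" % filt)
    def unescape(v):
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)
    return [(attr, unescape(val)) for attr, val in terms]

def filter_is_valid(filt):
    try:
        parse_filter(filt)
        return True
    except ValueError:
        return False

def search(base_dn, scope, terms):
    """DNs under base_dn (per scope) whose attributes satisfy every
    (attr, value) equality in terms, compared case-insensitively."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not in_scope(dn, base_dn, scope):
            continue
        lowered = {k.lower(): [v.lower() for v in vs] for k, vs in attrs.items()}
        if all(want.lower() in lowered.get(attr.lower(), []) for attr, want in terms):
            hits.append(dn)
    return hits

def authenticate(username, password, base_dn, scope, template="sAMAccountName=%s"):
    """squid_ldap_auth model: search for the user with the -f template, then
    verify the password (a bind as the found DN in the real helper)."""
    try:
        terms = parse_filter("(" + template % escape_filter_value(username) + ")")
    except ValueError:
        return "ERR"
    hits = search(base_dn, scope, terms)
    if len(hits) != 1:                    # not found, or ambiguous: never bind
        return "ERR"
    stored = DIRECTORY[hits[0]].get("userPassword", [""])[0]
    return "OK" if hmac.compare_digest(stored.encode(), password.encode()) else "ERR"

def check_group(username, group, base_dn, scope):
    """squid_ldap_group model using the thread's filter shape (memberOf = group DN)."""
    group_dn = "CN=%s,OU=Internet,DC=autopass" % group
    filt = "(&(objectclass=person)(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(username), escape_filter_value(group_dn))
    return "OK" if search(base_dn, scope, parse_filter(filt)) else "ERR"

if __name__ == "__main__":
    for base, scope in [("DC=autopass", "sub"), ("DC=autopass", "one"),
                        ("CN=Users,DC=autopass", "sub")]:
        print("-b %-22s -s %-4s -> %s" % (base, scope,
              authenticate("rasouza", "user-secret", base, scope)))
    print("uid=%s against AD          ->",
          authenticate("rasouza", "user-secret", "DC=autopass", "sub", "uid=%s"))
    print("group AcessoPadrao         ->",
          check_group("rasouza", "AcessoPadrao", "DC=autopass", "sub"))
```

Running it shows the pattern the thread was chasing: the user under OU=Intranet is only found from the domain root with subtree scope, is never found below CN=Users whatever the scope, and is never found at all with a uid= filter. The name is escaped before it enters the filter, so a value containing parentheses or an asterisk stays a literal and simply matches nothing.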

