Does anyone here use squid_ldap_group querying an AD on Windows 2008? The squid user is in Ou=Internet,DC=AUTOPASS. I can't get the query to work.
caos# /usr/local/libexec/squid/squid_ldap_group -b "CN=squid,OU=Internet,DC=autopass" -D "cn=squid,ou=internet,dc=autopass" -w "mypass" -f '(&(uid=%u))' -h 192.168.9.12 -p 389 -v3
squid mypass
ERR

2009/12/18 Ricardo Souza <[email protected]>:
> It's getting better.
>
> caos# squid/usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D "cn=squid,ou=Internet,dc=autopass" -w "squid123qwe" -f sAMAccountName=%s -h 192.168.9.12 -p
> caos# /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D "cn=squid,ou=Internet,dc=autopass" -w "mypass" -f sAMAccountName=%s -h 192.168.9.12 -p
> squid mypass
> OK
> ^C
> caos#
>
> Now only the group is missing.
>
> 2009/12/18 Ricardo Souza <[email protected]>:
>> No go.
>>
>> The big thing there was the suggestion to use -s sub to search in all scopes.
>>
>> Now I get the error: squid_ldap_auth: WARNING, LDAP search error 'Operations error'
>>
>> /usr/local/libexec/squid/squid_ldap_auth -b "CN=USers,DC=AUTOPASS" -v 3 -R -h 192.168.9.12 -p 389 -f "uid=%s" -s sub
>> squid mypass
>> squid_ldap_auth: WARNING, LDAP search error 'Operations error'
>> ERR Success
>> ^C
>>
>> 2009/12/18 Alessandro de Souza Rocha <[email protected]>:
>>> http://www.mail-archive.com/[email protected]/msg37677.html
>>>
>>> 2009/12/18 Ricardo Souza <[email protected]>:
>>>> caos# /usr/local/libexec/squid/squid_ldap_group -R -b "OU=Intranet,DC=AUTOPASS" -D "CN=squid,CN=Users,DC=AUTOPASS" -w "mypass" -f "(&(objectclass=person)(sAMAccountName=rasouza)(memberof=cn=%a,ou=Internet,dc=autopass))" -h 192.168.9.12:389
>>>> USERID squid PASSWORD mypas
>>>> squid_ldap_group WARNING, LDAP search error 'No such object'
>>>> squid_ldap_group WARNING, LDAP search error 'No such object'
>>>> squid_ldap_group WARNING, LDAP search error 'No such object'
>>>> ERR
>>>> ^C
>>>> caos#
>>>>
>>>> I'm almost there!
>>>>
>>>> 2009/12/18 Ricardo Souza <[email protected]>:
>>>>> Alright..
>>>>>
>>>>> I managed to run ldapsearch.
>>>>>
>>>>> ldapsearch -b "CN=squid,CN=Users,DC=AUTOPASS" -D "CN=squid,CN=Users,DC=AUTOPASS" -w "mypass" -h 192.168.9.12:389
>>>>>
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <CN=squid,CN=Users,DC=AUTOPASS> with scope subtree
>>>>> # filter: (objectclass=*)
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # squid, Users, AUTOPASS
>>>>> dn: CN=squid,CN=Users,DC=AUTOPASS
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn: squid
>>>>> givenName: squid
>>>>> distinguishedName: CN=squid,CN=Users,DC=AUTOPASS
>>>>> instanceType: 4
>>>>> whenCreated: 20091218183503.0Z
>>>>> whenChanged: 20091218183835.0Z
>>>>> displayName: squid
>>>>> uSNCreated: 270480
>>>>> uSNChanged: 270501
>>>>> name: squid
>>>>> objectGUID:: 4XXzOkIREUqcOnLRQJHBNA==
>>>>> userAccountControl: 66048
>>>>> badPwdCount: 0
>>>>> codePage: 0
>>>>> countryCode: 0
>>>>> badPasswordTime: 0
>>>>> lastLogoff: 0
>>>>> lastLogon: 0
>>>>> pwdLastSet: 129056349038798893
>>>>> primaryGroupID: 513
>>>>> objectSid:: AQUAAAAAAAUVAAAAq/a0vxuVjyQhgb1QKwUAAA==
>>>>> accountExpires: 9223372036854775807
>>>>> logonCount: 0
>>>>> sAMAccountName: squid
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: sq...@autopass
>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AUTOPASS
>>>>> dSCorePropagationData: 16010101000000.0Z
>>>>> lastLogonTimestamp: 129056351153699501
>>>>>
>>>>> But squid_ldap_auth and the group helper still return nothing.
>>>>>
>>>>> Any suggestions?
>>>>>
>>>>> 2009/12/18 Alessandro de Souza Rocha <[email protected]>:
>>>>>> this line is not wrong.
>>>>>> # The lines below refer to user authentication against AD
>>>>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389 (this is the port)
>>>>>>
>>>>>> 2009/12/18 Ricardo Souza <[email protected]>:
>>>>>>> Now it's not giving an error, but it's denying me everything.
>>>>>>>
>>>>>>> Since I can't run squid_ldap_auth to debug it, it's difficult.
>>>>>>>
>>>>>>> My squid.conf:
>>>>>>> http_port 192.168.9.10:3128
>>>>>>> icp_port 3130
>>>>>>> hierarchy_stoplist cgi-bin ?
>>>>>>> #acl QUERY urlpath_regex cgi-bin ?
>>>>>>> #no_cache deny QUERY
>>>>>>> cache_mem 1500 MB
>>>>>>> cache_swap_low 90
>>>>>>> cache_swap_high 95
>>>>>>> maximum_object_size 9216 KB
>>>>>>> ipcache_size 1024
>>>>>>> ipcache_low 90
>>>>>>> ipcache_high 95
>>>>>>> fqdncache_size 1024
>>>>>>> cache_replacement_policy lru
>>>>>>> memory_replacement_policy lru
>>>>>>> cache_dir ufs /usr/local/squid/cache 2500 16 100
>>>>>>> cache_access_log /usr/local/squid/logs/access.log
>>>>>>> cache_store_log none
>>>>>>>
>>>>>>> # The lines below refer to user authentication against AD
>>>>>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389
>>>>>>> #/usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D "dc=autopass,cn=sq...@autopass" -w "squid123qwe" -f "sAMAccountName=%s" -h 192.168.9.12
>>>>>>>
>>>>>>> auth_param basic realm Este acesso será registrado Digite sua login e senha
>>>>>>> auth_param basic children 5
>>>>>>> auth_param basic credentialsttl 15 minutes
>>>>>>>
>>>>>>> emulate_httpd_log on
>>>>>>> mime_table /usr/local/etc/squid/mime.conf
>>>>>>> pid_filename /usr/local/squid/logs/squid.pid
>>>>>>> ftp_user [email protected]
>>>>>>> ftp_passive on
>>>>>>> #unlinkd_program /usr/local/squid/libexec/unlinkd
>>>>>>>
>>>>>>> # External ACL for authentication against the PDC's LDAP databases
>>>>>>> external_acl_type ldap_group %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=autopass" -D "cn=autopass\squid,dc=autopass" -w "squid123qwe" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,dc=autopass))" -h 192.168.9.12:389
>>>>>>>
>>>>>>> #acl all src 0.0.0.0/0.0.0.0
>>>>>>> acl manager proto cache_object
>>>>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>>>>> acl SSL_ports port 443 563 9141
>>>>>>> acl Safe_ports port 80 # http
>>>>>>> acl Safe_ports port 81
>>>>>>> acl Safe_ports port 82
>>>>>>> acl Safe_ports port 85
>>>>>>> acl Safe_ports port 21 # ftp
>>>>>>> acl Safe_ports port 443 563 # https, snews
>>>>>>> acl Safe_ports port 70 # gopher
>>>>>>> acl Safe_ports port 210 # wais
>>>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>>>> acl Safe_ports port 280 # http-mgmt
>>>>>>> acl Safe_ports port 488 # gss-http
>>>>>>> acl Safe_ports port 591 # filemaker
>>>>>>> acl Safe_ports port 777 # multiling http
>>>>>>> acl CONNECT method CONNECT
>>>>>>>
>>>>>>> # The ACL below blocks access by IP
>>>>>>> #acl block_ip src "/usr/local/squid/etc/ips_bloqueados"
>>>>>>>
>>>>>>> # The ACL below blocks MSN
>>>>>>> #acl dst_msn dstdomain -i "/usr/local/squid/etc/msn_domain"
>>>>>>>
>>>>>>> # The ACL below blocks downloads of files with the extensions exe mp3 wma wmv mpg avi asf
>>>>>>> acl block_arq urlpath_regex -i .com$ .exe$ .scr$ .mp3$ .mpeg$ .wma$ .wmv$ .mpg$ .avi$ .pif$
>>>>>>>
>>>>>>> #acl palavra_download url_regex -i "/usr/local/squid/etc/palavra_download-url"
>>>>>>>
>>>>>>> # The ACLs below relax content control from 12:00 to 13:30
>>>>>>> # Put the sites to be allowed from 12 to 13 in the file /usr/local/squid/etc/libera_almoco
>>>>>>> #acl libera_sites url_regex -i "/usr/local/squid/etc/libera_almoco" #sites from "libera_almoco"
>>>>>>> #acl almoco time SMTWHFA 12:00-13:30 #allows access from 12 to 13:30 #Monday through Sunday.
>>>>>>>
>>>>>>> # The ACL below allows some sites without authentication, such as banks, government and Abrapetite
>>>>>>> acl libera_restritos dstdomain -i "/usr/local/squid/sites_liberados" # Allows some sites for users without access
>>>>>>>
>>>>>>> # Content control ACLs
>>>>>>> #acl dominio_bloqueado dstdomain -i "/usr/local/squid/etc/block_dominio"
>>>>>>> #acl dominio_liberado dstdomain -i "/usr/local/squid/etc/libera_dominio"
>>>>>>> #acl sex url_regex -i "/usr/local/squid/etc/porno"
>>>>>>> #acl nosex url_regex -i "/usr/local/squid/etc/naoporno"
>>>>>>> # ACLs_ACTIVE_DIRECTORY
>>>>>>> acl ldapAcessoRestrito external ldap_group AcessoRestrito # Group with restricted access
>>>>>>> acl ldapAcessoPadrao external ldap_group AcessoPadrao # Default internet access
>>>>>>> acl ldapAcessoTotal external ldap_group AcessoTotal # Full internet access
>>>>>>> acl ldapAcessoDownload external ldap_group AcessoDownload # Allows downloading files with blocked extensions.
>>>>>>>
>>>>>>> # The ACL below unblocks downloads for the AcessoPadrao group
>>>>>>> #acl download_url url_regex "/usr/local/squid/etc/libera_download-url"
>>>>>>>
>>>>>>> http_access deny !Safe_ports
>>>>>>> http_access deny CONNECT !SSL_ports
>>>>>>> #http_access deny block_ip
>>>>>>>
>>>>>>> http_access allow libera_restritos
>>>>>>> http_access deny ldapAcessoRestrito
>>>>>>> http_access allow ldapAcessoTotal
>>>>>>> #http_access deny dst_msn
>>>>>>> #http_access allow dominio_liberado
>>>>>>> #http_access allow libera_sites almoco
>>>>>>> #http_access deny dominio_bloqueado
>>>>>>> #http_access allow ldapAcessoDownload block_arq
>>>>>>> #http_access allow ldapAcessoDownload palavra_download
>>>>>>> #http_access allow download_url
>>>>>>> #http_access deny block_arq
>>>>>>> #http_access allow nosex
>>>>>>> #http_access deny sex
>>>>>>> http_access allow ldapAcessoPadrao
>>>>>>> http_access allow manager localhost
>>>>>>> http_access deny manager
>>>>>>> http_access deny all
>>>>>>> icp_access allow all
>>>>>>> cache_effective_user squid
>>>>>>> cache_effective_group squid
>>>>>>> visible_hostname proxy.reboucas.autopass.com.br
>>>>>>> unique_hostname proxy.reboucas.autopass.com.br
>>>>>>> append_domain .autopass.com.br
>>>>>>> acl local-servers dstdomain autopass.com.br
>>>>>>> acl local-serverspr dstdomain cmtsp.com.br
>>>>>>> always_direct allow local-servers
>>>>>>> always_direct allow local-serverspr
>>>>>>> #error_directory /usr/local/squid/share/errors/Portuguese
>>>>>>>
>>>>>>> access.log:
>>>>>>> 92.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>>>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:31 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>>>>>>
>>>>>>> 2009/12/18 Vinicius Abrahao <[email protected]>
>>>>>>>
>>>>>>>> 2009/12/18 Ricardo Souza <[email protected]>:
>>>>>>>> > I can't use this one either.
>>>>>>>> >
>>>>>>>> > ldap_bind: Invalid credentials (49)
>>>>>>>> > additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
>>>>>>>> > caos#
>>>>>>>>
>>>>>>>> According to IBM, 525 is "user not found":
>>>>>>>> http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
>>>>>>>>
>>>>>>>> Try to confirm that your LDAP tree really looks like this:
>>>>>>>> "cn=squid,ou=users,dc=autopass"
>>>>>>>>
>>>>>>>> The ldifde program can help you with that:
>>>>>>>> http://www.computerperformance.co.uk/Logon/Logon_LDIFDE_Export.htm
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Vinicius
>>>>>>>> -------------------------
>>>>>>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>>>>>>> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>>
>>>>>> --
>>>>>> Alessandro de Souza Rocha
>>>>>> Network and Systems Administrator
>>>>>> FreeBSD-BR User #117
>>>>>> Long live FreeBSD
>>>>>>
>>>>>> Powered by ....
>>>>>>
>>>>>> (__)
>>>>>> \\\'',)
>>>>>> \/ \ ^
>>>>>> .\._/_)
>>>>>>
>>>>>> www.FreeBSD.org
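As an added example, not part of the thread and not Squid's or squid_ldap_group's own code: a small Python sketch of what a group helper does with the request line Squid hands it ("login group [group ...]"), using the -f template from the squid.conf above, with RFC 4515 escaping so a login name cannot rewrite the filter, plus a decoder for the "data 525" bind diagnostic Vinicius explains. The template, the sample request lines and the bind error string come from the thread; the table of other AD data codes is standard Microsoft documentation and is not on the page. The function names are my own.

```python
# Added example (not from the thread or from Squid): what a
# squid_ldap_group-style helper does with one request line from Squid,
# using the -f template from the squid.conf above, and how to read the
# AD bind diagnostic quoted in the thread.
import re

# Filter template copied from the external_acl_type line in the squid.conf
# above; %v is the login name and %a the group name supplied by the ACL.
FILTER_TEMPLATE = (
    "(&(objectclass=person)(sAMAccountName=%v)"
    "(memberof=cn=%a,ou=Internet,dc=autopass))"
)

# RFC 4515 escaping for assertion values inside a search filter; without
# it a login name such as "*)(objectclass=*" changes the filter's meaning
# instead of being matched literally.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(user: str, group: str, template: str = FILTER_TEMPLATE) -> str:
    """Substitute %v and %a with escaped values, as the helper would."""
    return template.replace("%v", escape_filter_value(user)).replace(
        "%a", escape_filter_value(group)
    )


def filters_for_request(line: str) -> list:
    """Squid sends the helper one line per lookup: the login name followed by
    the group names listed on the 'acl ... external ldap_group' line.
    Return one filter per group; an empty list means a malformed request
    (a real helper answers ERR to those)."""
    parts = line.strip().split()
    if len(parts) < 2:
        return []
    user, groups = parts[0], parts[1:]
    return [build_group_filter(user, g) for g in groups]


# The AD bind failure quoted in the thread (constructed as a single line).
# The real reason sits in the 'data' field, not in the generic
# 'Invalid credentials (49)' result code.
SAMPLE_BIND_ERROR = (
    "ldap_bind: Invalid credentials (49) additional info: 80090308: "
    "LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, "
    "data 525, v1772"
)

# Standard AD AcceptSecurityContext data codes; 525 is the one the thread
# hit (the bind DN given with -D did not match an existing object).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def decode_bind_error(diagnostic: str) -> tuple:
    """Return (data code, meaning) from an AD bind diagnostic string."""
    m = _DATA_RE.search(diagnostic)
    if not m:
        return ("", "no AcceptSecurityContext data field present")
    code = m.group(1).lower()
    return (code, AD_BIND_DATA_CODES.get(code, "unrecognised data code"))


if __name__ == "__main__":
    # Lookup for the ldapAcessoPadrao and ldapAcessoTotal ACLs above.
    for f in filters_for_request("rasouza AcessoPadrao AcessoTotal"):
        print(f)
    # A hostile login name is neutralised by the escaping.
    print(build_group_filter("*)(objectclass=*", "AcessoPadrao"))
    print(decode_bind_error(SAMPLE_BIND_ERROR))
```

Running it prints the two filters the rasouza lookups would send, the escaped form of the hostile login name, and ('525', 'user not found'). Two things worth checking against the runs above: the search base given with -b has to exist and contain the user objects, since 'No such object' on a search is the server saying the base itself was not found (compare the OU=Intranet base in the failing run with the OU=Internet used everywhere else); and the DN given with -D has to be the object's real DN, which the ldapsearch output shows as CN=squid,CN=Users,DC=AUTOPASS rather than anything under ou=Internet.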

