2012/5/23 Diersen, Dustyn [DAS] <[email protected]>:
> I have squid running with SquidGuard using Active Directory for LDAP
> authentication. The problem I am seeing is the use of the AD attribute
> sAMAccountName for both userName and computerName. I thought I had a fix by
> adding sAMAccountType to my following squid_ldap_auth helper, but I am still
> seeing numerous computerNames rather than userNames being logged. The REAL
> problem is ACL matching, as I never know what I will be receiving from my
> users and do not wish to include computerName in my userlists. I have tested
> adding a couple of computerNames to the userlist which resolves blocked
> access messages for users with specialized access requirements.
>
> Here is my current LDAP helper string:
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b
> "dc=base,dc=domain,dc=in,dc=our,dc=AD" -s sub -D "BASE\\user" -W
> "/squidGuard/filename" -f
> "(&(&(objectCategory=person)(sAMAccountName=%s)(sAMAccountType=805306368)))"
> -u sAMAccountName -P -v3 -Hldap://domain.com
>
> I have been searching for a solution to this problem for more than a week,
> but have been unable to find one that works in my environment.
>
> -Dustyn

If you're using AD anyhow, then why aren't you using Kerberos (or NTLMv2 [not safe anymore]) authentication? Then you generally get the username, though I think I have also seen computer names in the username field at our site, which I think happens when a system process is trying to access the web, for instance for updates...

Regards,
Eli
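
An added example, not part of the thread and not Squid or SquidGuard code: a Python sketch that fills the filter from the helper line above with RFC 4515 escaping, and separates logged names that look like AD machine accounts (sAMAccountName ending in `$`, sAMAccountType 805306369) from user names before they reach a userlist. The function names and the sample logins are constructed for illustration.

```python
# sAMAccountType values defined by Active Directory
SAM_NORMAL_USER_ACCOUNT = 805306368  # value used in the thread's filter
SAM_MACHINE_ACCOUNT = 805306369      # computer accounts

# Filter template copied from the helper line in the thread (%s = login name)
FILTER_TEMPLATE = ("(&(&(objectCategory=person)(sAMAccountName=%s)"
                   "(sAMAccountType=805306368)))")


def escape_filter_value(value):
    """Escape per RFC 4515 so a login name cannot change the filter structure."""
    special = "\\*()\x00"
    return "".join("\\%02x" % ord(ch) if ch in special else ch for ch in value)


def build_filter(login):
    """Substitute an escaped login name into the thread's filter template."""
    return FILTER_TEMPLATE.replace("%s", escape_filter_value(login))


def bare_account(login):
    """Strip a DOMAIN\\ prefix and an @REALM suffix from a logged name."""
    name = login.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0]


def is_machine_account(login):
    """AD computer accounts have a sAMAccountName that ends in '$'."""
    return bare_account(login).endswith("$")


def split_logins(logins):
    """Return (users, machines) so machine names can be kept out of userlists."""
    users, machines = [], []
    for login in logins:
        (machines if is_machine_account(login) else users).append(login)
    return users, machines


# Constructed sample of names as they might appear in a proxy log
SAMPLE_LOGINS = ["jsmith", "BASE\\WKSTN042$", "wkstn017$@EXAMPLE.LOCAL", "adoe"]

if __name__ == "__main__":
    users, machines = split_logins(SAMPLE_LOGINS)
    print("users:", users)
    print("machine accounts:", machines)
    print(build_filter("j*smith)(cn=*"))
```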
