The more I dig into this problem, the more complex it seems to get. I spent most of the day yesterday working with our AD admin on squid's use of Kerberos authentication. Today we tried something new, we both logged into a server via terminal services. He setup the browser to use our squidGuard proxy, then he gave the go ahead to hit a blacklisted/blocked site while he did the same. Evidently I was quicker because we both saw my username in the "blocked" log.
Can anyone explain to me how my userName was tied to his HTTP GET request according to squid?
-Dustyn
-----Original Message-----
From: Diersen, Dustyn [DAS]
Sent: Thursday, May 24, 2012 9:28 AM
To: 'squid-users_at_squid-cache.org'
Subject: RE: [squid-users] comperterName logged for sAMAccountName
2012/5/23 Diersen, Dustyn [DAS] <DUSTYN.DIERSEN_at_iowa.gov>:
>> I have squid running with SquidGuard using Active Directory for LDAP
>> \ authentication. The problem I am seeing is the use of the AD
>> attribute \ sAMAccountName for both userName and computerName. I
>> thought I had a fix by adding \ sAMAccountType to my following
>> squid_ldap_auth helper, but I am still seeing \ numerous
>> computerNames rather than userNames being logged. The REAL problem is
>> ACL \ matching, as I never know what I will be receiving from my
>> users and do not wish to \ include computerName in my userlists. Â I
>> have tested adding a couple of \ computerNames to the userlist which resolves blocked access messages for users with \ specialized access requirements.
>> Here is my current LDAP helper string:
>> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R
>> -b \ "dc=base,dc=domain,dc=in,dc=our,dc=AD" -s sub -D "BASE\\user" -W
>> \ "/squidGuard/filename" -f \
>> "(&(&(objectCategory=person)(sAMAccountName=%s)(sAMAccountType=805306
>> 368)))" -u \ sAMAccountName -P -v3 -Hldap://domain.com I have been
>> searching for a solution to this problem for more than a week, but
>> have \ been unable to find one that works in my environment.
>> -Dustyn
> If you're using AD anyhow then why aren't you using kerberos (or
> NTLMv2 [not safe anymore]) authentication? Then you generally get the
> username, though I think I also by us seen computer names in the
> username field which I think happens when there is a system process
> trying to access the web for instance for updates....
>
> Regards,
> Eli
Hello Eli,
I do also have Kerberos defined, see below for entries. I need help figuring out where the computerNames are coming from. As I mentioned before, I thought I had eliminated the computerNames by the squid_ldap_auth helper above. I have more than 400 users (and growing) and would like to keep their userNames only in the userlists. When the computerName is logged, the end user ends up using the default ACL which is more restrictive on outbound browsing, resulting in trouble tickets to fix the problem.
auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth
auth_param negotiate children 30
auth_param negotiate keep_alive on
url_rewrite_program /squidGuard/redirector-id.pl url_rewrite_children 8 url_rewrite_concurrency 10 acl AUTH proxy_auth REQUIRED
and here is the rest of my basic auth:
auth_param basic children 15
auth_param basic realm SquidGuard Authentication auth_param basic credentialsttl 8 hours http_access allow localnet http_access allow AUTH
Thank you,
-Dustyn
Received on Fri May 25 2012 - 19:00:34 MDT
This archive was generated by hypermail 2.2.0 : Sat May 26 2012 - 12:00:04 MDT