Ldap – Squidguard + LDAP (Active Directory) not working

ldapsquid

I've been trying to configure a squid with squidguard and MS AD. I've successfuly linked my squid with my AD so far, but now, I want to link my squidguard with the active directory.

I've followed multiple tutorial, but i'm stuck with the same problem : when I launch squid, I have

2013-09-11 16:45:21 [6519] New setting: dbhome: /var/lib/squidguard/db
2013-09-11 16:45:21 [6519] New setting: logdir: /var/log/squid
2013-09-11 16:45:21 [6519] syntax error in configfile /etc/squid3/squidGuard.conf line 4
2013-09-11 16:45:21 [6519] Going into emergency mode

This is the error I get with the squidGuard 1.4 that I compiled with the –with-ldap=yes option.

Here's my squidGuard.conf file :

ldapbinddn CN="Acces AD",OU=Utilisateurs,DC=company,DC=local
ldapbindpass mypassword
ldapcachetime 60

src admin {
 ldapusersearch ldap://192.168.20.1:389/dc=company,dc=local?sAMAccountName?sub?(&(memberof=CN=mygroup%2cOU=Users%2cDC=company%2cDC=local)(sAMAccountName=%s))
}

It seems that my squidGuard build is not compiled with LDAP support, but I did specified the option when I ran the compile script.
I searched pretty much everything I could think of in google, but it did not solve my problem, so I was hoping that I may find some enlightenment here.

EDIT :

I installed the debian squidGuard package, and I have some new things in my squidGuard.log :

2013-09-11 17:44:07 [7003] New setting: ldapcachetime: 60
2013-09-11 17:44:07 [7003] syntax error in configfile /etc/squid3/squidGuard.conf line 9
2013-09-11 17:44:07 [7003] Going into emergency mode
2013-09-11 17:44:07 [7004] New setting: dbhome: /var/lib/squidguard/db
2013-09-11 17:44:07 [7004] New setting: logdir: /var/log/squid
2013-09-11 17:44:07 [7004] New setting: ldapbinddn: CN="Acces AD",OU=Utilisateurs,DC=company,DC=local
2013-09-11 17:44:07 [7004] New setting: ldapbindpass: mypassword
2013-09-11 17:44:07 [7004] New setting: ldapcachetime: 60
2013-09-11 17:44:07 [7004] syntax error in configfile /etc/squid3/squidGuard.conf line 9
2013-09-11 17:44:07 [7004] Going into emergency mode

Best Answer

Not sure if this helps, but generally when i'm using squidGuard, I found that having it search LDAP was relatively slow, and it can already use the authenticated user name directly from Squid itself, I basically just have a text file with the list of users that need special privileges.

e.g.

...
src userGroup1{
    userlist /etc/squid/userGroup1.txt
}
...
acl{
    userGroup1 {
       pass good whitelist graylist !bad !malware any
    }
    default {
       pass good whitelist !bad !malware any
    }
}

Related Solutions

Ldap – SquidGuard and Active Directory groups

Solved.

Assuming the following:

- Domain name: "domain.com"
- Group name: "Internet Users"
- User name: "UserName"
- Path to group: "domain.com\OU1\OU2\Internet Users"

The query for checking if the user is member of that group would be:

(&(memberOf=CN=Group Name,OU=OU2,OU=OU1,DC=domain,DC=com)(SAMAccountName=UserName))

So you would have to add the following to squidGuard.conf to identify the members of that group ("%s" is squidGuard.conf's placeholder for "the client's user name"):

src Internet_Users {
    ldapusersearch  ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet Users,OU=OU2,OU=OU1,DC=domain,DC=com))
}

Caveat: it will not work if written as above, giving you a laconic "syntax error" message; this is because (part of) the statement is treated like a URL, so you have to escape special characters such as commas and whitespaces; the correct form would thus be this one:

src Internet_Users {
    ldapusersearch  ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}

Also, in order to avoid problems with Active Directory referrals (sometimes a DC will just redirect you to another one, even if you are on the same domain it manages), it might be useful to query a global catalog:

src Internet_Users {
    ldapusersearch  ldap://gc.domain.com:3268/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}

Ldap – SquidGuard and Active Directory: how to deal with multiple groups

Solved... partially. I had totally overlooked the fact that you can add another condition to the LDAP query... so it's quite easy to check for membership of more than one group.

Some caveats:

It's still necessary to define a SquidGuard ACL for every possible combination of groups
You need to add at least two other directives to the SquidGuard configuration: ldapbinddn (which defines the username to use to connect to AD, and you have to use the DN of the user object here, not the plain username!) and ldapbindpass, which defines the user's password.
SquidGuard needs to be compiled with LDAP support, which is not compiled in by default.

…but at least the actual groups in AD can be kept to a minimum.

Best Answer

Related Solutions

Ldap – SquidGuard and Active Directory groups

Ldap – SquidGuard and Active Directory: how to deal with multiple groups

Related Topic