I'm having trouble with Squid Kerberos auth and the Squidguard ldapusersearch that I use to apply ACLs by Active Directory groups membership.
The problem is:
- Squid and Squidguard see my user as:
user@domain.local
so the '%s' variable of squidguard is 'user@domain.local'
- In my ldap query there is no default property that can interpret this string.
Example:
src ldap {
ldapusersearch ldap://dc1.domain.local:3268/dc=domain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group,OU=Groups,DC=domain,DC=local))
}
And sAMAccountName should be only 'user' and not 'user@domain.local'!!!
So I found a solution but it's not very comfortable:
I edit an unused attribute of the AD user and write my Kerberos login into it, so my conf looks like this:
src ldap {
ldapusersearch ldap://dc1.domain.local:3268/dc=domain,dc=local?displayNamePrintable?sub?(&(displayNamePrintable=%s)(memberOf=CN=group,OU=Groups,DC=domain,DC=local))
}
And it works!!!
Does anyone have an idea to bypass the need to create a custom attribute in AD that contains it?
And by the way, userPrincipalName is the same as the email and can't interpret the Kerberos login.
Best Answer
I got this to work in my environment by querying LDAP for the userPrincipalName instead of sAMAccountName as my squid also returns user@domain.local from Kerberos/NTLM auth.
Also be sure to use %20 instead of spaces. When I was specifying the bind DN in my conf file, I used quotes, as it had an & in the DN and squidguard was not binding because of it.
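To see why the sAMAccountName filter fails and the userPrincipalName one succeeds, here is an added Python simulation (not code from either post or from squidGuard): it builds the ldapusersearch URL with %20 for spaces, substitutes the Kerberos user into %s with RFC 4515 escaping, and evaluates the resulting (&(attr=value)(memberOf=dn)) filter against a constructed directory. The host and base DN come from the question; the "OU=Domain Groups" name (chosen for its space) and the two user entries are constructed sample data, and the filter evaluation is a minimal stand-in for the LDAP server.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Constructed group DN with a space, to show the %20 encoding the URL needs.
GROUP_DN = "CN=group,OU=Domain Groups,DC=domain,DC=local"

# Constructed sample entries standing in for the AD global catalog (not real data).
AD_USERS = [
    {"sAMAccountName": "user", "userPrincipalName": "user@domain.local",
     "memberOf": [GROUP_DN]},
    {"sAMAccountName": "other", "userPrincipalName": "other@domain.local",
     "memberOf": []},
]

def ldap_filter_escape(value):
    """RFC 4515 escaping of a value inserted into a filter, so whatever squid
    hands over in %s cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def ldap_filter_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def ldapusersearch_url(attr, base="dc=domain,dc=local", group_dn=GROUP_DN):
    """Build the squidGuard ldapusersearch URL: attribute to return, subtree
    scope, and a filter whose %s squidGuard fills with the authenticated user.
    quote() turns the space in the OU into %20, as the answer recommends."""
    filt = "(&(%s=%%s)(memberOf=%s))" % (attr, group_dn)
    return "ldap://dc1.domain.local:3268/%s?%s?sub?%s" % (
        base, attr, quote(filt, safe="=,()&%"))

def simulate_search(url, squid_user, directory=AD_USERS):
    """Do what squidGuard does with the URL: substitute %s with the user squid
    authenticated, then evaluate the (&(attr=value)(memberOf=dn)) filter.
    Returns the matching sAMAccountNames; an empty list means 'not in group'."""
    parts = urlsplit(url)
    attr, _scope, filt = unquote(parts.query).split("?")
    filt = filt.replace("%s", ldap_filter_escape(squid_user))
    m = re.fullmatch(r"\(&\((\w+)=(.*?)\)\(memberOf=(.*)\)\)", filt)
    attr, value, group = m.group(1), ldap_filter_unescape(m.group(2)), m.group(3)
    return [u["sAMAccountName"] for u in directory
            if u.get(attr) == value and group in u["memberOf"]]

if __name__ == "__main__":
    for attr in ("sAMAccountName", "userPrincipalName"):
        print(attr, "->", simulate_search(ldapusersearch_url(attr), "user@domain.local"))
```

With the Kerberos principal user@domain.local, the sAMAccountName variant matches nothing while the userPrincipalName variant returns the user, which is exactly the behaviour the two posts describe.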