Hello, I am having a problem with a new squid+squidguard+AD installation.
The user authenticated on the Windows client PC should be able to query the proxy server, which should see which group he belongs to so as to grant or deny him access to the requested site. For that, here is my squid.conf:
[code]#
# CONFIG FILE FOR SQUIDGUARD
#
# Caution: do NOT use comments inside { }
#
dbhome /var/lib/squidguard/db/blacklists
logdir /var/log/squidguard

# TIME RULES:
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat
time workhours {
    weekly mtwhf 08:00 - 16:30
    date *-*-01 08:00 - 16:30
}

# LDAP authentication configuration
ldapbinddn CN=xxx,OU=CompteAdmin,DC=monAD,DC=LOCAL
# the bind password is stored in clear text: keep this file readable by the squidGuard user only
ldapbindpass motpasseadmin
# LDAP cache configuration
ldapcachetime 300

# SOURCE ADDRESSES:
# LDAP URL layout is base?attrs?scope?filter (RFC 4516): the filter follows a
# single '?' after the scope and its parentheses must balance; squidGuard
# replaces %s with the authenticated user name
src Full_Web {
    ldapusersearch ldap://x.x.x.x:389/cn=Users,dc=monad,dc=local?sAMAccountName?sub?(&(memberof=CN=Full_Web%2cCN=Users%2cDC=sedan%2cDC=local)(sAMAccountName=%s))
}
src Moder_Web {
    ldapusersearch ldap://x.x.x.x:389/cn=Users,dc=monad,dc=local?sAMAccountName?sub?(&(memberof=CN=Moder_Web%2cCN=Users%2cDC=sedan%2cDC=local)(sAMAccountName=%s))
}
src Restrict_Web {
    ldapusersearch ldap://x.x.x.x:389/cn=Users,dc=monad,dc=local?sAMAccountName?sub?(&(memberof=CN=Restrict_Web%2cCN=Users%2cDC=sedan%2cDC=local)(sAMAccountName=%s))
}

# DESTINATION CLASSES:
dest pornographie {
    urllist porn/urls
    domainlist porn/domains
    expressionlist porn/very_restrictive_expression
}
dest drogues {
    urllist drugs/urls
    domainlist drugs/domains
}
dest phishing {
    urllist phishing/urls
    domainlist phishing/domains
}
dest marchands_de_guerre {
    urllist marketingware/urls
    domainlist marketingware/domains
}

# ACL RULES:
# the first src whose LDAP search returns the user wins; a user matched by no
# src falls into "default"
acl {
    Full_Web {
        pass any
    }
    Moder_Web {
        pass !pornographie !drogues !phishing !marchands_de_guerre any
        redirect http://x.x.x.x/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetclass=%t&url=%u
    }
    Restrict_Web {
        pass none
        redirect http://x.x.x.x/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetclass=%t&url=%u
    }
    default {
        pass none
        redirect http://x.x.x.x/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetclass=%t&url=%u
    }
}
[/code]
Currently, authentication against the AD works from the console:
Only it does not work; here is what I get in the logs:
2014-04-07 09:08:03 [5741] DEBUG: sgFindUser called with: stageinfo
2014-04-07 09:08:05 [5739] init expressionlist /var/lib/squidguard/db/blacklists/porn/very_restrictive_expression
2014-04-07 09:08:05 [5739] init urllist /var/lib/squidguard/db/blacklists/drugs/urls
2014-04-07 09:08:05 [5739] init domainlist /var/lib/squidguard/db/blacklists/drugs/domains
2014-04-07 09:08:05 [5739] init urllist /var/lib/squidguard/db/blacklists/phishing/urls
2014-04-07 09:08:05 [5739] init domainlist /var/lib/squidguard/db/blacklists/phishing/domains
2014-04-07 09:08:05 [5739] init urllist /var/lib/squidguard/db/blacklists/marketingware/urls
2014-04-07 09:08:05 [5739] init domainlist /var/lib/squidguard/db/blacklists/marketingware/domains
2014-04-07 09:08:05 [5739] INFO: squidGuard 1.5 started (1396854266.907)
2014-04-07 09:08:05 [5739] INFO: recalculating alarm in 26515 seconds
2014-04-07 09:08:05 [5739] INFO: squidGuard ready for requests (1396854485.644)
2014-04-07 09:08:05 [5739] DEBUG: sgFindUser called with: stageinfo
2014-04-07 09:08:05 [5739] Added LDAP source: stageinfo
2014-04-07 09:08:05 [5739] DEBUG: sgFindUser called with: stageinfo
2014-04-07 09:08:05 [5739] Added LDAP source: stageinfo
2014-04-07 09:08:05 [5739] DEBUG: sgFindUser called with: stageinfo
2014-04-07 09:08:05 [5739] Added LDAP source: stageinfo
2014-04-07 09:08:11 [5739] DEBUG: sgFindUser called with: stageinfo
2014-04-07 09:08:11 [5739] DEBUG: sgFindUser called with: stageinfo
2014-04-07 09:08:11 [5739] DEBUG: sgFindUser called with: stageinfo
2014-04-07 09:09:26 [5739] DEBUG: sgFindUser called with: stageinfo
2014-04-07 09:09:26 [5739] DEBUG: sgFindUser called with: stageinfo
2014-04-07 09:09:26 [5739] DEBUG: sgFindUser called with: stageinfo
2014-04-07 09:24:35 [5739] DEBUG: sgFindUser called with: stageinfo
2014-04-07 09:24:35 [5739] Added LDAP source: stageinfo
2014-04-07 09:24:35 [5739] DEBUG: sgFindUser called with: stageinfo
2014-04-07 09:24:35 [5739] Added LDAP source: stageinfo
2014-04-07 09:24:35 [5739] DEBUG: sgFindUser called with: stageinfo
2014-04-07 09:24:35 [5739] Added LDAP source: stageinfo
Note that the machine is indeed in the AD domain, kinit is OK, and the squid logs do show me the machine name and the user name, but of course it does not let me access the internet. I have been searching for a week and still have not found anything!!
Thanks in advance to all.
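An added example, not from the original post and not part of squidGuard itself: an offline checker for ldapusersearch lines like the ones above. It parses each LDAP URL the way the LDAP client does (base?attrs?scope?filter?extensions), substitutes the %s placeholder with a user name as squidGuard does, and reports the slips that quietly drop every user into the default acl: an empty filter slot (a double "?"), unbalanced parentheses, and a memberof group DN outside the search base's domain. The host and domain names in the sample lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

def parse_ldapusersearch(line):
    """Split one 'ldapusersearch <ldap-url>' line into its RFC 4516 fields."""
    m = re.match(r"\s*ldapusersearch\s+(\S+)", line)
    if not m:
        raise ValueError("not an ldapusersearch line: %r" % line)
    u = urlsplit(m.group(1))
    # After the base DN the URL reads attrs?scope?filter?extensions; pad the
    # list so a missing field is an empty string, as the LDAP client sees it.
    f = u.query.split("?") + [""] * 4
    return {"host": u.netloc, "base": unquote(u.path.lstrip("/")),
            "attrs": f[0], "scope": f[1],
            "filter": unquote(f[2]), "extensions": unquote(f[3])}

def dc_components(dn):
    """Lower-cased dc= values of a DN, i.e. the AD domain it belongs to."""
    rdns = (r.split("=", 1) for r in dn.split(",") if "=" in r)
    return [v.strip().lower() for k, v in rdns if k.strip().lower() == "dc"]

def check_ldapusersearch(line, username):
    """Return the problems found in one line; an empty list means it looks sane."""
    p = parse_ldapusersearch(line)
    problems = []
    filt = p["filter"]
    if not filt:
        problems.append("empty filter slot ('?sub??'): the filter text landed "
                        "in the extensions field, so the search runs unfiltered")
        filt = p["extensions"]  # the text most likely meant as the filter
    if "%s" not in filt:
        problems.append("no %s placeholder: every user gets the same answer")
    filt = filt.replace("%s", username)  # squidGuard substitutes the user here
    if filt.count("(") != filt.count(")"):
        problems.append("unbalanced parentheses in filter %r" % filt)
    for group_dn in re.findall(r"memberof=([^)]+)", filt, flags=re.I):
        if dc_components(group_dn) != dc_components(p["base"]):
            problems.append("memberof group %r is outside the search base %r"
                            % (group_dn, p["base"]))
    return problems

# Constructed sample lines (not the poster's real values): one correct line,
# then the three slips the checker is meant to catch.
_PFX = "ldapusersearch ldap://dc1.example.test:389/cn=Users,dc=example,dc=test?sAMAccountName?sub"
_GRP = "(memberof=CN=Full_Web%2cCN=Users%2cDC=example%2cDC=test)"
SAMPLE_LINES = {
    "ok":           _PFX + "?(&" + _GRP + "(sAMAccountName=%s))",
    "double_qmark": _PFX + "??(&" + _GRP + "(sAMAccountName=%s))",
    "extra_paren":  _PFX + "?((&" + _GRP + "(sAMAccountName=%s))",
    "wrong_domain": _PFX + "?(&" + _GRP.replace("example", "other") + "(sAMAccountName=%s))",
}
```

Run check_ldapusersearch(line, some_user) over each ldapusersearch line of your squidGuard.conf before restarting the redirector; it does not talk to the directory, so an empty result only means the URL is well formed, not that the user is in the group.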