Olá, pessoal! Gostaria da ajuda de vocês, pois estou tendo dificuldades em utilizar o Squid autenticando no AD por grupo via LDAP.
Bom, meu cenário é o seguinte: já consigo autenticar por usuário via LDAP, só que eu preciso autenticar por grupo.
Quando eu executo o squid_ldap_group dentro da pasta /usr/lib/squid/:
./squid_ldap_group -b "dc=iito" -D "cn=squid,cn=Users,dc=iito" -w "123456" -h 10.25.2.4 -f "(&(objectClass=group)(cn=%a))" -F "(&(sAMAccountName=%s)(objectClass=User))" -d -v 3
coloco o usuário (diogo) e o grupo (internet) ao qual ele pertence,
e ele me retorna:
Connected OK
user filter '(&(sAMAccountName=diogo)(objectClass=User))', searchbase 'dc=iito'
group filter '(&(objectClass=group)(cn=internet))', searchbase 'dc=iito'
OK
Caso eu coloque o grupo errado, ele me retorna ERR. Agora, por que o bloqueio de páginas por grupo não funciona?
Meu squid.conf:
############################################
#  Diogo Borges Oliveira                   #
#  diogoborges@hotmail.com.br              #
############################################

########## SQUID BASICS ##########
# Listener, advertised hostname, the resolver Squid itself uses,
# and the pid / unlink helper paths.
http_port 3128
visible_hostname Squid
dns_nameservers 10.25.2.4
pid_filename /var/run/squid.pid
unlinkd_program /usr/lib/squid/unlinkd
########## CACHE ##########
# Dynamic content (cgi-bin / query strings) is never cached and never
# requested from peers.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hierarchy_stoplist cgi-bin ?

# Drop privileges to the proxy user/group after start-up.
cache_effective_user proxy
cache_effective_group proxy

# Memory cache size and the largest object kept in RAM.
cache_mem 256 mb
maximum_object_size_in_memory 128 kb

# Object size window and replacement policies; these are declared
# before the cache_dir lines so every store picks them up.
minimum_object_size 0 kb
maximum_object_size 64 mb
cache_replacement_policy lru
memory_replacement_policy lru

# Disk cache: five ufs stores of 2000 MB (16 x 256 directories each).
# Eviction begins when a store reaches 90% and is aggressive at 95%.
cache_dir ufs /var/cache/squid/squid1 2000 16 256
cache_dir ufs /var/cache/squid/squid2 2000 16 256
cache_dir ufs /var/cache/squid/squid3 2000 16 256
cache_dir ufs /var/cache/squid/squid4 2000 16 256
cache_dir ufs /var/cache/squid/squid5 2000 16 256
cache_swap_low 90
cache_swap_high 95

# Internal DNS caches (forward and reverse).
ipcache_size 3072
ipcache_low 90
ipcache_high 93
fqdncache_size 2048
########## LOGS ##########
# Daemon log and per-request access log; the store log is disabled.
cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log
cache_store_log none
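########## AD AUTHENTICATION ##########
# Basic auth against Active Directory: the helper binds with the service
# account (-D/-w), searches under dc=iito and looks the login up by
# sAMAccountName (-f). Credentials are cached for 30 minutes.
# NOTE(review): the bind password is stored in clear text here and passed on
# the helper command line, where it is visible in the process list. Both LDAP
# helpers accept -W <file> to read the password from a file readable only by
# the cache_effective_user; until that is done this file must not be
# world-readable.
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=iito" -D "cn=squid,cn=Users,dc=iito" -w "123456" -f sAMAccountName=%s -h 10.25.2.4
auth_param basic realm Este acesso sera registrado Digite sua chave e senha
auth_param basic children 5
auth_param basic credentialsttl 30 minutes

# Group membership helper behind the "acl ... external ldap_group <group>"
# entries further down. %LOGIN hands the authenticated login to the helper;
# -F resolves it (%s) to the user's DN, which the group filter receives as %v.
# Fix: the previous group filter, (&(objectClass=group)(cn=%a)), only checked
# that a group named %a exists and never tested membership, so it answered OK
# for any authenticated user and any existing group (the manual test above
# returns OK for "internet" and ERR only for a group name that presumably does
# not exist). (member=%v) limits the match to groups the user's DN is a direct
# member of; nested groups are not resolved by this filter.
# -d enables helper debug output and -v3 selects LDAP protocol version 3;
# drop -d once the lookups are confirmed working.
external_acl_type ldap_group children=30 %LOGIN /usr/lib/squid/squid_ldap_group -b "dc=iito" -D "cn=squid,cn=Users,dc=iito" -w "123456" -h 10.25.2.4 -f "(&(objectClass=group)(cn=%a)(member=%v))" -F "(&(sAMAccountName=%s)(objectClass=User))" -d -v3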
########## CACHE REFRESH RULES ##########
# refresh_pattern rules are tried in order and the first match wins:
# fields are minimum age (minutes), percentage of the object's age, and
# maximum age (minutes).
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
# NOTE(review): this catch-all matches every remaining URL, so the
# Windows Update / antivirus refresh_pattern rules declared later in this
# file are never reached; they would need to be moved above this line.
refresh_pattern . 0 20% 4320
########## DEFAULT ACLs ##########
# NOTE(review): "src 0" is not the usual spelling of "every client"
# (0.0.0.0/0.0.0.0, or "all" on newer Squid releases); confirm that it
# really matches everything, otherwise the closing "http_access deny all"
# denies nothing.
acl all src 0
# The LAN this proxy serves.
acl rede src 10.25.2.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# True only when the client presents valid proxy credentials
# (the same acl is declared a second time in the access-list section).
acl autentica proxy_auth REQUIRED
# Cache manager only from localhost; refuse unexpected ports and CONNECT
# to anything but the SSL ports. These run before any group-based rule.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
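########## UPDATE CACHING ##########
# Keep Windows Update / Microsoft / Avira / Avast payloads for a long time so
# one download serves the whole LAN; reload-into-ims turns client reloads into
# If-Modified-Since revalidation instead of a full refetch.
# Fix: the www.microsoft.com rule had been broken across two lines (a bare
# "refresh_pattern" followed by its pattern on the next line), and the dot
# before the extension list is now escaped so it matches a literal "." rather
# than any character, consistent with the avast rule.
# NOTE(review): the catch-all "refresh_pattern . 0 20% 4320" declared earlier
# in this file matches first, so none of these rules take effect until they
# are moved above it.
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern msgruser.dlservice.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern windowsupdate.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern www.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims
refresh_pattern avast.com/.*\.(def|vpu|vpaa|stamp|cgi) 43200 100% 43200 override-lastmod reload-into-ims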
########## NO CACHE ##########
# Brazilian government domains (.gov.br) are fetched directly from the
# origin and never stored.
acl nocache dstdomain .gov.br
always_direct allow nocache
no_cache deny nocache
########## ACCESS LISTS ##########
# Credentials required (same acl as in the default section).
acl autentica proxy_auth REQUIRED

# Block / allow lists kept as files under /etc/squid/regras.
acl bloqueio_dominio dstdomain "/etc/squid/regras/bloqueado_dominio.txt"
acl bloqueio_palavra url_regex -i "/etc/squid/regras/bloqueado_palavra.txt"
acl blockpropagandas dstdom_regex -i "/etc/squid/regras/blockpropagandas.txt"
acl dominios_permitido dstdomain "/etc/squid/regras/dominios_permitido.txt"

# Antivirus update domain and the support-desk workstations
# (ips_atendimento is declared but not referenced by any rule shown here).
acl avast dstdomain .avast.com
acl ips_atendimento src 10.25.2.58 10.25.2.59 10.25.2.60 10.25.2.61 10.25.2.65
#=============== ACTIVE DIRECTORY ACLs =======================
# Each acl is true when the ldap_group helper reports the logged-in user
# as a member of the named AD group.
acl ldapAcessoPadrao external ldap_group AcessoPadrao
acl ldapAcessoTotal external ldap_group AcessoTotal
acl ldapAcessoDownload external ldap_group AcessoDownload
acl ldapinternet external ldap_group internet
#### TEST ####
# NOTE(review): these two rules run before every block list and every allow
# rule further down. "internet" members get unfiltered access here, and
# "AcessoPadrao" members are denied outright, so the later
# "http_access allow ldapAcessoPadrao" never applies to them. Worse, with the
# group filter as configured in external_acl_type (it checks that the group
# exists but not that the user belongs to it), ldapinternet matches every
# authenticated user, which would explain why no group-based block applies.
# These look like leftover test lines; confirm before keeping them.
http_access allow ldapinternet
http_access deny ldapAcessoPadrao
########## MAXIMUM DOWNLOAD SIZE (25 MB) ##########
# Reply size cap for everyone except the AcessoTotal / AcessoDownload groups.
# NOTE(review): 25971520 bytes is neither 25 MB (25000000) nor 25 MiB
# (26214400); confirm the intended limit. The group acls here depend on the
# ldap_group helper actually checking membership.
reply_body_max_size 25971520 deny all !ldapAcessoTotal !ldapAcessoDownload
########## BLOCKED EXTENSIONS ##########
# URL patterns (file extensions) from the list file are refused for
# everyone except the two download groups.
acl extencoes url_regex -i "/etc/squid/regras/extencoes.txt"
http_access deny extencoes !ldapAcessoTotal !ldapAcessoDownload
########## GRANTING ACCESS ##########
# Evaluated top to bottom after the rules above: AcessoTotal members bypass
# every list; everyone else may reach the antivirus and whitelisted domains,
# then the ad / keyword / domain block lists apply, and finally
# AcessoPadrao members are allowed whatever is left.
http_access allow ldapAcessoTotal
http_access allow avast
http_access allow dominios_permitido
http_access deny blockpropagandas
http_access deny bloqueio_palavra
http_access deny bloqueio_dominio
http_access allow ldapAcessoPadrao
########## MISC ##########
# Portuguese error pages; detect dropped persistent connections and
# fetch pipelined requests ahead of time.
error_directory /usr/share/squid/errors/Portuguese
pipeline_prefetch on
detect_broken_pconn on
########## FINAL RULES ##########
# NOTE(review): "allow autentica" grants any valid AD account everything that
# survived the rules above, regardless of group, and "allow rede" admits LAN
# clients with no credentials at all in whatever cases the proxy_auth acl does
# not trigger a challenge. Both are broader grants than the group rules above
# suggest; confirm they are intended. Reply and ICP access are LAN-only.
http_access allow autentica
http_access allow rede
http_access deny all
http_reply_access allow rede
icp_access allow rede