AEW..
I managed to run ldapsearch.

ldapsearch -b "CN=squid,CN=Users,DC=AUTOPASS" -D "CN=squid,CN=Users,DC=AUTOPASS" -w "mypass" -h 192.168.9.12:389

# extended LDIF
#
# LDAPv3
# base <CN=squid,CN=Users,DC=AUTOPASS> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# squid, Users, AUTOPASS
dn: CN=squid,CN=Users,DC=AUTOPASS
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: squid
givenName: squid
distinguishedName: CN=squid,CN=Users,DC=AUTOPASS
instanceType: 4
whenCreated: 20091218183503.0Z
whenChanged: 20091218183835.0Z
displayName: squid
uSNCreated: 270480
uSNChanged: 270501
name: squid
objectGUID:: 4XXzOkIREUqcOnLRQJHBNA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129056349038798893
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAq/a0vxuVjyQhgb1QKwUAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: squid
sAMAccountType: 805306368
userPrincipalName: sq...@autopass
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AUTOPASS
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129056351153699501

It's just that squid_ldap_auth and the group one still return nothing. Any suggestions?

2009/12/18 Alessandro de Souza Rocha <etherlin...@gmail.com>:
> This line is not wrong.
> # The lines below concern user authentication against AD
> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389 (this is the port)
>
>
> 2009/12/18 Ricardo Souza <ricardo.so...@ti.cmtsp.com.br>:
>> Now it isn't giving an error, but it's denying me everything.
>>
>> Since I can't run squid_ldap_auth to debug it, it's hard.
>>
>> My squid.conf:
>> http_port 192.168.9.10:3128
>> icp_port 3130
>> hierarchy_stoplist cgi-bin ?
>> #acl QUERY urlpath_regex cgi-bin ?
>> #no_cache deny QUERY
>> cache_mem 1500 MB
>> cache_swap_low 90
>> cache_swap_high 95
>> maximum_object_size 9216 KB
>> ipcache_size 1024
>> ipcache_low 90
>> ipcache_high 95
>> fqdncache_size 1024
>> cache_replacement_policy lru
>> memory_replacement_policy lru
>> cache_dir ufs /usr/local/squid/cache 2500 16 100
>> cache_access_log /usr/local/squid/logs/access.log
>> cache_store_log none
>>
>> # The lines below concern user authentication against AD
>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "squid123qwe" -h 192.168.9.12:389
>> #/usr/local/libexec/squid/squid_ldap_auth -R -b "dc=autopass" -D "dc=autopass,cn=sq...@autopass" -w "squid123qwe" -f "sAMAccountName=%s" -h 192.168.9.12
>>
>> auth_param basic realm Este acesso será registrado Digite sua login e senha
>> auth_param basic children 5
>> auth_param basic credentialsttl 15 minutes
>>
>> emulate_httpd_log on
>> mime_table /usr/local/etc/squid/mime.conf
>> pid_filename /usr/local/squid/logs/squid.pid
>> ftp_user f...@autopass.com.br
>> ftp_passive on
>> #unlinkd_program /usr/local/squid/libexec/unlinkd
>>
>> # External ACL for authentication against the PDC's LDAP bases
>> external_acl_type ldap_group %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=autopass" -D "cn=autopass\squid,dc=autopass" -w "squid123qwe" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,dc=autopass))" -h 192.168.9.12:389
>>
>>
>> #acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl SSL_ports port 443 563 9141
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 81
>> acl Safe_ports port 82
>> acl Safe_ports port 85
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 563 # https, snews
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> # The acl below blocks access by IP
>> #acl block_ip src "/usr/local/squid/etc/ips_bloqueados"
>>
>> # The ACL below blocks MSN
>> #acl dst_msn dstdomain -i "/usr/local/squid/etc/msn_domain"
>>
>> # The ACL below blocks downloads of files with the extensions exe mp3 wma wmv mpg avi asf
>> acl block_arq urlpath_regex -i .com$ .exe$ .scr$ .mp3$ .mpeg$ .wma$ .wmv$ .mpg$ .avi$ .pif$
>>
>> #acl palavra_download url_regex -i "/usr/local/squid/etc/palavra_download-url"
>>
>> # The ACLs below relax content control from 12:00 to 13:30
>> # Put the sites to be allowed from 12 to 13 in the file /usr/local/squid/etc/libera_almoco
>> #acl libera_sites url_regex -i "/usr/local/squid/etc/libera_almoco" #sites from "libera_almoco"
>> #acl almoco time SMTWHFA 12:00-13:30
>> #allows access from 12 to 13:30 #Monday through Sunday.
>>
>> # The ACL below allows some sites to be accessed without authentication, such as banks, government and Abrapetite
>> acl libera_restritos dstdomain -i "/usr/local/squid/sites_liberados" # Allows some sites for users without access
>>
>> # Content Control ACLs
>> #acl dominio_bloqueado dstdomain -i "/usr/local/squid/etc/block_dominio"
>> #acl dominio_liberado dstdomain -i "/usr/local/squid/etc/libera_dominio"
>> #acl sex url_regex -i "/usr/local/squid/etc/porno"
>> #acl nosex url_regex -i "/usr/local/squid/etc/naoporno"
>> # ACLs_ACTIVE_DIRECTORY
>> acl ldapAcessoRestrito external ldap_group AcessoRestrito # Restricted access group
>> acl ldapAcessoPadrao external ldap_group AcessoPadrao # Standard internet access
>> acl ldapAcessoTotal external ldap_group AcessoTotal # Full internet access
>> acl ldapAcessoDownload external ldap_group AcessoDownload # Allows download of files with blocked extensions.
>>
>> # The ACL below unblocks downloads for the AcessoPadrao group
>> #acl download_url url_regex "/usr/local/squid/etc/libera_download-url"
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> #http_access deny block_ip
>>
>> http_access allow libera_restritos
>> http_access deny ldapAcessoRestrito
>> http_access allow ldapAcessoTotal
>> #http_access deny dst_msn
>> #http_access allow dominio_liberado
>> #http_access allow libera_sites almoco
>> #http_access deny dominio_bloqueado
>> #http_access allow ldapAcessoDownload block_arq
>> #http_access allow ldapAcessoDownload palavra_download
>> #http_access allow download_url
>> #http_access deny block_arq
>> #http_access allow nosex
>> #http_access deny sex
>> http_access allow ldapAcessoPadrao
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny all
>> icp_access allow all
>> cache_effective_user squid
>> cache_effective_group squid
>> visible_hostname proxy.reboucas.autopass.com.br
>> unique_hostname proxy.reboucas.autopass.com.br
>> append_domain .autopass.com.br
>> acl local-servers dstdomain autopass.com.br
>> acl local-serverspr dstdomain cmtsp.com.br
>> always_direct allow local-servers
>> always_direct allow local-serverspr
>> #error_directory /usr/local/squid/share/errors/Portuguese
>>
>>
>> access.log:
>> 92.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>> 192.168.9.173 - rasouza [18/Dec/2009:15:33:31 -0200] "GET http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
>>
>>
>> 2009/12/18 Vinicius Abrahao <vinnix....@gmail.com>
>>
>>> 2009/12/18 Ricardo Souza <ricardo.so...@ti.cmtsp.com.br>:
>>> > I can't use this one either.
>>> >
>>> > ldap_bind: Invalid credentials (49)
>>> > additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
>>> > caos#
>>> >
>>>
>>> According to what IBM tells us, 525 is "user not found":
>>> http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
>>>
>>> Try to confirm that your LDAP tree really looks like this:
>>> "cn=squid,ou=users,dc=autopass"
>>>
>>> The ldifde program can help you with that:
>>> http://www.computerperformance.co.uk/Logon/Logon_LDIFDE_Export.htm
>>>
>>>
>>> Regards,
>>> Vinicius
>>> -------------------------
>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>>>
>
> --
> Alessandro de Souza Rocha
> Network and Systems Administrator
> FreeBSD-BR User #117
> Long live FreeBSD
>
> Powered by ....
>
> (__)
> \\\'',)
> \/ \ ^
> .\._/_)
>
> www.FreeBSD.org
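Added example, not code from the thread or from Squid's own helpers: a small Python script that decodes the LDIF entry ldapsearch returned above so the state of the bind account can be checked offline (userAccountControl flags, the objectSid, the pwdLastSet FILETIME) and that a squid.conf -D value names the same DN ldapsearch bound with. The LDIF excerpt is copied from the thread's ldapsearch output; the flag names are the documented userAccountControl bit values.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone
# LDIF excerpt copied from the ldapsearch output in the thread above.
LDIF = """\
dn: CN=squid,CN=Users,DC=AUTOPASS
userAccountControl: 66048
objectSid:: AQUAAAAAAAUVAAAAq/a0vxuVjyQhgb1QKwUAAA==
pwdLastSet: 129056349038798893
sAMAccountName: squid
"""
# Documented userAccountControl bits relevant when a service account fails to bind.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x800000: "PASSWORD_EXPIRED"}

def parse_ldif(text):
    """One LDIF entry -> {attr: value}; 'attr::' marks base64, decoded to bytes."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            entry[name] = base64.b64decode(value[1:].strip())
        else:
            entry[name] = value.strip()
    return entry

def decode_sid(raw):
    """Binary SID -> 'S-R-A-...': revision, count, 48-bit big-endian authority, LE sub-authorities (last = RID)."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def uac_flags(value):
    """Names of the UAC_FLAGS bits set in an integer userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around RDN separators, for comparison only."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def bind_dn_matches(config_dn, ldif_dn):
    """True when a squid.conf -D value names the same object ldapsearch returned."""
    return normalize_dn(config_dn) == normalize_dn(ldif_dn)
```

With the thread's values the flags decode to NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD (the account is enabled), pwdLastSet decodes to 2009-12-18 18:35:03 UTC (the same instant as whenCreated), and the -D value "cn=autopass\squid,DC=autopass" from squid.conf does not match the DN "CN=squid,CN=Users,DC=AUTOPASS" that ldapsearch bound with.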