squid != squidguard afaik.
That said in your previous mail you write that you also have kerberos
configured but you aren't showing all of your auth_param
configuration.
As far as I understood things in the past squid replies to the user
with http/407 - proxy auth required at which point the user resends
the request with the appropriate headers, in the case of basic auth a
unencrypted user/pass pair, in the case of ntlm/kerberos the relevant
stuff for their auth and then squid sticks the username it gets out of
those requests in the log.
Either way if you were both doing something at the same time you
should see 2 block messages in your access.log....
HTH,
Eli
2012/5/25 Diersen, Dustyn [DAS] <DUSTYN.DIERSEN_at_iowa.gov>:
> The more I dig into this problem, the more complex it seems to get. I spent most of the day yesterday working with our AD admin on squid's use of Kerberos authentication. Today we tried something new, we both logged into a server via terminal services. He setup the browser to use our squidGuard proxy, then he gave the go ahead to hit a blacklisted/blocked site while he did the same. Evidently I was quicker because we both saw my username in the "blocked" log.
>
> Can anyone explain to me how my userName was tied to his HTTP GET request according to squid?
>
> -Dustyn
>
> -----Original Message-----
> From: Diersen, Dustyn [DAS]
> Sent: Thursday, May 24, 2012 9:28 AM
> To: 'squid-users_at_squid-cache.org'
> Subject: RE: [squid-users] comperterName logged for sAMAccountName
>
> 2012/5/23 Diersen, Dustyn [DAS] <DUSTYN.DIERSEN_at_iowa.gov>:
>>> I have squid running with SquidGuard using Active Directory for LDAP
>>> \ authentication. The problem I am seeing is the use of the AD
>>> attribute \ sAMAccountName for both userName and computerName. I
>>> thought I had a fix by adding \ sAMAccountType to my following
>>> squid_ldap_auth helper, but I am still seeing \ numerous
>>> computerNames rather than userNames being logged. The REAL problem is
>>> ACL \ matching, as I never know what I will be receiving from my
>>> users and do not wish to \ include computerName in my userlists. Â I
>>> have tested adding a couple of \ computerNames to the userlist which resolves blocked access messages for users with \ specialized access requirements.
>>> Here is my current LDAP helper string:
>>> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R
>>> -b \ "dc=base,dc=domain,dc=in,dc=our,dc=AD" -s sub -D "BASE\\user" -W
>>> \ "/squidGuard/filename" -f \
>>> "(&(&(objectCategory=person)(sAMAccountName=%s)(sAMAccountType=805306
>>> 368)))" -u \ sAMAccountName -P -v3 -Hldap://domain.com I have been
>>> searching for a solution to this problem for more than a week, but
>>> have \ been unable to find one that works in my environment.
>>> -Dustyn
>
>> If you're using AD anyhow then why aren't you using kerberos (or
>> NTLMv2 [not safe anymore]) authentication? Then you generally get the
>> username, though I think I also by us seen computer names in the
>> username field which I think happens when there is a system process
>> trying to access the web for instance for updates....
>>
>> Regards,
>> Eli
>
> Hello Eli,
> I do also have Kerberos defined, see below for entries. I need help figuring out where the computerNames are coming from. As I mentioned before, I thought I had eliminated the computerNames by the squid_ldap_auth helper above. I have more than 400 users (and growing) and would like to keep their userNames only in the userlists. When the computerName is logged, the end user ends up using the default ACL which is more restrictive on outbound browsing, resulting in trouble tickets to fix the problem.
>
> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth
> auth_param negotiate children 30
> auth_param negotiate keep_alive on
> url_rewrite_program /squidGuard/redirector-id.pl url_rewrite_children 8 url_rewrite_concurrency 10 acl AUTH proxy_auth REQUIRED
>
> and here is the rest of my basic auth:
> auth_param basic children 15
> auth_param basic realm SquidGuard Authentication auth_param basic credentialsttl 8 hours http_access allow localnet http_access allow AUTH
>
> Thank you,
> -Dustyn
Received on Mon Jun 18 2012 - 09:01:48 MDT
This archive was generated by hypermail 2.2.0 : Mon Jun 18 2012 - 12:00:02 MDT