Topic: Max number of users in proxy filter groups?

astana

  • Zen Warrior
Max number of users in proxy filter groups?
« on: February 15, 2013, 06:50:16 am »
I'm using Zentyal 3 server as an AD and proxy/filtering (non transparent proxy) in a school environment.
I've set up different profiles for the different groups in the school (students/teachers/admin/IT) which was working perfectly with only a few users added.
However once all the students were added and the domain was rolled out to the entire school I found some students were denied all access to the internet.
As a temporary measure I changed the filtering to route all users through the student filter.

All users were verified as being in the correct group.
I am assuming that there were too many users in a group and the user list was being truncated (all student users are identified with the same preceding letters and a number ID), thus some users not appearing to be in a group and therefore not being allowed access.

So far I've not managed to find in the documentation any reference to maximum numbers, and I am not sure if Zentyal generates the ACL of the users in a group, or if squid understands the groups.

I'd be interested if anyone else has seen something similar or can enlighten me about this.

When I'm next at work I'm going to create sub-groups for the students (10 or so students in each group) as a workaround. This isn't ideal as each group will need the same web sites white/black listed.

I don't have exact numbers of students, but it's around 100ish.

Thanks for any replies.

christian

  • Guest
Re: Max number of users in proxy filter groups?
« Reply #1 on: February 15, 2013, 09:10:53 am »
All users were verified as being in the correct group.
I am assuming that there were too many users in a group and the user list was being truncated (all student users are identified with the same preceding letters and a number ID), thus some users not appearing to be in a group and therefore not being allowed access.

I have to admit that I don't understand this sentence  :-[
Could you please rephrase it for a non-native English speaker?  ;D ;D

From an LDAP standpoint, there is no limitation (I mean in terms of number of users per group); however, one can still execute ldapsearch restricting the number of "returned" entries.
Perhaps it's worth increasing the LDAP log level and having a look?

astana

  • Zen Warrior
Re: Max number of users in proxy filter groups?
« Reply #2 on: February 15, 2013, 12:19:28 pm »
All users were verified as being in the correct group.
I am assuming that there were too many users in a group and the user list was being truncated (all student users are identified with the same preceding letters and a number ID), thus some users not appearing to be in a group and therefore not being allowed access.

I have to admit that I don't understand this sentence  :-[
Could you please rephrase it for a non-native English speaker?  ;D ;D

From an LDAP standpoint, there is no limitation (I mean in terms of number of users per group); however, one can still execute ldapsearch restricting the number of "returned" entries.
Perhaps it's worth increasing the LDAP log level and having a look?

Sorry for being obscure, I'm not in front of the server, and might be confusing terms  :-\

The problem isn't with LDAP, all the users are accounted for and present. They can log onto the domain correctly.

The problem lies with the authentication with the proxy server (non-transparent).

The symptom of the problem was some users in one user group getting no access to the internet, even though their group did have access.

So my theory (pure speculation based on lots of experience in programming/computers in general, and little in squid/kerberos) was that Zentyal was generating an ACL of all the users in a group that then gets processed by squid.

I couldn't really run too many tests as the students needed access to the internet.

So really the question(s) could be formed as: Does Zentyal generate a list of all users in a group that then gets passed to squid, or does squid understand user groups?
Does squid have a limit on the number of characters in an ACL?

Thanks for the reply btw :D

christian

  • Guest
Re: Max number of users in proxy filter groups?
« Reply #3 on: February 15, 2013, 12:39:28 pm »
Squid definitely understands LDAP and LDAP group membership and this should not come with any limitation in terms of members (I did it some years ago with groups containing thousands of members).

This said, Zentyal's implementation stacks Squid and Dansguardian, with which I'm less comfortable.
What would be interesting is a better view of "how these students are denied access to the internet".
- What is the "error" or rather blocking message?
- Are you using Kerberos authentication?
- Did you try to authenticate users but not apply any filtering policy (other than requiring authentication)?

astana

  • Zen Warrior
Re: Max number of users in proxy filter groups?
« Reply #4 on: February 15, 2013, 01:26:27 pm »
Squid definitely understands LDAP and LDAP group membership and this should not come with any limitation in terms of members (I did it some years ago with groups containing thousands of members).

This said, Zentyal's implementation stacks Squid and Dansguardian, with which I'm less comfortable.
What would be interesting is a better view of "how these students are denied access to the internet".
- What is the "error" or rather blocking message?
  Answer: No error, it was blocking; (from memory) the message was access denied, the same error as if the user was in a group without any rule and specific group rules were created.
- Are you using Kerberos authentication?
  Answer: Yes
- Did you try to authenticate users but not apply any filtering policy (other than requiring authentication)?
  Answer: This is sort of how it is now, except I need to apply filtering (live school environment).

Answers in red (shown here inline after each question).

Before the change (in a simple form) I had 2 filter properties, Teachers and Students.
I also had 2 filter groups, sending Teachers to the Teacher property and Student to the student property.
The way the configuration works it seems that once this is set up you cannot have a 'catch all' group with everyone in, so if for example I only had those 2 groups but a person from the 'admin' group tried to access the internet they would be denied.
What I was seeing is certain students were being denied as if they didn't belong to the student group.

I need to have a filtering rule in place, otherwise the school would have unfettered internet access, something I'm not really allowed to do.

Also, another interesting part of the story. Before seeing lots of students unable to access the internet I had one student visit me saying his internet was not working. After verifying *everything*, recreating his account, changing his group to teacher (none of it worked), I created a new user for him, except instead of using the standard student username (3 letters then 5 digit number) I created it with firstname-lastname. Very strangely this worked correctly...

Hope this helps explain!
« Last Edit: February 15, 2013, 01:29:57 pm by astana »

christian

  • Guest
Re: Max number of users in proxy filter groups?
« Reply #5 on: February 15, 2013, 03:00:25 pm »
You are perhaps pointing at something interesting... but I can't help that much with this as my 3.0 platform is currently not running.

Zentyal group membership is based on groupuid and not groupofuniquename, which means that members are identified within groups using their [uid] and not their [DN]. RDN in (Zentyal) LDAP is [uid]. Correlated to this, because of an AD constraint, RDN in Samba LDAP is [CN].
I don't really know how synchronization between these 2 LDAP servers works, but I suppose UID from Zentyal LDAP synchronizes with CN in Samba LDAP. What about [sAMAccountName], and which one is used by Kerberos... (BTW, which Kerberos, as 2 Kerberos servers exist in parallel?)

Because of this unclear understanding, I can't help but would definitely like to investigate this further.
You are perhaps on the right track. I'll have a look in case I restart my 3.0 platform.

astana

  • Zen Warrior
Re: Max number of users in proxy filter groups?
« Reply #6 on: February 15, 2013, 03:37:30 pm »
You are perhaps pointing at something interesting... but I can't help that much with this as my 3.0 platform is currently not running.

Zentyal group membership is based on groupuid and not groupofuniquename, which means that members are identified within groups using their [uid] and not their [DN]. RDN in (Zentyal) LDAP is [uid]. Correlated to this, because of an AD constraint, RDN in Samba LDAP is [CN].
I don't really know how synchronization between these 2 LDAP servers works, but I suppose UID from Zentyal LDAP synchronizes with CN in Samba LDAP. What about [sAMAccountName], and which one is used by Kerberos... (BTW, which Kerberos, as 2 Kerberos servers exist in parallel?)

Because of this unclear understanding, I can't help but would definitely like to investigate this further.
You are perhaps on the right track. I'll have a look in case I restart my 3.0 platform.

Not quite sure what all the abbreviations are, but I'm assuming [DN] is Display Name, which I take to be the username that one would log on with.

It seems you're saying there are 2 LDAP/Kerberos services running on a standard Zentyal 3 Server install, and they sync the relevant information between themselves using different data fields representing the user (UID->User Name)?

So that path would be host pc->http request->squid->Kerberos authentication (Which Kerberos?)->DansGuardian with a failure at the authentication phase.

Thanks again for your time replying.

christian

  • Guest
Re: Max number of users in proxy filter groups?
« Reply #7 on: February 15, 2013, 03:42:58 pm »
Sorry for this acronym. I do not pay enough attention when using it.
DN stands for distinguished name. This is how LDAP uniquely identifies entries, using the DIT (Directory Information Tree) and RDN (Relative Distinguished Name) so that each entry is unique within the branch it's attached to.

For what concerns path and links between Squid, Kerberos(s) and LDAP(s), I can't comment and don't want to perform any reverse engineering. I hope Zentyal will some time issue useful documentation  ;)

astana

  • Zen Warrior
Re: Max number of users in proxy filter groups?
« Reply #8 on: February 19, 2013, 09:31:07 am »
Now that I'm at work I've had a quick peek at the logs and I'm quite surprised by what I see; it may be normal or it might point to more useful information.

I looked for "denied" in the HTTP proxy log under Zentyal Logs (I did check the raw log files; they're not so easy to decipher).
here's one example:
2013-02-12 14:34:03 192.168.1.131 ABC20873@ABC-ASTANA.LAN http://www.google.com/favicon.ico google.com 23370 text/html   Denied

Some names renamed for privacy purposes.

So here the user is recognised but denied (there were no rules to deny google.com).

But looking at the ones that were accepted, there is no user listed, even though tests have shown that unknown users were blocked from access!

Even the most recent logs show either no user or show the local IP address, but access is permitted.

If you have any outputs or configuration requests, please let me know. I'll be able to post them on Thursday.


Javier Amor Garcia

  • Zentyal Staff
  • Zen Hero
Re: Max number of users in proxy filter groups?
« Reply #9 on: February 19, 2013, 06:02:43 pm »
Hello Astana,

How many users do you have in the group?

Also, which kind of policy is applied: allow, deny or filter?

astana

  • Zen Warrior
Re: Max number of users in proxy filter groups?
« Reply #10 on: February 20, 2013, 01:47:36 am »
Hello Astana,

How many users do you have in the group?

Also, which kind of policy is applied: allow, deny or filter?

There are 4 user groups at the moment (approx. numbers in brackets):
Admin (5), IT (2), Teachers (30) and Students (100).

Originally I had filters for each group, all were filter but with different permissiveness levels set.
Setup was fine until I saw students getting access denied for an unknown reason, so reduced policy to everyone->student.

Log output was from the time different policies were in place.
« Last Edit: February 20, 2013, 01:54:11 am by astana »

Javier Amor Garcia

  • Zentyal Staff
  • Zen Hero
Re: Max number of users in proxy filter groups?
« Reply #11 on: February 20, 2013, 04:08:31 pm »
I just checked with a group with 200 users without problems.

- Have you experienced the issue yourself?
- If not, you know which user names were affected. In that case please note them down. We can check with a small group containing only those user names.
- Finally, do you know which browser the denied users used?

astana

  • Zen Warrior
Re: Max number of users in proxy filter groups?
« Reply #12 on: February 20, 2013, 04:26:20 pm »
I'm not quite sure what you mean by experienced the issue myself, so will reply to possible interpretations.
My account was not affected (as domain admin and in the IT group).
I saw the student accounts affected first hand.
I tried to resolve one student account (as detailed in an earlier post) and the only solution was to use their name rather than the code that all students are using.
We use 3 different browsers, Frontmotion build of FireFox, Chrome and IE. All browsers were being denied access.
I don't have access to all the blocked names, but will post that tomorrow when I am at work.
I would prefer not to list the first 3 letters for privacy reasons, but can PM them to you so you can complete the names.

Javier Amor Garcia

  • Zentyal Staff
  • Zen Hero
Re: Max number of users in proxy filter groups?
« Reply #13 on: February 20, 2013, 05:08:02 pm »
Yes, by first hand I meant whether you have seen it yourself.

As for the user names, I am looking for some uncommon character, length or something that could cause trouble.

astana

  • Zen Warrior
Re: Max number of users in proxy filter groups?
« Reply #14 on: February 20, 2013, 06:04:32 pm »
Usernames are 3 letters followed by a 5 digit number, e.g. ABC20043; there are around 100 of them. I'll post more details when I have them.
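As an added diagnostic example (not from the thread, and not Zentyal's own code), the script below parses proxy log lines in the format astana pasted in Reply #8, counts denied requests per authenticated account, and applies the kind of username sanity check Javier asks about in Reply #13 (unexpected characters or a name that fits neither the 3-letters-plus-5-digits student scheme nor a firstname-lastname). The sample log lines, realm name and accounts are constructed; the field order (date, time, client IP, user, URL, domain, bytes, MIME type, event) is assumed from the single line shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of the Zentyal "HTTP proxy" log view shown in the thread.
SAMPLE_LOG = """\
2013-02-12 14:34:03 192.168.1.131 ABC20873@ABC-ASTANA.LAN http://www.google.com/favicon.ico google.com 23370 text/html   Denied
2013-02-12 14:34:05 192.168.1.131 ABC20873@ABC-ASTANA.LAN http://www.google.com/ google.com 5120 text/html Denied
2013-02-12 14:35:10 192.168.1.140 - http://www.bbc.co.uk/ bbc.co.uk 44210 text/html Accepted
2013-02-12 14:36:00 192.168.1.152 john-smith@ABC-ASTANA.LAN http://www.google.com/ google.com 5120 text/html Accepted
2013-02-12 14:36:30 192.168.1.133 ABC2O044@ABC-ASTANA.LAN http://www.google.com/ google.com 5120 text/html Denied
"""

# Field order assumed from the one log line quoted in the thread; "-" marks an unauthenticated client.
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<url>\S+) "
    r"(?P<domain>\S+) (?P<bytes>\d+) (?P<mime>\S+)\s+(?P<event>\S+)$"
)
STUDENT_RE = re.compile(r"^[A-Za-z]{3}[0-9]{5}$")      # student scheme from the thread, e.g. ABC20043
NAME_RE = re.compile(r"^[A-Za-z]+-[A-Za-z]+$")          # the firstname-lastname form that worked


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop the Kerberos realm so "ABC20873@ABC-ASTANA.LAN" becomes "ABC20873".
    rec["account"] = rec["user"].split("@", 1)[0] if rec["user"] != "-" else None
    return rec


def denied_by_user(log_text):
    """Count Denied events per authenticated account (unauthenticated '-' lines are skipped)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "Denied" and rec["account"]:
            counts[rec["account"]] += 1
    return dict(counts)


def unusual_usernames(usernames):
    """Map each suspicious account name to the reasons it was flagged."""
    flagged = {}
    for name in usernames:
        reasons = []
        if not name.isascii() or not name.isprintable():
            reasons.append("non-ASCII or non-printable character")
        if not (STUDENT_RE.match(name) or NAME_RE.match(name)):
            reasons.append("matches neither the student code scheme nor firstname-lastname")
        if reasons:
            flagged[name] = reasons
    return flagged
```

Running `unusual_usernames(denied_by_user(SAMPLE_LOG))` over the constructed sample flags only the account whose code contains a letter O where a digit is expected, which is the sort of discrepancy worth comparing against the account as it appears in the directory.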