Author Topic: Proxy and Active Directory Sync Problem. Filtering not working  (Read 4499 times)

jc_estrada

  • Zen Apprentice
  • Posts: 1
  • Karma: +0/-0
Proxy and Active Directory Sync Problem. Filtering not working
« on: December 13, 2010, 04:31:36 am »
Hi:

First my congratulations for your awesome software.

I'm a new user of Zentyal but a regular user of Squid Proxy and Dansguardian.

I've installed a Zentyal Box with Zentyal 2.0 to be a Proxy Cache validating the users, passwords and groups with an Active Directory on a Windows 2008 Server.

To configure Zentyal I've followed the Official Documentation Page from www.zentyal.org.

I was trying to solve this problem looking on this forum and googling without success.

Problem 1. I have a problem with AD Sync, maybe because of the regional language encoding. I've seen some errors in the ebox log (/var/log/ebox/ebox.log):

Code:
2010/12/12 20:05:03 DEBUG> ebox-ad-sync:330 main::logIfDebug - [ad-sync] can't get userPrincipalName for CN=Controladores de dominio de sólo lectura,CN=Users,DC=DOMAIN,DC=COM.
2010/12/12 20:05:03 DEBUG> ebox-ad-sync:330 main::logIfDebug - [ad-sync] can't get userPrincipalName for CN=Propietarios del creador de directivas de grupo,CN=Users,DC=DOMAIN,DC=COM.
2010/12/12 20:05:03 DEBUG> ebox-ad-sync:330 main::logIfDebug - [ad-sync] can't get userPrincipalName for CN=Admins. del dominio,CN=Users,DC=DOMAIN,DC=COM.
2010/12/12 20:05:03 DEBUG> ebox-ad-sync:330 main::logIfDebug - [ad-sync] can't get userPrincipalName for CN=Publicadores de certificados,CN=Users,DC=DOMAIN,DC=COM.
2010/12/12 20:05:03 DEBUG> ebox-ad-sync:330 main::logIfDebug - [ad-sync] can't get userPrincipalName for CN=Administradores de empresas,CN=Users,DC=DOMAIN,DC=COM.
2010/12/12 20:05:03 DEBUG> ebox-ad-sync:330 main::logIfDebug - [ad-sync] can't get userPrincipalName for CN=Administradores de esquema,CN=Users,DC=DOMAIN,DC=COM.
2010/12/12 20:05:03 DEBUG> ebox-ad-sync:330 main::logIfDebug - [ad-sync] can't get userPrincipalName for CN=Controladores de dominio,CN=Users,DC=DOMAIN,DC=COM.
2010/12/12 20:05:03 DEBUG> ebox-ad-sync:330 main::logIfDebug - [ad-sync] Adding new group Enterprise Domain Controllers de sólo lectura
2010/12/12 20:05:03 DEBUG> UsersAndGroups.pm:1489 EBox::UsersAndGroups::addGroup - group name inválido, valor: Enterprise Domain Controllers de sólo lectura.
2010/12/12 20:05:03 WARN> ebox-ad-sync:104 main::__ANON__ - [ad-sync] Error adding group 'Enterprise Domain Controllers de sólo lectura'.
2010/12/12 20:05:03 DEBUG> ebox-ad-sync:330 main::logIfDebug - [ad-sync] Adding new group Grupo de replicación de contraseña RODC permitida
2010/12/12 20:05:03 DEBUG> UsersAndGroups.pm:1489 EBox::UsersAndGroups::addGroup - group name inválido, valor: Grupo de replicación de contraseña RODC permitida.
2010/12/12 20:05:03 WARN> ebox-ad-sync:104 main::__ANON__ - [ad-sync] Error adding group 'Grupo de replicación de contraseña RODC permitida'.
2010/12/12 20:05:03 DEBUG> ebox-ad-sync:330 main::logIfDebug - [ad-sync] Adding new group Grupo de acceso de autorización de Windows
2010/12/12 20:05:03 DEBUG> UsersAndGroups.pm:1489 EBox::UsersAndGroups::addGroup - group name inválido, valor: Grupo de acceso de autorización de Windows.
2010/12/12 20:05:03 WARN> ebox-ad-sync:104 main::__ANON__ - [ad-sync] Error adding group 'Grupo de acceso de autorización de Windows'.

However I can see the users and the rest of groups in the Users and Groups sections.

And this problem may be the cause of the second problem:

Problem 2. Proxy filtering does not work.

The proxy works fine without filtering, but not with filtering. I've configured the proxy with the transparent option unchecked, so I've configured each browser to connect through the Zentyal proxy.

I've configured the default Filter Profile to deny youtube.com to test the filtering:

But it does not work.

Issue: because the AD sync is not fully successful, I cannot use the local LDAP authentication :-[, so I've made some changes to /usr/share/ebox/stubs/squid/squid.conf.mas

Code:
# <EBOX> TAG_ACL #
#auth_param basic realm Zentyal HTTP proxy
#auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b  ou=Users,<% $dn %>  -u uid  -h ldap://127.0.0.1:<% $ldapport %>
#auth_param ntlm program /usr/lib/squid/ntlm_auth -b -d lira.datos/srv-datos
#auth_param ntlm children 50
auth_param basic realm Internet - Acceso Restringido
auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=domain,dc=com" -D "cn=proxyadsync,cn=Users,dc=domain,dc=com" -w "mypassword" -f sAMAccountName=%s -h 192.168.1.1 -v 2

If I use the default LDAP configuration, I can't log in; with the last two lines, I can log in with any AD user.

I've looked at squid.conf, dansguardian.conf and dansguardianNf.conf, and I don't see any configuration that indicates filtering through dansguardian.  :-\

I believe that the dansguardian configuration was not included in the squid config file because the Zentyal framework cannot validate the AD users and groups:

Code:
<%def .globalGroupsAccess>
<%args>
@groupsPolicies
</%args>
% return if (@groupsPolicies == 0);
%# if we use global group policies we must force always the authorization first
http_access allow authorized all
% foreach my $groupPol (@groupsPolicies) {
%   my $group = $groupPol->{'group'};
%   my $groupAcl = _aclName($group);
%   my $timeAcls = _timeAclsInPolicy($groupPol, $group);
%   my $allowPolicy = $groupPol->{'allow'};
%   if ($allowPolicy) {
http_access allow  <% $timeAcls %> <% $groupAcl %>
%    }

%   if ((not $allowPolicy) or $timeAcls ) {
#   in case of allow + time acl we have to deny otherwise
#   outside of the time period we will slip to the default policy
http_access deny <% $groupAcl %> all
%   }
% }
</%def>

I believe that because the ObjectsPolicies are implemented in the squid config file.

What's wrong with my configuration? How does Zentyal implement the filtering between the squid proxy and dansguardian? How can I debug the config parsing?

I'll appreciate your help.

Thanks in advance.

Regards
« Last Edit: December 13, 2010, 04:33:32 am by jc_estrada »
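
The post above asks how the AD sync failures relate to the group rules that end up in squid.conf. The script below is an added example written by the editor, not Zentyal code and not something the poster ran. It parses the ebox-ad-sync log lines quoted in the post (a constructed sample, with one made-up group "Ventas" that syncs cleanly) and then replays the control flow of the <%def .globalGroupsAccess> template in Python. Assumptions: the log line shapes are inferred from the quoted lines; the acl_name() helper is a stand-in for the template's _aclName(), which the post does not show; the policy shape {'group', 'allow', 'time'} is modelled on the template's $groupPol hash; and the "group never synced" cross-check is this example's own addition, not something the template performs.

```python
"""Added example (editor's own, not Zentyal code): cross-check ebox-ad-sync
failures against the squid http_access rules the globalGroupsAccess
template would emit.

Assumptions, not facts from the thread: the log line shapes are inferred
from the lines quoted in the post; acl_name() stands in for the template's
_aclName(), which the post does not show; the policy dict shape mirrors the
template's $groupPol hash; the "never synced" cross-check is this example's
own addition and is not performed by the template.
"""
import re

# Constructed sample, built from the ebox.log lines quoted in the post plus
# one made-up group ("Ventas") that syncs cleanly.
SAMPLE_LOG = """\
2010/12/12 20:05:03 DEBUG> ebox-ad-sync:330 main::logIfDebug - [ad-sync] can't get userPrincipalName for CN=Admins. del dominio,CN=Users,DC=DOMAIN,DC=COM.
2010/12/12 20:05:03 DEBUG> ebox-ad-sync:330 main::logIfDebug - [ad-sync] Adding new group Enterprise Domain Controllers de sólo lectura
2010/12/12 20:05:03 DEBUG> UsersAndGroups.pm:1489 EBox::UsersAndGroups::addGroup - group name inválido, valor: Enterprise Domain Controllers de sólo lectura.
2010/12/12 20:05:03 WARN> ebox-ad-sync:104 main::__ANON__ - [ad-sync] Error adding group 'Enterprise Domain Controllers de sólo lectura'.
2010/12/12 20:05:03 DEBUG> ebox-ad-sync:330 main::logIfDebug - [ad-sync] Adding new group Ventas
"""

ADDING_RE = re.compile(r"\[ad-sync\] Adding new group (.+?)\s*$")
ERROR_RE = re.compile(r"\[ad-sync\] Error adding group '(.+)'\.\s*$")
NO_UPN_RE = re.compile(r"can't get userPrincipalName for (CN=[^,]+),")


def parse_sync_log(text):
    """Return (groups the sync tried to add, groups it failed to add,
    DNs it could not read a userPrincipalName for), in log order."""
    attempted, failed, no_upn = [], [], []
    for line in text.splitlines():
        m = ADDING_RE.search(line)
        if m:
            attempted.append(m.group(1))
            continue
        m = ERROR_RE.search(line)
        if m:
            failed.append(m.group(1))
            continue
        m = NO_UPN_RE.search(line)
        if m:
            no_upn.append(m.group(1))
    return attempted, failed, no_upn


def synced_groups(text):
    """Groups that actually reached the local LDAP: attempted minus failed."""
    attempted, failed, _ = parse_sync_log(text)
    return set(attempted) - set(failed)


def acl_name(group):
    """Stand-in for the template's _aclName() (assumed, not Zentyal's rule):
    squid ACL names cannot contain spaces, so anything outside [A-Za-z0-9]
    is folded to '_'."""
    return "grp_" + re.sub(r"[^A-Za-z0-9]", "_", group)


def render_group_access(policies, synced):
    """Mirror the control flow of <%def .globalGroupsAccess>.

    policies: list of {'group': str, 'allow': bool, 'time': str or None}
    synced:   set of group names present in the local LDAP
    Returns (squid config lines, groups whose policy emits nothing because
    the group never synced).  The skip list is this example's addition.
    """
    live = [p for p in policies if p["group"] in synced]
    skipped = [p["group"] for p in policies if p["group"] not in synced]
    lines = []
    if not live:
        return lines, skipped          # template: return if (@groupsPolicies == 0)
    # With any group policy present, authentication is forced first.
    lines.append("http_access allow authorized all")
    for pol in live:
        acl = acl_name(pol["group"])
        time_acl = pol.get("time") or ""
        if pol["allow"]:
            lines.append(" ".join(p for p in ("http_access allow", time_acl, acl) if p))
        if (not pol["allow"]) or time_acl:
            # allow + time ACL: deny outside the window so the request does
            # not fall through to the default policy.
            lines.append(f"http_access deny {acl} all")
    return lines, skipped


if __name__ == "__main__":
    attempted, failed, no_upn = parse_sync_log(SAMPLE_LOG)
    print("attempted:", attempted)
    print("failed:   ", failed)
    print("no UPN:   ", no_upn)
    policies = [
        {"group": "Ventas", "allow": True, "time": "horario_oficina"},
        {"group": "Enterprise Domain Controllers de sólo lectura", "allow": False, "time": None},
    ]
    lines, skipped = render_group_access(policies, synced_groups(SAMPLE_LOG))
    print("\n".join(lines))
    for g in skipped:
        print(f"# policy for {g!r} emits no ACL: group never synced")
```

The point of the cross-check is that a deny policy on a group whose name was rejected by addGroup produces no http_access line at all, so the failure is silent unless something like this is run against the log after each sync. Separately, for anyone copying the auth_param line from the post: the bind password sits in cleartext in squid.conf.mas and the helper talks plain LDAP to 192.168.1.1 (-v 2, no -Z), so both the proxyadsync credentials and every proxy user's basic-auth password cross the wire unencrypted; a read-only bind account and TLS (-Z with -v 3) are the usual fixes.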

diegopardo

  • Zen Apprentice
  • Posts: 40
  • Karma: +0/-0
Re: Proxy and Active Directory Sync Problem. Filtering not working
« Reply #1 on: December 14, 2010, 08:14:38 pm »
I have the same problem and haven't found a solution :'(

fuse

  • Zen Monk
  • Posts: 54
  • Karma: +0/-0
Re: Proxy and Active Directory Sync Problem. Filtering not working
« Reply #2 on: December 17, 2010, 11:01:55 am »
Hello,
Try the following,

Create a user using just the following data,
fullname
session startup name

The above two should be the same; don't fill in any other data. Also install the sync too; the training only refers to W2K3 and not 2008.

Regards,
M