eduloco
(usa CentOS)
Enviado em 14/09/2009 - 11:40h
Olá.
Estou com dois grandes problemas, e queria pedir a colaboração de quem puder me ajudar neste assunto.
Eu ADORO Linux, mas ainda estou iniciando neste mundo! =D
Seguinte... eu tenho um servidor de internet aqui na empresa com o CENTOS4 instalado. Nele rodam o Squid, Iptables e o Sarg (não fui eu quem configurou, e não tenho mais o contato de quem fez O.O).
Tudo funcionava muito bem quando meu servidor Windows de AD era Windows Server 2003 e meu squid autenticava os usuários via NTLM (o squid puxava a senha do usuário do domínio logo no logon, e não pedia senha p\ a utilização de internet, e eu conseguia configurar bloqueios por usuário).
No final de semana passado, migramos o servidor p\ outro com Windows Server 2008, onde meus problemas começaram. Descobri que ele não aceita autenticação NTLM (não sei se é verdade, li na internet... se alguém souber como fazer funcionar com este protocolo eu ficaria muito grato!), então comecei a estudar um outro meio, o via LDAP. Ok, consegui fazer uma linha de código onde eu uso o administrador para autenticar os usuários e funciona. O problema é que toda vez que o usuário abre o IE, por exemplo, aparece uma janela de autenticação para ele colocar o login e senha. Se o Usuário colocar o login e senha vai, porém eu descobri que se ele mudar a senha funciona com as duas (depois de mais ou menos um dia que não funciona mais a senha antiga). O primeiro problema é esse, eu queria que a autenticação fosse automática assim como era com o NTLM (o cara loga e já autentica), e o segundo, é que eu libero alguns sites (como o Hotmail) para alguns usuários apenas, e, pela autenticação NTLM, a linha ficava assim:
acl usuario_hotmail proxy_auth multialloy\pierrecruz
Com esta autenticação LDAP parece que ele não reconhece este comando, onde este usuário (pierrecruz), por exemplo, não consegue abrir o site do Hotmail (dá acesso negado). Eu queria saber como fazer p\ autenticar agora os usuários e liberar sites exclusivos usando o AD e LDAP e se possível com autenticação automática como era antes com o NTLM.
Muito obrigado pela paciência de ler meu problema! Espero que alguém consiga me ajudar, pois estou sendo pressionado a mudar p\ o Winroute... e eu queria continuar com o Linux!
Segue o meu squid.conf abaixo!
Um abraço!
Eduardo.
# squid.conf as posted (CentOS 4; Squid 2.x assumed — confirm with `squid -v`).
# Lines starting with "NOTE(review):" were added by review; no directive was changed.
hierarchy_stoplist cgi-bin ?OC
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# Two listening ports; 7618 is non-standard — presumably a second client group, confirm against network docs.
http_port 8080
http_port 7618
visible_hostname squid
cache_mem 128 MB
cache_dir ufs /var/spool/squid 5000 16 1024
##########################################
# Autenticacao NTLM – FUNCIONAVA NO MEU ANTIGO WINDOWS SERVER 2003, MAS NÃO FUNCIONA COM O 2008, ELE FICA PEDINDO SENHA E NÃO CONSEGUE AUTENTICAR
# NOTE(review): /usr/lib/squid/ntlm_auth below is Squid's own SMB-based NTLM helper, which
# speaks an old NTLM dialect directly to the DC. That it stopped working after the move to
# Windows Server 2008 is consistent with 2008's stricter default NTLM/LM settings, though the
# DC's security log would confirm the real reason. Silent single sign-on (no password dialog)
# needs a challenge/response scheme — NTLM or Negotiate/Kerberos; the Basic scheme used in the
# active block further down always prompts. The usual replacement is Samba's winbind-backed
# helper (`ntlm_auth --helper-protocol=squid-2.5-ntlmssp`) after joining the proxy host to the
# domain, or a Negotiate helper if this Squid build supports `auth_param negotiate`.
#auth_param ntlm program /usr/lib/squid/ntlm_auth MULTIALLOY/server
#auth_param ntlm children 50
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param basic children 50
#auth_param basic realm Digite o nome de usuario e senha para acesso a internet – ELE NÃO PEDIA SENHA; ERA AUTOMÁTICO COM O LOGIN.
#auth_param basic program /admin/squid/smb_auth/smb_auth -W MULTIALLOY -d
#auth_param basic program /usr/lib/squid/ntlm_auth MULTIALLOY/server
##auth_param basic program /usr/lib/squid/ncsa_auth /admin/squid/squid.passwd
#auth_param basic credentialsttl 15 minute
#########################################
# Autenticacao LDAP SERVER 2008 – FUNCIONA MAS PEDE SENHA SEMPRE QUE ABRO O IE, EU QUERIA QUE SE INTEGRASSE COM O LOGON DO USUÁRIO.
# NOTE(review): the bind DN is the domain Administrator and its password sits in clear text in
# this file. Use a dedicated, unprivileged read-only bind account (it only needs to read
# sAMAccountName), keep this file readable by root and the squid user only, and consider the
# helper's -W <file> option (password read from a separate file) instead of -w on the command
# line, which is also visible in `ps`. Since the file was posted publicly, rotate that password.
# NOTE(review): -h 10.0.0.3 with no -Z means plain LDAP on port 389, so the bind password and
# every user's password cross the LAN unencrypted. Prefer -Z (STARTTLS) or an ldaps:// URI via
# -H if this helper build supports them (`squid_ldap_auth` with no arguments prints usage).
# The password dialog itself is inherent to Basic auth, not an LDAP misconfiguration.
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=multialloy,dc=local" -D "cn=Administrador,cn=Users,dc=multialloy,dc=local" -w "SENHAADMIN" -f sAMAccountName=%s -h 10.0.0.3
# NOTE(review): the group helper below is the right direction for per-group policy (policy lives
# in AD group membership instead of per-user lists in this file). If it is re-enabled, fix the
# stray quote in `-b "dc="multialloy,dc=local"` and remove the spaces inside `" SENHAADMIN "`,
# which would otherwise be sent as part of the password.
#external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc="multialloy,dc=local" -D "cn=Administrador,cn=Users,dc=multialloy,dc=local" -w " SENHAADMIN " -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Organizacao,dc=multialloy,dc=local))" -h 10.0.0.3
# NOTE(review): `realm` takes the rest of the line; it is not certain this Squid version strips
# the trailing `#(...)`, so the comment may become part of the realm string shown to users.
# Keep the value alone on the line and move the remark above it.
auth_param basic realm Multialloy #(Não funciona, o título da janela fica o ip do Server squid)
auth_param basic children 5
# NOTE(review): Squid caches a validated username/password pair for this long before asking the
# helper again, so a password keeps working for up to 30 minutes after it is changed in AD; any
# additional grace period comes from the DC, not from this file.
auth_param basic credentialsttl 30 minutes
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 88 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 8080 # http
acl Safe_ports port 9100 # impressora
acl Safe_ports port 809 # site do sptrans
acl Safe_ports port 37521 # software IBM
acl CONNECT method CONNECT
# NOTE(review): Safe_ports and SSL_ports above are defined but never enforced — the two standard
# rules (`http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`) are commented
# out near the end of the http_access list. As written, any client that gets past the
# authentication rules can open a CONNECT tunnel to any port on any host through this proxy.
# Re-enable both, placed before the first allow rule, unless there is a documented reason not to.
acl speedyport port 86
acl speedysite dst 200.171.222.97
# Domain/URL lists read from files; these files define the filtering policy and should be
# writable by administrators only.
acl negado_horario_servico dstdomain "/admin/squid/acl_usuarios/negado_horario_servico.txt"
acl excessoes dstdomain "/admin/squid/excessoes.txt"
acl url_bom dstdomain "/admin/squid/urlbom.txt"
acl site_quente urlpath_regex "/admin/squid/sitequente.txt"
acl palavra_quente url_regex "/admin/squid/palavraquente.txt"
acl url_quente dstdomain "/admin/squid/urlquente.txt"
acl extensoes urlpath_regex "/admin/squid/extensoes.txt"
#TESTE LDAP
###########
# NOTE(review): `passwd` is referenced by `http_access allow passwd` near the end of the file but
# its definition here is commented out. In Squid 2.x an unknown ACL name in an http_access line
# is typically logged ("ACL name 'passwd' not found") and dropped rather than rejected, which
# would leave that line with no ACL and skip it entirely. Run `squid -k parse` and check
# cache.log; if the running config really has no proxy_auth ACL here, authentication is only
# being triggered by the other proxy_auth ACLs below (evaluating any proxy_auth ACL challenges
# the client when no credentials are present).
#acl passwd proxy_auth REQUIRED – Um teste que eu fiz que não funcionou...
###########
# SERVER 2008
#acl ldap-auth proxy_auth REQUIRED – Outro teste frustado...
#acl seminternet proxy_auth_regex -i "/admin/squid/acl_usuarios/seminternet.txt"
#acl semana time SMTWHFA 00:00-23:59
#######################################################################################
# Usuarios com restricao total em horario de trabalho
# O login ESTOQUE nao tem acesso nem na hora do almoco
#######################################################################################
acl descanso time SA 00:00-23:59
acl descanso time MTWHF 00:01-08:15 11:30-13:30 15:00-15:15 17:30-23:59
#acl usuarios_restritos proxy_auth_regex -i "/admin/squid/usuarios_restritos.txt"
# Usernames read from files, matched case-insensitively (-i). With Basic auth the name compared
# is exactly what the user typed in the dialog, so the entries must be bare account names.
acl usuarios_restritos proxy_auth -i "/admin/squid/usuarios_restritos.txt"
acl usuarios_restritos_estoque proxy_auth -i "/admin/squid/usuarios_restritos_estoque.txt"
acl sites_nao_restritos dstdomain "/admin/squid/sites_nao_restritos.txt"
http_access deny usuarios_restritos !sites_nao_restritos !descanso
http_access deny usuarios_restritos_estoque !sites_nao_restritos
#http_access deny usuarios_restritos !sites_nao_restritos
#######################################################################################
# Unauthenticated allow: anything in excessoes.txt is reachable without credentials.
http_access allow excessoes
# Teste
#acl usuario_bancos proxy_auth multialloy\edson
#acl bancos url_regex "/admin/squid/bancos.txt"
#http_access allow bancos usuario_bancos
#http_access deny !bancos usuario_bancos
#######################################################################################
# Usuarios com acesso ao MSN, Hotmail, Messenger
#######################################################################################
# NOTE(review): this is why the Hotmail exception stopped working. With the NTLM helper the
# username Squid saw was DOMAIN\user; with Basic auth it is whatever the user types ("pierrecruz"),
# so `multialloy\pierrecruz` never matches and the deny rule below wins. List the bare account
# names (case-sensitive unless -i is added, as on the lists above) or, better, move to the
# group-based external ACL so membership is managed in AD. `edson\edson` on the first line looks
# like a typo for multialloy\edson — confirm.
acl usuario_hotmail proxy_auth edson\edson
acl usuario_hotmail proxy_auth multialloy\anapaula
acl usuario_hotmail proxy_auth multialloy\Afonsosouza
acl usuario_hotmail proxy_auth multialloy\pierrecruz
acl url_hotmail dstdomain "/admin/squid/hotmail.txt"
http_access allow usuario_hotmail url_hotmail
http_access deny !usuario_hotmail url_hotmail
#dentro deste “Hotmail.txt”, contém as url’s do Hotmail, MSN, Windows lve...
#Queria saber como autenticar estes caras acima agora, pois o MSN aqui da empresa só é liberado p\ eles, onde o site do Hotmail tem de estar livre, mas pelo método acima de integração com o AD só funcionava com o Windows Server 2003... já com o 2008 estou apanhando... ele não reconhece este parâmetro “multialloy\edson”
#######################################################################################
#######################################################################################
# Usuarios com acesso ao Gmail
#######################################################################################
acl usuario_gmail proxy_auth multialloy\edson
acl url_gmail dstdomain "/admin/squid/gmail.txt"
http_access allow usuario_gmail url_gmail
http_access deny !usuario_gmail url_gmail
#######################################################################################
#######################################################################################
# Usuarios com acesso ao ORKUT
#######################################################################################
acl usuario_orkut proxy_auth edson\edson
acl url_orkut dstdomain "/admin/squid/orkut.txt"
http_access allow usuario_orkut url_orkut
http_access deny !usuario_orkut url_orkut
#######################################################################################
#######################################################################################
# Usuarios com WebMail do IG
#######################################################################################
acl usuario_webmailig proxy_auth multialloy\edson
acl url_webmailig dstdomain "/admin/squid/webmailig.txt"
http_access allow usuario_webmailig url_webmailig
http_access deny !usuario_webmailig url_webmailig
#######################################################################################
#######################################################################################
# Usuarios com WebMail do Yahoo
#######################################################################################
# NOTE(review): usuario_webmailyahoo is commented out here but still used in the two http_access
# lines below. If this Squid version drops unknown ACL names instead of failing (see the note at
# the commented `passwd` ACL), the allow line degrades to `http_access allow url_webmailyahoo`,
# i.e. the Yahoo mail list becomes open to everyone. Same situation for usuario_webmailterra
# further down. Either restore the ACL or remove the two rules; verify with `squid -k parse`.
#acl usuario_webmailyahoo proxy_auth multialloy\edson
acl url_webmailyahoo dstdomain "/admin/squid/mailyahoo.txt"
#http_access deny usuario_webmailyahoo !usuario_webmailyahoo !descanso
http_access allow usuario_webmailyahoo url_webmailyahoo
http_access deny !usuario_webmailyahoo url_webmailyahoo
#######################################################################################
# Usuarios com acesso ao IG
#######################################################################################
acl usuario_ig proxy_auth multialloy\edson
acl url_ig dstdomain "/admin/squid/mailig.txt"
http_access allow usuario_ig url_ig
http_access deny !usuario_ig url_ig
#######################################################################################
# Usuarios com WebMail do Terra
#######################################################################################
# NOTE(review): same undefined-ACL problem as the Yahoo block above (definition commented out,
# rules below still reference it).
#acl usuario_webmailterra proxy_auth edson\edson
acl url_webmailterra dstdomain "/admin/squid/mailterra.txt"
http_access allow usuario_webmailterra url_webmailterra
http_access deny !usuario_webmailterra url_webmailterra
#######################################################################################
http_access allow speedyport speedysite
# Cache manager reachable from localhost only. These two lines are conventionally placed first in
# the http_access list so that no earlier allow rule can match a cache_object request.
http_access allow manager localhost
http_access deny manager
# NOTE(review): both safety rules disabled — see the note under `acl CONNECT`. Re-enable them.
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access deny palavra_quente !url_bom
http_access deny site_quente !url_bom
http_access deny url_quente !url_bom
http_access deny extensoes
#http_access deny seminternet
# NOTE(review): the only general allow for authenticated users, but `passwd` is not defined in
# this file as posted (its definition is commented out above). If the running server does let
# users through after the password dialog, the running config differs from this paste.
http_access allow passwd
#http_access allow semana
http_access deny all
http_reply_access allow all
# NOTE(review): icp_port is not shown in this listing; if ICP is enabled, restrict icp_access to
# known peers instead of `all`.
icp_access allow all
cache_log /var/log/squid/cache.log
#debug_options ALL,9
logfile_rotate 5
# NOTE(review): clear-text cache manager password, and `all` covers every manager action
# including shutdown. Exposure is limited by the localhost-only manager rules above, but the
# file must not be world-readable, and this password was posted publicly — change it.
cachemgr_passwd adminsquid all
icon_directory /usr/share/squid/icons
error_directory /usr/share/squid/errors/Portuguese
coredump_dir /var/cache/squid
ie_refresh on