I've found an issue where dansguardian, when checking against Active Directory groups, would fail to assign the correct user-group mapping if the NTLM username did not come through as lowercase.
Rebuilding the dansguardian-av package after modifying the following section of the patch dansguardian-system-group.patch [attached] fixed this issue:
@@ -70,6 +74,61 @@ int AuthPlugin::determineGroup(std::stri
if (user.length() < 1 || user == "-") {
return DGAUTH_NOMATCH;
}
+
+ if (o.use_filter_system_groups == false) {
+ return this->determineFilterGroup(user, fg);
+ }
+
+ return this->determineSystemGroup(user, fg);
+}
+
+int AuthPlugin::determineSystemGroup(std::string &user, int &fg)
+{
+ struct group * grpinfo;
+
+ String u(user);
+ u.toLower(); // since the filtergroupslist is read in in lowercase, we should do this.
+ user = u.toCharArray(); // also pass back to ConnectionHandler, so appears lowercase in logs
+
+ /* Invalid user = default group. We rely on Squid to
+ * make sure user exists and is authenticated. */
+ if (getpwnam(user.c_str()) == NULL)
+ return DGAUTH_NOUSER;
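Review bot: The comment on the `u.toLower()` line in determineSystemGroup justifies the conversion by the filtergroupslist being read in lowercase, but the lookup that follows in this function is `getpwnam(user.c_str())`, not the filter group list. Reword the comment to state the assumption this path actually relies on, that system account names are lowercase while the authenticated username can arrive in mixed case, and note that account names differing only in case fold to the same entry after this conversion. `grpinfo` is also declared without an initial value; initialise it to NULL.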
Responses (9)
@Nick
It worked perfectly.
Using a packet analyzer I see:
[client IP] [Proxy IP] HTTP 891 CONNECT sapb1c.unidata.it:443 HTTP/1.1 , NTLMSSP_AUTH, User: [DOMAIN]]\FabioC
(please note username has both Caps and Lowercase).
[Proxy IP] [client IP] HTTP 93 HTTP/1.1 200 Connection established
In the dansguardian access.log I see:
2019.5.4 23:13:05 fabioc [client IP] https://sapb1c.unidata.it:443 CONNECT 37087 0 2 200 - unrestricted -
I will test more during the next days; if I notice something strange I will give feedback.
-
@Fabio,
I've made a patched version of dansguardian-av for you to test. It is currently sync'ing to the mirrors. To install it do a:
yum update dansguardian-av --enablerepo=clearos-updates-testing
You need dansguardian-av-2.10.1.1-14.v7. If you get dansguardian-av-2.10.1.1-13.v7 then it only contains the cache cleardown patch and not yours. You may have to wait for up to a couple of hours for the mirrors to sync.
Please can you give us feedback, whether it works or not?
If it breaks anything, just do a:
yum downgrade dansguardian-av
and it should revert to your current version.
-
Submitted bug report against this.
https://gitlab.com/clearos/clearfoundation/dansguardian-av/issues/3