Setup for Active Directory Integration

[Ralph S.]

Hi again,

I'm trying to get an instance of e2guardian with squid setup to automatically authenticate a user logged into their PC with AD credentials. From what I read, I'm pretty sure this would be NTLM, and I've gotten it so if I point the client at squid, they authenticate, but if I point it at e2guardian, I get a "Proxy Authentication Error". Any idea on what I'm doing wrong or missing? 

So far I've got the upstream set in e2guardian.conf to port 1328 (Squid http bind port), and I've enabled the nltm auth plugin in both squid and e2guardian.con

Versions:
e2guardian: 5.4.2r

squid: 4.10

OS: Ubuntu 20.04.2

Client: Windows 10 Pro 20H2

DC: Samba AD Server: 4.13.5
Winbind: 4.13.5

[Renato C. Pacheco]

Hi Ralph,

In the last few months ago, I faced the same situation: by enabling NTLM in e2guardian, many sites didn't authenticate user's requests with "Proxy Authentication Error". I only could fix that puting squid authenticating first (in front of e2guardian) and forwarding all requests authenticated to e2guardian. In that way, this error doesn't appear anymore. If you want my confs (squid.conf and e2guardian.conf), I send them to you privately.

Best regards,

--
Renato Carneiro Pacheco

Security Analyst

http://br.linkedin.com/in/renatocarneirop

http://www.facebook.com/renatocarneirop

"Não acredite no que eu digo, pois é a minha experiência e não a sua. Experimente, indague e busque." - Osho Rajneesh

--
E2guardian:
https://groups.google.com/d/forum/e2guardian
Github:
https://github.com/e2guardian/e2guardian
Follow us on twitter:
https://twitter.com/e2guardian
---
You received this message because you are subscribed to the Google Groups "e2guardian" group.
To unsubscribe from this group and stop receiving emails from it, send an email to e2guardian+...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/e2guardian/ade0cb94-e4b8-41ff-a852-ceff4640f2b8n%40googlegroups.com.

[Ralph S.]

Hi Renato,

That would be appreciated!

Ralph

[Ralph S.]

Seems you can't actually reply directly to me, so I'll share my email:
blackbi...@gmail.com

On Thursday, March 18, 2021 at 2:25:17 PM UTC-4 renato....@gmail.com wrote:

[Klaus Gundermann]

Hi Renato,

could you send me the config files too, so I may create a chapter in the documentation handling the NTLM authentication ?

Best regards

Klaus

[FredB]

ICAP mode should be also a valid option, I guess
--
Envoyé de mon appareil Android avec Courriel K-9 Mail. Veuillez excuser ma brièveté.

[Ralph S.]

Could you elaborate Fred?

[FredB]

With ICAP, filtering is delegate to e2 but requests are not through in.
E2guardian is totally unaware about identification method, squid just sends URL, IP, ID, etc and E2 answers yes/no

[FredB]

A picture is worth a thousand words 🙂

https://s1.qwant.com/thumbr/0x0/1/4/eac1fe1c85f6370873b30d82c4bb21ba5a15390362aae9d01522263f342668/ICAP1.png?u=https%3A%2F%2Fwww.myapollo.com.tw%2Fimages%2FICAP-RFC3507%2FICAP1.png&q=0&b=1&p=0&a=1

[Ralph S.]

Oh I see, well would any sort of content filtering still work on E2Guardian whilst utilizing ICAP with Squid?

[Andy Duandy]

Bom dia Renato!

Se puder me ajudar enviando o squid.conf e e2guardian.conf para mim, estou encontrando a mesma dificuldade.

Obrigado.

Andy Duandy