Web Filter with AD groups

Hello everyone, I am having problems with my NethServer server. I am using version 7.6 and it is linked to an Active Directory implemented on Windows Server 2008 R2. The link is OK, it brings me groups and users, but in my web proxy the profiles only work with the users and not the groups (when I create profiles using groups it ignores them and uses the default). The user in AD has the group for which I want to filter as main.
Can someone help me with this?

I am doing my tests with the user nethserver created in Active Directory:

id nethserver
uid=1602201291(nethserver@ferretera.local) gid=1602201293(sininternet@ferretera.local) groups=1602201293(sininternet@ferretera.local),1602200513(usuarios del dominio@ferretera.local)

Hi Leonardo,

it seems you hit a bug.
I can reproduce the issue in the new server manager when I use a profile name with a space like “test profile 01”.
In old server manager it’s working and it won’t let you use a profile name with a space.
So it seems the validation in new server manager is not working.

Can you confirm groups working when the profile name has no space?

1 Like

Hello and sorry to bring back an old topic…

I ran into this issue this week (AD group names with spaces not working with filter categories etc).

Basically there is some slightly lazy coding in a couple of places that, properly corrected, makes this work.

Firstly the file /usr/libexec/nethserver/list-group-members

Find the line:
my $groupName = shift;

Replace with:
my $groupName = join(" ",@ARGV);

And also the file /usr/libexec/nethserver/ufdbguard-list-group-members

Change from this;

use JSON;

my $members = decode_json(`/usr/libexec/nethserver/list-group-members -s $ARGV[0]`);
foreach my $user (@$members) {
    print "$user\n";
}

To this;

use JSON;

my $groupName = join(" ",@ARGV);

my $members = decode_json(`/usr/libexec/nethserver/list-group-members -s $groupName`);
foreach my $user (@$members) {
    print "$user\n";
}

I’m happy to formally submit the changes to the codebase if someone can point me in the right direction.

Hi,
thank you for reporting.

Would you mind describing the steps to reproduce?
By the way, if you want to propose a PR, this is the relevant code:

Sure thing.

I’ve set up an authenticated proxy server with NethServer (7.9.2009) - the NethServer is joined to our AD.

The proxy server is up and running, installed just by stepping through the gui, clients are authenticating as they should with kerberos.

I installed the filtering components, again through the gui.

One thing to note is filtering didn’t actually work until I manually ran this command - a bug? - I’ve had to run it a couple of times subsequently as I’ve created new categories etc.

/usr/sbin/ufdbConvertDB -d /var/squidGuard/blacklists

(A fatal error would show near the bottom of the ufdbguard logs until the command was run)

I set up a couple of categories, the first one applied correctly, the second one didn’t - on investigation I concluded that it didn’t work for group names with spaces in them - if you look at the old posts above you’ll note it is said that the old manager gui wouldn’t let you pick a group with spaces in the name, but the new manager does (arguably a bug).

/var/log/ufdbguard/ufdbguardd.log reports each time that it tries to update the group lists (every 15 minutes) and the number of lines reported should correspond to the number of users in the group, but groups that have spaces in their names always returned 0 lines.

Both the scripts involved in returning the list of members for the group use commands that only return the first argument (shift and $ARGV[0]) - if the group name has spaces in it, this is treated as multiple arguments, so only the first word is processed (so a group named “Internet Disabled” would be matching against a group simply called “Internet”).

The command join(" ",@ARGV) steps through the argument array, putting a space between each element, so recreating the whole group name, spaces and all.

I simply substituted in this command.

Will have a go at submitting a PR now, haven’t actually used GitHub previously.

2 Likes
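
The argument splitting described in the post above, as an added example that is not part of the thread or of NethServer's code: a child Perl process (a hypothetical stand-in for list-group-members) echoes the arguments it receives, first through backticks as in the scripts quoted above, then through a list-form open that bypasses the shell. The group names are constructed; the last one shows that rejoining with a single space does not always restore the original name.

```perl
#!/usr/bin/perl
# Added example, not NethServer code. Compares how a group name reaches a
# child process through backticks and through a list-form pipe open.
use strict;
use warnings;
use JSON::PP;

# Hypothetical stand-in for list-group-members: echoes its argv as JSON.
my @child = ($^X, '-MJSON::PP', '-e', 'print encode_json([@ARGV])', '--');

# Backticks pass one string to /bin/sh, which splits the unquoted name on
# whitespace (and would also interpret any shell metacharacters in it).
sub argv_via_shell {
    my ($group) = @_;
    my $perl = $^X;
    return decode_json(`$perl -MJSON::PP -e 'print encode_json([\@ARGV])' -- $group`);
}

# List-form open runs the child directly, with no shell, so the name
# arrives as exactly one argument whatever characters it contains.
sub argv_via_list {
    my ($group) = @_;
    open(my $fh, '-|', @child, $group) or die "cannot run child: $!";
    my $out = do { local $/; <$fh> };
    close($fh) or die "child exited with status $?";
    return decode_json($out);
}

# Constructed group names; the last one contains two consecutive spaces.
for my $group ('Internet', 'Internet Disabled', 'Internet  Disabled') {
    my $shell    = argv_via_shell($group);
    my $list     = argv_via_list($group);
    my $rejoined = join(' ', @$shell);    # the join(" ",@ARGV) workaround
    printf "name=[%s]\n", $group;
    printf "  shell: %d arg(s), first=[%s], rejoined %s\n",
        scalar @$shell, $shell->[0],
        $rejoined eq $group ? 'matches' : 'differs from the original';
    printf "  list:  %d arg(s), %s\n",
        scalar @$list, $list->[0] eq $group ? 'exact match' : 'mismatch';
}
```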

Have now submitted pull requests for both scripts with changes detailed above.

Cheers

2 Likes