Squid Proxy with ldap Authentication
-
I am setting up a pfSense firewall with a squid3 proxy. I am looking to authenticate against an OpenLDAP server using the STARTTLS option. The server does not allow authentication or binds to be performed unless SSL or STARTTLS is used.
I do not see an option on the Squid settings page to set these options, or to specify a CA to use for building the trust relationship.
Is there an option I am overlooking, or is this set somewhere else (CLI maybe)?
Thanks
-
So I was able to make this work:
1. scp the root cert to pfSense (I sent it to /opt/ca.pem)
2. Edit the squid.inc file, and add the -ZZ option to the command (note: the option requires version 3)
   The -ZZ option specifies to use STARTTLS
   File: /usr/local/pkg/squid.inc (search file for appropriate line)
   From ->
   $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
   To ->
   $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -ZZ -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
3. Edit squid.conf with the same option:
   File: /usr/pbi/squid-amd64/local/etc/squid/squid.conf (search file for appropriate line)
   From ->
   auth_param basic program /usr/pbi/squid-amd64/local/libexec/squid/basic_ldap_auth -v 3 -b ou=People,dc=example,dc=com -D cn=nssproxy,ou=Services,dc=example,dc=com -w passHere -f "(&(objectClass=person)(uid=%s))" -u uid -P ldap.example.com:389
   To ->
   auth_param basic program /usr/pbi/squid-amd64/local/libexec/squid/basic_ldap_auth -ZZ -v 3 -b ou=People,dc=example,dc=com -D cn=nssproxy,ou=Services,dc=example,dc=com -w passHere -f "(&(objectClass=person)(uid=%s))" -u uid -P ldap.example.com:389
4. Edit the ldap.conf file to point to ca.pem like:
   File: /usr/pbi/squid-amd64/local/etc/openldap/ldap.conf
   #
   # LDAP Defaults
   #
   # See ldap.conf(5) for details
   # This file should be world readable but not world writable.
   #BASE dc=example,dc=com
   #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
   #SIZELIMIT 12
   #TIMELIMIT 15
   #DEREF never
   TLS_CACERT /opt/ca.pem
   TLS_REQCERT allow
With all this being said, my concern is that these changes will be overwritten at some point due to an update, reboot, restart, etc. What is the preferred method for adding changes/options that are not directly supported via the GUI?
If at all possible I would prefer to do this via the GUI (still hoping I missed the option). I would like to stay away from this kind of customization as much as possible.
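An added ldap.conf for the same path, not the poster's file: with TLS_REQCERT allow, libldap (which basic_ldap_auth uses) ignores a missing or untrusted server certificate, so the CA placed in TLS_CACERT is never actually enforced; demand makes the StartTLS handshake, and therefore the bind, fail unless the server's certificate chains to /opt/ca.pem. Hostnames and paths are reused from the thread.

```conf
# /usr/pbi/squid-amd64/local/etc/openldap/ldap.conf
# Added example, not the poster's file; paths and names reuse the thread's values.

# Trust anchor for the StartTLS handshake to ldap.example.com
TLS_CACERT /opt/ca.pem

# Weak: a missing or untrusted server certificate is silently accepted,
# so the proxy's bind (and the users' passwords it relays) would still be
# sent to a server that does not validate against the CA above.
#TLS_REQCERT allow

# Hardened: require a certificate that validates against TLS_CACERT;
# if validation fails the helper cannot bind and Squid returns ERR.
TLS_REQCERT demand
```

If the OpenLDAP client tools are present on the firewall, `ldapsearch -ZZ -x -H ldap://ldap.example.com:389 -b ou=People,dc=example,dc=com -D cn=nssproxy,ou=Services,dc=example,dc=com -W '(uid=someuser)'` reads the same ldap.conf and refuses the StartTLS session under demand when the chain does not validate, which is a quick way to confirm the CA file works before pointing Squid at it.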
-
This is going to sound odd, but on the Squid Local Cache tab, at the bottom of the page, is a section labelled Dynamic and Update Content.
In that section is a text box "Custom refresh_patterns".
Apparently, there are a lot of options that can be passed here. I know I've passed log directives to change to combined and pipe it through syslog_ng.
Quite possibly your code could be passed here, and it does survive reboots and (so far) upgrades.