Netgate Discussion Forum

    SQUID 0.4.29_1 +LDAP. authentication problem

    Cache/Proxy
    hery524

      I'm using the latest pfSense version 2.3.2-RELEASE-p1 (amd64) with the latest squid+squidguard release 0.4.29_1.

      I had configured the previous squid release with LDAP authentication, and it worked like a charm before. I decided to update to the latest release, and it runs OK for several minutes: the AD authenticates the user and squidguard is also working, blacklisting the URLs. After several minutes, the authentication starts to make a problem, whereby it keeps asking for authentication, and in the log the error 407 is prompted, which I believe indicates an authentication problem. I don't know whether some script/rules have been changed in the background that make the authentication not work, or whether there is a bug in the latest release for LDAP authentication. Can someone guide me to cater for these errors? I have tested with squidguard = OFF; still the same, the browser keeps asking for authentication.

      My squid.conf:
      ----------------------------------------------------------------------------------------------------------------

      # This file is automatically generated by pfSense
      # Do not edit manually !

      http_port 192.168.0.130:3128
      icp_port 0
      dns_v4_first on
      pid_filename /var/run/squid/squid.pid
      cache_effective_user squid
      cache_effective_group proxy
      error_default_language en
      icon_directory /usr/local/etc/squid/icons
      visible_hostname localhost
      cache_mgr admin@local
      access_log /var/squid/logs/access.log
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      netdb_filename /var/squid/logs/netdb.state
      pinger_enable on
      pinger_program /usr/local/libexec/squid/pinger

      logfile_rotate 30
      debug_options rotate=30
      shutdown_lifetime 3 seconds
      forwarded_for on
      httpd_suppress_version_string on
      uri_whitespace strip

      acl dynamic urlpath_regex cgi-bin \?
      cache deny dynamic

      cache_mem 64 MB
      maximum_object_size_in_memory 256 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      minimum_object_size 0 KB
      maximum_object_size 4 MB
      cache_dir ufs /var/squid/cache 1000 16 256
      offline_mode off
      cache_swap_low 90
      cache_swap_high 95
      cache allow all

      # Add any of your own refresh_pattern entries above these.
      refresh_pattern ^ftp:    1440  20%  10080
      refresh_pattern ^gopher:  1440  0%  1440
      refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
      refresh_pattern .    0  20%  4320

      #Remote proxies

      # Setup some default acls
      # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
      acl localhost src 127.0.0.1/32

      acl allsrc src all
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3129 1025-65535 80 53 443 389 21
      acl sslports port 443 563  443

      # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

      #acl manager proto cache_object

      acl purge method PURGE
      acl connect method CONNECT

      # Define protocols used for redirects

      acl HTTP proto HTTP
      acl HTTPS proto HTTPS
      acl allowed_subnets src 192.168.0.0/22
      http_access allow manager localhost

      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports

      # Always allow localhost connections
      # From 3.2 further configuration cleanups have been done to make things easier and safer.
      # The manager, localhost, and to_localhost ACL definitions are now built-in.
      http_access allow localhost

      request_body_max_size 0 KB
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100
      delay_access 1 allow allsrc

      # Reverse Proxy settings

      # Custom options before auth

      auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=mydomain,DC=int -D CN=pfsense,OU=ITADMIN,DC=mydomain,DC=int -w MYpassword11 -f '(&(memberOf=CN=proxyusers,OU=ITADMIN,DC=mydomain,DC=int)(sAMAccountName=%s))' -u sAMAccountName -P 192.168.0.133:389
      auth_param basic children 5
      auth_param basic realm Please enter your Radius credentials to access the proxy
      auth_param basic credentialsttl 5 minutes
      acl password proxy_auth REQUIRED

      # Custom options after auth

      http_access allow password allowed_subnets

      # Default block all to be sure

      http_access deny allsrc

      Log from squid:

      1483690613.492      0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
      1483690619.387    13 192.168.1.198 TCP_DENIED/407 4163 CONNECT www.google.com:443 h.khairi HIER_NONE/- text/html
      1483690694.408      0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
      1483690699.760      5 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
      1483690898.047    12 192.168.1.198 TCP_DENIED/407 4163 CONNECT www.google.com:443 h.khairi HIER_NONE/- text/html
      1483690904.673      5 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
      1483691091.631    19 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
      1483692872.978    72 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
      1483692928.361    27 192.168.1.198 TCP_DENIED/407 4163 CONNECT www.google.com:443 h.khairi HIER_NONE/- text/html
      1483693827.151      0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html

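Added example (not code from this thread or from the pfSense package): a small triage over access.log lines in the native format shown above. It separates Squid's normal 407 challenge (user field `-`) from 407s returned after the browser did supply credentials, which is the pattern that points at the auth helper or directory rather than at the client. The 192.168.1.50 line and its user are constructed.

```python
"""Triage Squid access.log lines for a 407 authentication loop (added example,
not code from the thread). A 407 whose user field is '-' is Squid's normal
challenge; a 407 carrying a username means credentials were sent and the auth
helper rejected them, which points at the helper/LDAP path, not the browser."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# First four lines are taken from the post; the last is constructed (TCP_TUNNEL/200).
SAMPLE_LOG = """\
1483690613.492      0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
1483690619.387     13 192.168.1.198 TCP_DENIED/407 4163 CONNECT www.google.com:443 h.khairi HIER_NONE/- text/html
1483690694.408      0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
1483690699.760      5 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
1483690705.101    210 192.168.1.50 TCP_TUNNEL/200 3912 CONNECT www.example.com:443 okuser HIER_DIRECT/203.0.113.10 -
"""

@dataclass
class ClientStats:
    challenges: int = 0                                  # 407 with no credentials offered
    rejected: Counter = field(default_factory=Counter)   # 407 per supplied username
    accepted: Counter = field(default_factory=Counter)   # non-407 per username

def parse_line(line: str):
    # native format: time elapsed client result/status bytes method URL user hier/peer type
    f = line.split()
    status = int(f[3].split("/", 1)[1])
    return f[2], status, (None if f[7] == "-" else f[7])

def summarize(log: str) -> dict[str, ClientStats]:
    stats: dict[str, ClientStats] = defaultdict(ClientStats)
    for line in filter(None, map(str.strip, log.splitlines())):
        client, status, user = parse_line(line)
        s = stats[client]
        if status == 407 and user is None:
            s.challenges += 1
        elif status == 407:
            s.rejected[user] += 1
        elif user is not None:
            s.accepted[user] += 1
    return dict(stats)

def helper_suspects(stats: dict[str, ClientStats], min_rejections: int = 2) -> list[str]:
    """Clients whose supplied credentials were rejected repeatedly and never
    accepted: the loop is in the auth helper or directory, not in the browser."""
    return sorted(c for c, s in stats.items()
                  if sum(s.rejected.values()) >= min_rejections and not s.accepted)

if __name__ == "__main__":
    for c in helper_suspects(summarize(SAMPLE_LOG)):
        print("credentials repeatedly rejected for client", c)
```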
      doktornotor

        No, there was nothing changed in the pfSense package regarding LDAP.

        hery524

          Thank you for the confirmation. Can you, sir, help me identify what the problem is with my configuration? I don't know what could be wrong or where to look to cater for this problem.

          doktornotor

            No idea. The authentication either works or does not. Perhaps try bumping the number of authentication processes.

            hery524

              (SOLVED)

              I just found a remedy to my problem. Somehow port 389 is not working with AD (mine is Windows Server 2012 AD), so I changed it to 3286 and voilà!! The mystery is solved. ;D ;D

              But with the previous squid version 389 was working; I still don't get why it is not working in the latest version. :-\ :-\ :-\

              Anyway, credit to the solver.. ;) ;) ;)

              https://www.experts-exchange.com/questions/21449783/Problem-using-squid-ldap-auth-against-AD-domain.html

              TESTING!!!!

              389 is not working

              ----------------------------------------------------------------
              [2.3.2-RELEASE][root@proxyent.mydomain.int]/root: /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=mydomain,DC=int -D CN=pfsense,OU=ITADMIN,DC=mydomain,DC=int -w MYpassword11 -f "(&(memberof=CN=proxyusers,OU=ITADMIN,DC=mydomain,DC=int)(sAMAccountName=%s))" -u sAMAccountName -P 192.168.0.133:389
              aduser password
              basic_ldap_auth: WARNING, LDAP search error 'Operations error'
              ERR Operations error
              pfsense MYpassword11
              basic_ldap_auth: WARNING, LDAP search error 'Operations error'
              ERR Operations error
              ^C
              -------------------------------------------------------------------

              change to 3286

              [2.3.2-RELEASE][root@proxyent.mydomain.int]/root: /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=mydomain,DC=int -D CN=pfsense,OU=ITADMIN,DC=mydomain,DC=int -w MYpassword11 -f "(&(memberof=CN=proxyusers,OU=ITADMIN,DC=mydomain,DC=int)(sAMAccountName=%s))" -u sAMAccountName -P 192.168.0.133:3268
              aduser password
              OK
              pfsense MYpassword11
              ERR Success
              --------------------------------------------------------------------

              doktornotor

                As noted above, no one has touched LDAP for ages in the pfSense package. If someone screwed things up upstream, it needs to be fixed upstream.

                http://bugs.squid-cache.org/index.cgi

                Also, there shouldn't be any need to use a GC unless you cannot specify the search domain/OU.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.