    LDAP authentication does not work on port 636

    8 Posts 2 Posters 2.6k Views
playerum

      Hello!

      I configured LDAP authentication through port 636, but it did not work.
      On the LDAP server the message is "TLS negotiation failure"

      So I did some testing with "/usr/local/libexec/squid/basic_ldap_auth" and saw that if I use the "-p" parameter or separate the authentication server address from the port, authentication works.

      Does not work (from squid.conf)

      ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldap.company.local:636

      Works!

      ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldap.company.local -p 636

      OR

      ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldap.company.local 636

      Since it is not recommended to make the changes directly in squid.conf, can anyone give a hint how to solve this problem?

Derelict (Netgate)

        I would guess there is logic in basic_ldap_auth that says a hostname:636 is treated as TLS and hostname -p 636 is just a manual port on a regular connection.

        Traditionally, port 389 is unencrypted and a connection to 636 expects immediate TLS negotiation. If you are running on port 636 without proper TLS set up I would expect you would have problems.

        Modern directories should just listen on 389 and use STARTTLS to negotiate encryption.

        Similar information that I found here:

        http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-ldap-ssl-Secure-authentication-td1043303.html

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

playerum

          Hi Derelict,

          Thanks for your help.

          I did some tests based on what you said and on the link information.

It works with ldaps:// before the address; that means the connection is encrypted and the directory is set up correctly, is that right?
          We use OpenLDAP (openldap-ltb-2.4).

Is there anything else I can test?

          ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldaps://ldap.company.local:636
Derelict (Netgate)

            What are your actual settings in squid?


playerum

              Hi,
Attached below.

              squid.conf.txt

Derelict (Netgate)

                No. The configuration in the GUI.


playerum

                  Hi,
Screenshots from Proxy Server General and Authentication attached below.

                  Package_Proxy_Server_General_Settings_General_-_2017-08-10.gif
                  Package_Proxy_Server_Authentication_Authentication_-_2017-08-10.gif

playerum

                    Hi,
                    I put the ldaps:// in the command below, tested and it worked, as mentioned above …

                    ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldaps://ldap.company.local:636

                    But when I make the change in squid.conf and run "squid -k reconfigure", the authentication fails.
                    I added the CA certificate through Cert. Manager, what could be wrong?
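The thread's three ways of naming the directory (`host:636`, `host -p 636`, `ldaps://host:636`) differ in whether TLS is ever requested, and that is what decides whether the bind password given with `-w` crosses the wire encrypted. The following Python script is an added example, not code from the thread or from the squid helper; it models the behaviour the thread ended up observing (only an `ldaps://` URI asks for TLS, every other spelling is plain LDAP on whatever port it names) as an explicit assumption, flags the risky combinations, and builds the `auth_param basic program` line for squid.conf from GUI-style fields. The helper path, the DNs and the masked password are the thread's; the function names and the `version` default are this example's own choices.

```python
"""Classify an LDAP server spec as basic_ldap_auth's -P/-p options would name it,
flag plaintext bind traffic, and emit the squid.conf auth_param line.

ASSUMPTION (mirrors what this thread observed, not the helper's source code):
only an ldaps:// URI negotiates TLS; ldap://, bare host, host:port and host -p N
are all plain LDAP, even when the port named is 636.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

HELPER = "/usr/local/libexec/squid/basic_ldap_auth"   # path from the thread
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class LdapTarget:
    host: str
    port: int
    tls: bool     # True only when the spec itself requests TLS (ldaps://)
    source: str   # which spelling produced this target, for the report


def parse_server_spec(spec: str, port_flag: Optional[int] = None) -> LdapTarget:
    """Interpret the -P value and an optional -p value (IPv6 literals not handled)."""
    if "://" in spec:
        parts = urlsplit(spec)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"unsupported LDAP URI: {spec!r}")
        return LdapTarget(parts.hostname, parts.port or DEFAULT_PORTS[scheme],
                          tls=(scheme == "ldaps"), source=f"{scheme}:// URI")
    host, sep, port_str = spec.rpartition(":")
    if sep and port_str.isdigit():            # "host:636" style, port inside -P
        return LdapTarget(host, int(port_str), tls=False, source="host:port")
    if port_flag is not None:                 # "host -p 636" style
        return LdapTarget(spec, port_flag, tls=False, source="host -p N")
    return LdapTarget(spec, DEFAULT_PORTS["ldap"], tls=False, source="bare host")


def assess(t: LdapTarget) -> List[str]:
    """Defender-side findings for a target: what the bind traffic looks like."""
    if t.tls:
        return ["LDAPS: TLS from the first byte; squid must trust the CA that "
                "signed the directory certificate or the bind fails client-side"]
    findings = [f"{t.source}: no TLS requested, the -w bind password and the "
                f"user's password travel in clear text to {t.host}:{t.port}"]
    if t.port == 636:
        findings.append("port 636 conventionally expects immediate TLS: a plain "
                        "connection is either refused (the server's 'TLS "
                        "negotiation failure') or accepted unencrypted")
    return findings


def squid_auth_param_line(t: LdapTarget, base_dn: str, bind_dn: str,
                          password: str, search_filter: str = "uid=%s",
                          version: int = 2) -> str:
    """Build the auth_param line; the URI form keeps the TLS decision explicit."""
    uri = f"{'ldaps' if t.tls else 'ldap'}://{t.host}:{t.port}"
    args = [HELPER, "-v", str(version), "-b", base_dn, "-D", bind_dn,
            "-w", password, "-f", f'"{search_filter}"', "-P", uri]
    return "auth_param basic program " + " ".join(args)


if __name__ == "__main__":
    # The three spellings from the thread, plus the one that finally worked.
    for spec, pflag in [("ldap.company.local:636", None),
                        ("ldap.company.local", 636),
                        ("ldaps://ldap.company.local:636", None)]:
        target = parse_server_spec(spec, pflag)
        print(spec, "-p", pflag, "->", target)
        for f in assess(target):
            print("   -", f)
    ok = parse_server_spec("ldaps://ldap.company.local:636")
    print(squid_auth_param_line(ok, "ou=users,dc=company,dc=local",
                                "cn=admin,dc=company,dc=local", "XXXXXXXX"))
```

Because the `ldaps://` form works on the command line but not after `squid -k reconfigure`, the remaining difference is the environment squid runs the helper in: the CA added through the certificate manager has to be visible to the TLS library the helper uses when it is launched by squid, not only to the shell the test was run from. `openssl s_client -connect ldap.company.local:636 -CAfile <ca.pem>` from the same host shows whether the chain validates at all before squid is involved.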
