Does Squid support 2020 LDAP channel binding ?

viktor_g · Jan 3, 2020, 5:18 PM

@CZvacko said in Does Squid support 2020 LDAP channel binding ?:

Hello, what about SquidGuard ? I use it to block some pages for all users, and by-pass such block for some users from AD group. It will probably face same issue

Nice idea,
I'll check it

viktor_g · Jan 4, 2020, 8:40 AM

@CZvacko said in Does Squid support 2020 LDAP channel binding ?:

Hello, what about SquidGuard ? I use it to block some pages for all users, and by-pass such block for some users from AD group. It will probably face same issue, but development of SquidGuard seems to stop

Unfortunately, squidGuard does not support SSL / TLS:
https://fossies.org/linux/www/squidGuard-1.5-beta.tar.gz/squidGuard-1.5-beta/CHANGELOG

CZvacko · Apr 2, 2020, 2:25 PM

Hi, I upgraded pfsense to 2.4.5, then patched squid.inc to PORTREVISION=16 and later to PORTREVISION=17 but have issue to use "SSL-Encypted" transport, while "TCP-standard" works normally. Here is what I did:

switch Authentication Server from IP to FQDN of LDAP server (to match certificates)
set Authentication server port to 636
set Transport to SSL-Encypted
added certificates at the end of /usr/local/share/certs/ca-root-nss.crt
reboot

But user still cannot be verified by LDAP server (webbrowser still asking for credentials)

Debug I did:
a) command openssl s_client -connect ldap.our.company:636 finish as Verify return code: 0 (ok)
b) packet capture of LDAP IP show some cummunication (port opened ok on LDAP server)
c) /var/squid/logs/cache.log shows: basic_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server' - this indicate some issue.

Also, colleague mentioned stripntdomain should be false - in log is true, not sure about it.
What to do now ?

viktor_g · Apr 2, 2020, 4:24 PM

@CZvacko
Did it work on 2.4.4-p3?
Have you checked this in the lastest 2.5 snapshot?

default OpenSSL trust store is '/etc/ssl/certs'
filenames must use <HASH>.0 file format, i.e.:
'/etc/ssl/certs/7fea9b91.0'

to get hash value:
'openssl x509 -hash -noout -in mycacert.crt'

CZvacko · Apr 3, 2020, 9:35 AM

In 2.4.4-p3 there was not such functionality in Squid, its new feature.
Didn't tried in 2.5, using stable branch only.

Tried to copy certificates base on your instructions, but issue persist.
Debug d) LDAP server owner (running in different place) show me AD log which says:
Internal event: An LDAP over Secure Sockets Layer (SSL) connection could not be established with a client.
Error value: 2148074289 The client and server cannot communicate, because they do not possess a common algorithm.

viktor_g · Apr 3, 2020, 11:04 AM

@CZvacko can you check this: https://forum.netgate.com/topic/145578/ldaps-ad-bind/18 ?
The command isn't correct, you cannot use -h host -p 636, as simply selecting a different port won't make ldapsearch use SSL, I know, its silly, but you really need to use -H "ldaps://host:636".

if -H "ldaps://host:636" works OK, I'll create fix

CZvacko · Apr 3, 2020, 1:37 PM

That post seems to be related about authenticating pfsense "admin user" against LDAP. But proxy/squid should have own routine to authenticate "proxy user" against LDAP. Or am I wrong?

I can try what you mention, but what command I should run ?

viktor_g · Apr 3, 2020, 1:37 PM

@CZvacko said in Does Squid support 2020 LDAP channel binding ?:

That post seems to be related about authenticating pfsense "admin user" against LDAP. But proxy/squid should have own routine to authenticate "proxy user" against LDAP. Or am I wrong?

I can try what you mention, but what command I should run ?

Open /usr/local/etc/squid/squid.conf in a text editor,
remove server option (like '192.168.1.4:636'),
and add ldap URI option (like -H 'ldaps://192.168.1.4:636')

then restart squid service: service squid.sh restart
and check authentication

CZvacko · Apr 3, 2020, 2:07 PM

Hi, now it seems to be ok.

viktor_g · Apr 3, 2020, 2:34 PM

@CZvacko said in Does Squid support 2020 LDAP channel binding ?:

Hi, now it seems to be ok.

Successfully?
I'll create squid package fix

viktor_g · Apr 3, 2020, 4:46 PM

Successfully tested,
https://redmine.pfsense.org/issues/10422

Soon in the new version of Squid package

CZvacko · Jun 3, 2020, 1:44 PM

Concerning Squidquard, when LDAP channel binding become forced by AD server, I will probably have to abandon it. But I just got some idea:

Is it possible to use some kind of "mixed authentication" like Squid user Authenticated by LDAP but Squidquard user list will be defined as string in Group ACL > "Client (source)" ? [currently I have there Ldap search expression]

Because in log of both Squid and Squidquard I can see simple user_name, if pfsense "pair" this usernames internally just by string, then mixed mode can work ??

CZvacko · Jul 8, 2020, 2:31 PM

Hi, I tried to use mixed mode and it works as expected (including LightSquid).