Netgate Discussion Forum
    Does Squid support 2020 LDAP channel binding ?

      viktor_g (Netgate) replying to @CZvacko:

      @CZvacko
      Did it work on 2.4.4-p3?
      Have you checked this in the latest 2.5 snapshot?

      The default OpenSSL trust store is '/etc/ssl/certs'.
      Filenames must use the <HASH>.0 format, e.g.:
      '/etc/ssl/certs/7fea9b91.0'

      To get the hash value:
      'openssl x509 -hash -noout -in mycacert.crt'

        CZvacko:

        In 2.4.4-p3 there was no such functionality in Squid; it's a new feature.
        Didn't try it in 2.5, using the stable branch only.

        Tried to copy the certificates based on your instructions, but the issue persists.
        Debug d) The LDAP server owner (running in a different place) showed me an AD log which says:
        Internal event: An LDAP over Secure Sockets Layer (SSL) connection could not be established with a client.
        Error value: 2148074289 The client and server cannot communicate, because they do not possess a common algorithm.

          viktor_g (Netgate) replying to @CZvacko:

          @CZvacko can you check this: https://forum.netgate.com/topic/145578/ldaps-ad-bind/18 ?
          The command isn't correct; you cannot use -h host -p 636, as simply selecting a different port won't make ldapsearch use SSL. I know it's silly, but you really need to use -H "ldaps://host:636".

          If -H "ldaps://host:636" works OK, I'll create a fix.

            CZvacko:

            That post seems to be related to authenticating the pfSense "admin user" against LDAP. But proxy/Squid should have its own routine to authenticate the "proxy user" against LDAP. Or am I wrong?

            I can try what you mention, but what command should I run?

              viktor_g (Netgate) replying to @CZvacko:

              @CZvacko said in Does Squid support 2020 LDAP channel binding ?:

              That post seems to be related to authenticating the pfSense "admin user" against LDAP. But proxy/Squid should have its own routine to authenticate the "proxy user" against LDAP. Or am I wrong?

              I can try what you mention, but what command should I run?

              Open /usr/local/etc/squid/squid.conf in a text editor,
              remove the server option (like '192.168.1.4:636'),
              and add the LDAP URI option (like -H 'ldaps://192.168.1.4:636').

              Then restart the Squid service: service squid.sh restart
              and check authentication.

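Added example, not code from this thread, from Netgate or from the pfSense Squid package: a POSIX shell script that applies the squid.conf change described above, rewriting the basic_ldap_auth helper line so the LDAP server is passed as an ldaps:// URI via -H instead of a bare host:port, and then checks the result. The helper path, the sample config fragment and the temp-file location are constructed assumptions; the trust-store helper reuses the 'openssl x509 -hash' command from the earlier post.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Squid package.
# Assumed: the helper path and the squid.conf fragment below are constructed.
set -e

# Rewrite the basic_ldap_auth line so the helper gets an ldaps:// URI via -H
# instead of a bare trailing HOST:PORT argument (a port alone never enables TLS).
# Written through a temp file so it works with both GNU and BSD sed.
fix_squid_ldaps() {
    conf="$1"
    sed -E 's#^(auth_param basic program [^ ]*basic_ldap_auth .*) ([A-Za-z0-9.-]+):([0-9]+)[[:space:]]*$#\1 -H ldaps://\2:\3#' "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Return 0 when the helper line carries -H ldaps:// and no bare HOST:PORT
# server argument is left at its end; 1 otherwise.
squid_ldaps_ok() {
    line=$(grep '^auth_param basic program .*basic_ldap_auth' "$1") || return 1
    case "$line" in
        *"-H ldaps://"*) ;;
        *) return 1 ;;
    esac
    echo "$line" | grep -Eq ' [A-Za-z0-9.-]+:[0-9]+[[:space:]]*$' && return 1
    return 0
}

# Path the OpenSSL trust store expects for a CA certificate: <subject hash>.0
# (same 'openssl x509 -hash' command the thread uses). Not run below.
ca_trust_path() {
    printf '/etc/ssl/certs/%s.0\n' "$(openssl x509 -hash -noout -in "$1")"
}

# Constructed sample: pre-fix helper line ending in a bare host:port.
SAMPLE_CONF="${TMPDIR:-/tmp}/squid-ldaps-example.conf"
cat > "$SAMPLE_CONF" <<'EOF'
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b "dc=example,dc=com" -D "cn=proxy,dc=example,dc=com" -w secret -f "(sAMAccountName=%s)" 192.168.1.4:636
auth_param basic children 5
acl ldap_users proxy_auth REQUIRED
EOF

if squid_ldaps_ok "$SAMPLE_CONF"; then echo "before: already uses an ldaps URI"; else echo "before: bare host:port (no TLS)"; fi
fix_squid_ldaps "$SAMPLE_CONF"
fix_squid_ldaps "$SAMPLE_CONF"   # second run is a no-op (idempotent)
if squid_ldaps_ok "$SAMPLE_CONF"; then echo "after: -H ldaps:// in place"; fi
grep basic_ldap_auth "$SAMPLE_CONF"
```

After the rewrite, the helper line should end in -H ldaps://192.168.1.4:636 while the other lines are untouched; running the script twice leaves the file unchanged.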
                CZvacko:

                Hi, now it seems to be ok.

                  viktor_g (Netgate) replying to @CZvacko:

                  @CZvacko said in Does Squid support 2020 LDAP channel binding ?:

                  Hi, now it seems to be ok.

                  Successfully?
                  I'll create a Squid package fix.

                    viktor_g (Netgate):

                    Successfully tested:
                    https://redmine.pfsense.org/issues/10422

                    Coming soon in the new version of the Squid package.

                      CZvacko:

                      Concerning SquidGuard, when LDAP channel binding becomes enforced by the AD server, I will probably have to abandon it. But I just got an idea:

                      Is it possible to use some kind of "mixed authentication", like the Squid user authenticated by LDAP but the SquidGuard user list defined as a string in Group ACL > "Client (source)"? [Currently I have an LDAP search expression there.]

                      Because in the logs of both Squid and SquidGuard I can see the simple user_name; if pfSense "pairs" these usernames internally just by string, then mixed mode can work??

                        CZvacko:

                        Hi, I tried to use mixed mode and it works as expected (including LightSquid). ☺

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.