Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid Auth using LDAPs (pfSense 2.3.2-RELEASE-p1)

    Cache/Proxy
    2
    3
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      juaromu
      last edited by

      Hi:

      Just came across an issue enabling LDAPs for Squid authentication against AD.

      Just to clarify, no cert issue, which apparently it's the most frequent source of problems when activating this.

      So, after you configure all settings from the web-gui, the squid.conf file looks like this (only relevant config shown here):

      auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b "CN=Users,DC=myDomain,DC=com" -D user@myDomain.com -w password -f "userPrincipalName=%s" -u userPrincipalName -P winentserver.mydomain.com:636

      (In bold relevant part, more abt this later)

      Now, since it wasn't working, I went over to /usr/local/libexec/squid and ran the library but with following parameters:

      /usr/local/libexec/squid/basic_ldap_auth -v 3 -b "CN=Users,DC=myDomain,DC=com" -D user@myDomain.com -w password -f "userPrincipalName=%s" -u userPrincipalName -P winentserver.mydomain.com -p 636

      After executing the library and typing a user/pwd combination part of the Users' group on AD, got the OK for the authentication. Sniffer running on the DC also showed the whole transaction, looking fine.

      Manually edited the squid.conf file and changed the config line, as per successful execution, restarted squid service from web-gui and authenticated access started to work.

      Problem is that if you restart pfSense box, the squid.conf file is overwritten (in the winentserver.mydomain.com:636 format again) and authentication fails again.

      Is this a bug related to the way the pfSense config process writes the squid.conf file?
      I'm using Win2008 R2 as DC, maybe the hostname:636 format is valid for other versions of Windows Server but not for this one?

      Thanks!

      1 Reply Last reply Reply Quote 0
      • S
        sichent Banned
        last edited by

        You do realize the traffic from browser to Squid is still not encrypted right?

        1 Reply Last reply Reply Quote 0
        • J
          juaromu
          last edited by

          Alright, solution for this, in case anyone needs it, is to edit /usr/local/pkg/squid.inc:

          Go to section:

          // Set up the external authentication programs

          There's a switch function there, go to the LDAP section and modify the $port variable assignment to look like this:

          $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');

          In bold the -p oprion I believe is missing in the original .inc file.

          As a matter of facts, right below LDAP auth options, come RADIUS options and there the "-p" is present:

          case 'radius':
          $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');

          Cheers.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.