Squid Auth using LDAPs (pfSense 2.3.2-RELEASE-p1)



  • Hi:

    Just came across an issue enabling LDAPs for Squid authentication against AD.

    Just to clarify, no cert issue, which apparently it's the most frequent source of problems when activating this.

    So, after you configure all settings from the web-gui, the squid.conf file looks like this (only relevant config shown here):

    auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b "CN=Users,DC=myDomain,DC=com" -D user@myDomain.com -w password -f "userPrincipalName=%s" -u userPrincipalName -P winentserver.mydomain.com:636

    (In bold relevant part, more abt this later)

    Now, since it wasn't working, I went over to /usr/local/libexec/squid and ran the library but with following parameters:

    /usr/local/libexec/squid/basic_ldap_auth -v 3 -b "CN=Users,DC=myDomain,DC=com" -D user@myDomain.com -w password -f "userPrincipalName=%s" -u userPrincipalName -P winentserver.mydomain.com -p 636

    After executing the library and typing a user/pwd combination part of the Users' group on AD, got the OK for the authentication. Sniffer running on the DC also showed the whole transaction, looking fine.

    Manually edited the squid.conf file and changed the config line, as per successful execution, restarted squid service from web-gui and authenticated access started to work.

    Problem is that if you restart pfSense box, the squid.conf file is overwritten (in the winentserver.mydomain.com:636 format again) and authentication fails again.

    Is this a bug related to the way the pfSense config process writes the squid.conf file?
    I'm using Win2008 R2 as DC, maybe the hostname:636 format is valid for other versions of Windows Server but not for this one?

    Thanks!


  • Banned

    You do realize the traffic from browser to Squid is still not encrypted right?



  • Alright, solution for this, in case anyone needs it, is to edit /usr/local/pkg/squid.inc:

    Go to section:

    // Set up the external authentication programs

    There's a switch function there, go to the LDAP section and modify the $port variable assignment to look like this:

    $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');

    In bold the -p oprion I believe is missing in the original .inc file.

    As a matter of facts, right below LDAP auth options, come RADIUS options and there the "-p" is present:

    case 'radius':
    $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');

    Cheers.