SQUID 0.4.29_1 + LDAP authentication problem



  • I'm using the latest pfSense version 2.3.2-RELEASE-p1 (amd64) with the latest squid + squidGuard release 0.4.29_1.

    I had configured the previous squid release with LDAP authentication, and it worked like a charm before. I decided to update to the latest release, and it runs OK for several minutes: AD authenticates the user and squidGuard also works, blacklisting the URLs. After several minutes, the authentication starts to make a problem whereby it keeps asking for authentication, and in the log the error 407 is prompted, which I believe indicates the authentication problem. I don't know whether some script/rules have been changed in the background that make the authentication not work, or whether there is a bug in the latest release for LDAP authentication. Can someone guide me to cater for these errors? I have tested with squidGuard = OFF; still the same, the browser keeps asking for authentication.

    MY squid.conf
    ----------------------------------------------------------------------------------------------------------------

    # This file is automatically generated by pfSense
    # Do not edit manually !

    http_port 192.168.0.130:3128
    icp_port 0
    dns_v4_first on
    pid_filename /var/run/squid/squid.pid
    cache_effective_user squid
    cache_effective_group proxy
    error_default_language en
    icon_directory /usr/local/etc/squid/icons
    visible_hostname localhost
    cache_mgr admin@local
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    netdb_filename /var/squid/logs/netdb.state
    pinger_enable on
    pinger_program /usr/local/libexec/squid/pinger

    logfile_rotate 30
    debug_options rotate=30
    shutdown_lifetime 3 seconds
    forwarded_for on
    httpd_suppress_version_string on
    uri_whitespace strip

    # The escaped "?" was stripped when the config was pasted into the forum; restored here.
    acl dynamic urlpath_regex cgi-bin \?
    cache deny dynamic

    cache_mem 64 MB
    maximum_object_size_in_memory 256 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    minimum_object_size 0 KB
    maximum_object_size 4 MB
    cache_dir ufs /var/squid/cache 1000 16 256
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    cache allow all

    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:    1440  20%  10080
    refresh_pattern ^gopher:  1440  0%  1440
    refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
    refresh_pattern .    0  20%  4320

    #Remote proxies

    # Setup some default acls
    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    acl localhost src 127.0.0.1/32

    acl allsrc src all
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3129 1025-65535 80 53 443 389 21
    acl sslports port 443 563  443

    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    #acl manager proto cache_object

    acl purge method PURGE
    acl connect method CONNECT

    # Define protocols used for redirects
    acl HTTP proto HTTP
    acl HTTPS proto HTTPS
    acl allowed_subnets src 192.168.0.0/22
    http_access allow manager localhost

    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports

    # Always allow localhost connections
    # From 3.2 further configuration cleanups have been done to make things easier and safer.
    # The manager, localhost, and to_localhost ACL definitions are now built-in.
    http_access allow localhost

    request_body_max_size 0 KB
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow allsrc

    # Reverse Proxy settings

    # Custom options before auth
    auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=mydomain,DC=int -D CN=pfsense,OU=ITADMIN,DC=mydomain,DC=int -w MYpassword11 -f '(&(memberOf=CN=proxyusers,OU=ITADMIN,DC=mydomain,DC=int)(sAMAccountName=%s))' -u sAMAccountName -P 192.168.0.133:389
    auth_param basic children 5
    auth_param basic realm Please enter your Radius credentials to access the proxy
    auth_param basic credentialsttl 5 minutes
    acl password proxy_auth REQUIRED

    # Custom options after auth
    http_access allow password allowed_subnets

    # Default block all to be sure
    http_access deny allsrc


    Log from squid (access.log):


    1483690613.492      0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
    1483690619.387    13 192.168.1.198 TCP_DENIED/407 4163 CONNECT www.google.com:443 h.khairi HIER_NONE/- text/html
    1483690694.408      0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
    1483690699.760      5 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
    1483690898.047    12 192.168.1.198 TCP_DENIED/407 4163 CONNECT www.google.com:443 h.khairi HIER_NONE/- text/html
    1483690904.673      5 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
    1483691091.631    19 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
    1483692872.978    72 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
    1483692928.361    27 192.168.1.198 TCP_DENIED/407 4163 CONNECT www.google.com:443 h.khairi HIER_NONE/- text/html
    1483693827.151      0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
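
The access.log excerpt above carries the diagnostic clue on its own: a 407 with user "-" is the ordinary challenge, while a 407 that already carries a username means the auth helper rejected credentials the browser did send. The following script is an added example (not from the thread or the pfSense package) that parses Squid's native log format and separates the two cases; the sample lines are constructed in the shape of those posted above.

```python
"""Tell a normal Squid 407 challenge from a credential rejection in access.log.

Squid native log format, whitespace-separated:
  timestamp elapsed client code/status bytes method url user peer type
A 407 with user "-" is the browser being challenged; a 407 that already
carries a username means the auth helper (basic_ldap_auth in this thread)
returned ERR for credentials that were actually supplied: an auth loop.
"""
from collections import Counter

# Constructed sample in the shape of the lines posted in the thread.
SAMPLE_LOG = """\
1483690613.492      0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
1483690619.387     13 192.168.1.198 TCP_DENIED/407 4163 CONNECT www.google.com:443 h.khairi HIER_NONE/- text/html
1483690699.760      5 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
1483690904.673      5 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
1483690910.001     20 192.168.1.198 TCP_TUNNEL/200 5120 CONNECT www.google.com:443 aduser HIER_DIRECT/172.217.0.1 -
"""


def parse_line(line):
    """Return the fields we need from one native-format line, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": f[2], "code": code,
            "status": int(status), "url": f[6], "user": f[7]}


def classify_407s(log_text):
    """Return (challenges, rejections): number of 407s with no user, and a
    Counter of 407s per username, i.e. times the helper refused credentials."""
    challenges, rejections = 0, Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 407:
            continue
        if rec["user"] == "-":
            challenges += 1
        else:
            rejections[rec["user"]] += 1
    return challenges, rejections


def looping_users(log_text, threshold=2):
    """Usernames rejected at least `threshold` times: the helper, not the
    browser, is what to test next (run basic_ldap_auth by hand as the thread does)."""
    _, rejections = classify_407s(log_text)
    return sorted(u for u, n in rejections.items() if n >= threshold)
```

Run it against a real access.log with `classify_407s(open("/var/squid/logs/access.log").read())`; a non-empty `looping_users` result points at the helper (LDAP bind, search base or port) rather than at the browser.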


  • Banned

    No, there was nothing changed in the pfSense package regarding LDAP.



  • Thanks for the confirmation. Can you, sir, help me identify what the problem is with my configuration? I don't know what could be wrong or where to look to cater for this problem.


  • Banned

    No idea. The authentication either works or does not. Perhaps try bumping the number of authentication processes.



  • (SOLVED)

    Just found a remedy to my problem. Somehow port 389 is not working with AD (mine is Windows Server 2012 AD), so I changed it to 3286 and voilà!! The mystery is solved. ;D ;D

    But still, using the previous squid version, 389 is working; I still don't get why it is not working in the latest version. :-\ :-\ :-\

    Anyway, credit to the solver. ;) ;) ;)

    https://www.experts-exchange.com/questions/21449783/Problem-using-squid-ldap-auth-against-AD-domain.html

    TESTING!!!!

    389 is not working

    ----------------------------------------------------------------
    [2.3.2-RELEASE][root@proxyent.mydomain.int]/root: /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=mydomain,DC=int -D CN=pfsense,OU=ITADMIN,DC=mydomain,DC=int -w MYpassword11 -f "(&(memberof=CN=proxyusers,OU=ITADMIN,DC=mydomain,DC=int)(sAMAccountName=%s))" -u sAMAccountName -P 192.168.0.133:389
    aduser password
    basic_ldap_auth: WARNING, LDAP search error 'Operations error'
    ERR Operations error
    pfsense MYpassword11
    basic_ldap_auth: WARNING, LDAP search error 'Operations error'
    ERR Operations error
    ^C
    ------------------------------------------------------------------

    Changed to 3286:


    [2.3.2-RELEASE][root@proxyent.mydomain.int]/root: /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=mydomain,DC=int -D CN=pfsense,OU=ITADMIN,DC=mydomain,DC=int -w MYpassword11 -f "(&(memberof=CN=proxyusers,OU=ITADMIN,DC=mydomain,DC=int)(sAMAccountName=%s))" -u sAMAccountName -P 192.168.0.133:3268
    aduser password
    OK
    pfsense MYpassword11
    ERR Success
    -------------------------------------------------------------------


  • Banned

    As noted above, no one has touched LDAP for ages in the pfSense package. If someone screwed things up upstream, it needs to be fixed upstream.

    http://bugs.squid-cache.org/index.cgi

    Also, there shouldn't be any need to use a GC unless you cannot specify the search domain/OU.

