SQUID 0.4.29_1 +LDAP. authentication problem
-
I'm using the latest pfSense version 2.3.2-RELEASE-p1 (amd64) with the latest squid+squidguard release 0.4.29_1.
I had configured the previous Squid release with LDAP authentication, and it worked like a charm before. I decided to update to the latest release, and it runs OK for several minutes: AD authenticates the user and SquidGuard is also working, blacklisting URLs. After several minutes, the authentication starts to make a problem, whereby it keeps asking for authentication, and in the log the error 407 is shown, which I believe indicates an authentication problem. I don't know whether some script/rules have been changed in the background that make the authentication not work, or whether there is a bug in the latest release for LDAP authentication. Can someone guide me to fix this error? I have tested with SquidGuard OFF; still the same, the browser keeps asking for authentication.
My squid.conf:
–--------------------------------------------------------------------------------------------------------------
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.0.130:3128
icp_port 0
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@local
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
logfile_rotate 30
debug_options rotate=30
shutdown_lifetime 3 seconds
forwarded_for on
httpd_suppress_version_string on
uri_whitespace strip
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 1000 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Remote proxies
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535 80 53 443 389 21
acl sslports port 443 563 443
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.0.0/22
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
# Custom options before auth
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=mydomain,DC=int -D CN=pfsense,OU=ITADMIN,DC=mydomain,DC=int -w MYpassword11 -f '(&(memberOf=CN=proxyusers,OU=ITADMIN,DC=mydomain,DC=int)(sAMAccountName=%s))' -u sAMAccountName -P 192.168.0.133:389
auth_param basic children 5
auth_param basic realm Please enter your Radius credentials to access the proxy
auth_param basic credentialsttl 5 minutes
acl password proxy_auth REQUIRED
# Custom options after auth
http_access allow password allowed_subnets
# Default block all to be sure
http_access deny allsrc
Log from squid:
1483690613.492 0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
1483690619.387 13 192.168.1.198 TCP_DENIED/407 4163 CONNECT www.google.com:443 h.khairi HIER_NONE/- text/html
1483690694.408 0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
1483690699.760 5 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
1483690898.047 12 192.168.1.198 TCP_DENIED/407 4163 CONNECT www.google.com:443 h.khairi HIER_NONE/- text/html
1483690904.673 5 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
1483691091.631 19 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
1483692872.978 72 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
1483692928.361 27 192.168.1.198 TCP_DENIED/407 4163 CONNECT www.google.com:443 h.khairi HIER_NONE/- text/html
1483693827.151 0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
-
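Added example, not code from the post, pfSense or Squid: it parses the native access.log format shown above and separates the initial 407 challenges (no username yet) from 407s returned after the browser did send credentials, which is the pattern in this log and points at the auth helper rather than at the browser. The 192.168.1.50 client and its two lines are constructed.

```python
"""Added example (not from the forum post): sort the TCP_DENIED/407 lines of a
Squid native access.log into initial challenges (no user yet) and rejections of
credentials the browser did send, the pattern visible in the log above."""
import re
from collections import Counter, defaultdict

# Native Squid access.log: time elapsed client action/status size method url user hier mime
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

# Sample input: four lines copied from the post, plus two constructed lines for a
# second client (192.168.1.50, made up) that authenticates normally.
SAMPLE_LOG = """\
1483690613.492 0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
1483690619.387 13 192.168.1.198 TCP_DENIED/407 4163 CONNECT www.google.com:443 h.khairi HIER_NONE/- text/html
1483690694.408 0 192.168.1.198 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
1483690699.760 5 192.168.1.198 TCP_DENIED/407 4155 CONNECT www.google.com:443 aduser HIER_NONE/- text/html
1483690700.100 0 192.168.1.50 TCP_DENIED/407 4053 CONNECT www.google.com:443 - HIER_NONE/- text/html
1483690700.350 40 192.168.1.50 TCP_TUNNEL/200 3871 CONNECT www.google.com:443 aduser HIER_DIRECT/172.217.22.4 -
"""
def parse_line(line):
    """Return the fields as a dict, or None for a line in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(log_text):
    """Per client: 'challenge' = 407 with no username (normal first request),
    'rejected' = 407 although a username was sent (the helper answered ERR),
    'ok' = request served for an authenticated user."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts = stats[rec["client"]]
        if rec["status"] == "407":
            counts["challenge" if rec["user"] == "-" else "rejected"] += 1
        elif rec["user"] != "-":
            counts["ok"] += 1
    return stats

def suspect_helper_failure(stats, min_rejected=2):
    """Clients whose credentials were rejected repeatedly and never accepted:
    look at the auth helper and its LDAP backend, not at the browser."""
    return sorted(c for c, n in stats.items()
                  if n["rejected"] >= min_rejected and n["ok"] == 0)
```

Run it against a real /var/squid/logs/access.log by passing the file contents to classify(); a client listed by suspect_helper_failure() is one whose supplied credentials never got past the helper.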
No, there was nothing changed in the pfSense package regarding LDAP.
-
Thank you for the confirmation. Can you, sir, help me to identify what the problem is with my configuration? I don't know what could be wrong or where to look to fix this problem.
-
No idea. The authentication either works or does not. Perhaps try bumping the number of authentication processes.
-
(SOLVED)
Just found a remedy to my problem. Somehow port 389 is not working with AD (mine is Windows Server 2012 AD), so I changed it to 3286 and voila!! The mystery is solved. ;D ;D
But with the previous Squid version, 389 was working; I still don't get why it is not working in the latest version. :-\ :-\ :-\
Anyway, credit to the solver.. ;) ;) ;)
https://www.experts-exchange.com/questions/21449783/Problem-using-squid-ldap-auth-against-AD-domain.html
TESTING!!!!
389 is not working
–---------------------------------------------------------------
[2.3.2-RELEASE][root@proxyent.mydomain.int]/root: /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=mydomain,DC=int -D CN=pfsense,OU=ITADMIN,DC=mydomain,DC=int -w MYpassword11 -f "(&(memberof=CN=proxyusers,OU=ITADMIN,DC=mydomain,DC=int)(sAMAccountName=%s))" -u sAMAccountName -P 192.168.0.133:389
aduser password
basic_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR Operations error
pfsense MYpassword11
basic_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR Operations error
^C
–------------------------------------------------------------------
change to 3286
[2.3.2-RELEASE][root@proxyent.mydomain.int]/root: /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=mydomain,DC=int -D CN=pfsense,OU=ITADMIN,DC=mydomain,DC=int -w MYpassword11 -f "(&(memberof=CN=proxyusers,OU=ITADMIN,DC=mydomain,DC=int)(sAMAccountName=%s))" -u sAMAccountName -P 192.168.0.133:3268
aduser password
OK
pfsense MYpassword11
ERR Success
–-------------------------------------------------------------------
-
As noted above, no one has touched LDAP for ages in the pfSense package. If someone screwed things up upstream, it needs to be fixed upstream.
http://bugs.squid-cache.org/index.cgi
Also, there shouldn't be any need to use a GC unless you cannot specify the search domain/OU.