Netgate Discussion Forum
    Problem with squid auth ldap against Active Directory

rosco

      Hi,

I need help troubleshooting.

With pfSense 2.2.6 it works fine
(squid3 0.4.7).

With pfSense 2.3.x it does not work.
(Now on 2.3.4 and squid 0.4.37,
but it never worked after the first upgrade to 2.3.0.)

It seems (to me) that the query is wrong,
looking for uid=%s instead of sAMAccountName=%s.

      tcpdump shows

..
      11:15:37.210213 IP (tos 0x0, ttl 64, id 24727, offset 0, flags [DF], proto TCP (6), length 94)
          10.11.1.130.11360 > 10.11.73.20.389: Flags [P.], cksum 0xa485 (correct), seq 1:43, ack 1, win 520, options [nop,nop,TS val 13152620 ecr 0], length 42
      	0x0000:  0015 5d03 0c00 901b 0e5e 8fdc 0800 4500  ..]......^....E.
      	0x0010:  005e 6097 4000 4006 7b57 0a0b 0182 0a0b  .^`.@.@.{W......
      	0x0020:  4914 2c60 0185 7186 65ac 2afb 4e6e 8018  I.,`..q.e.*.Nn..
      	0x0030:  0208 a485 0000 0101 080a 00c8 b16c 0000  .............l..
      	0x0040:  0000 3028 0201 0160 2302 0103 0412 7569  ..0(...`#.....ui  <--------------------
      	0x0050:  643d 3033 3639 352c 4443 3d61 736c 7663  d=03695,DC=aslvc  <--------------------
	0x0060:  800a 7069 7070 6121 2121 2121            .. <clean text password!!! TODO use ldaps>
11:15:37.211244 IP (tos 0x0, ttl 128, id 4558, offset 0, flags [DF], proto TCP (6), length 161)
          10.11.73.20.389 > 10.11.1.130.11360: Flags [P.], cksum 0xd9a8 (correct), seq 1:110, ack 43, win 65493, options [nop,nop,TS val 35424023 ecr 13152620], length 109
      	0x0000:  901b 0e5e 8fdc 0015 5d03 0c00 0800 4500  ...^....].....E.
      	0x0010:  00a1 11ce 4000 8006 89dd 0a0b 4914 0a0b  ....@.......I...
      	0x0020:  0182 0185 2c60 2afb 4e6e 7186 65d6 8018  ....,`*.Nnq.e...
      	0x0030:  ffd5 d9a8 0000 0101 080a 021c 8717 00c8  ................
      	0x0040:  b16c 3084 0000 0067 0201 0161 8400 0000  .l0....g...a....
      	0x0050:  5e0a 0131 0400 0457 3830 3039 3033 3038  ^..1...W80090308
      	0x0060:  3a20 4c64 6170 4572 723a 2044 5349 442d  :.LdapErr:.DSID-
      	0x0070:  3043 3039 3033 3042 2c20 636f 6d6d 656e  0C09030B,.commen
      	0x0080:  743a 2041 6363 6570 7453 6563 7572 6974  t:.AcceptSecurit
      	0x0090:  7943 6f6e 7465 7874 2065 7272 6f72 2c20  yContext.error,.
	0x00a0:  6461 7461 2035 3235 2c20 7638 3933 00    data.525,.v893.
      

      but

      
      ps aux | grep -i squid 
      ....
      squid  32097   0.0  0.2  34820   6100  -  I    11:35AM   0:00.01 (basic_ldap_auth) -v 3 -b DC=aslvc -D CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc -w ****** -f sAMAccountName=%s -u distinguishedName -P 10.11.73.20 (basic_ldap_auth)
      .....
      
      

      And if i try interactively it works

      
      /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=aslvc -D CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc -w ****** -f sAMAccountName=%s -u distinguishedName -P 10.11.73.20
      
      queryLDAP
      ERR Missing password 'queryLDAP'
      queryLDAP ******
      OK
      03695 *******
      OK
      
      

For some reason squid does not use basic_ldap_auth?!?

Where can I look?

If it's worth anything, in the Squid Cache Table I see:

      
      04.07.2017 11:36:06 	ERROR: URL-rewrite produces invalid request: GET ERR HTTP/1.1
      04.07.2017 11:35:39 	Starting new basicauthenticator helpers...
      04.07.2017 11:32:43 	ERROR: URL-rewrite produces invalid request: GET ERR HTTP/1.1
      04.07.2017 11:32:37 	pinger: Initialising ICMP pinger ...
      
      

      but I do not think it is related.

      Thanks.
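Decoding the two LDAP messages captured above, as an added example that is not part of the original post: a small BER walker that reports the bind DN and authentication type from the BindRequest, and the resultCode plus Active Directory's "data NNN" sub-code from the BindResponse (525 means the bind DN does not exist; a simple bind carries the password in clear). The request bytes are constructed to mirror the captured packet with the real password replaced by a same-length placeholder; the response bytes are the captured AD reply.

```python
import re

# BER TLV reader; AD answers with long-form lengths (0x84 nn nn nn nn), so both forms are handled.
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_seq(value):
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items

# Well-known "data NNN" sub-codes AD appends to AcceptSecurityContext errors.
AD_DATA = {"525": "user not found", "52e": "invalid credentials", "530": "logon hours restriction",
           "532": "password expired", "533": "account disabled", "701": "account expired",
           "773": "password must be reset", "775": "account locked out"}

def decode_bind(packet):
    """Decode an LDAPMessage holding a BindRequest (APPLICATION 0) or BindResponse (APPLICATION 1)."""
    _, msg, _ = read_tlv(packet, 0)
    (_, msg_id), (op_tag, op) = read_seq(msg)[:2]
    f = read_seq(op)
    out = {"message_id": int.from_bytes(msg_id, "big")}
    if op_tag == 0x60:  # BindRequest ::= { version INTEGER, name LDAPDN, authentication CHOICE }
        out.update(op="BindRequest", version=int.from_bytes(f[0][1], "big"), name=f[1][1].decode())
        out["auth"] = "simple" if f[2][0] == 0x80 else "sasl"  # [0] simple = password in clear on the wire
    elif op_tag == 0x61:  # BindResponse ::= { resultCode ENUMERATED, matchedDN, diagnosticMessage, ... }
        diag = f[2][1].rstrip(b"\x00").decode(errors="replace")
        m = re.search(r"data ([0-9a-f]+)", diag)
        out.update(op="BindResponse", result_code=int.from_bytes(f[0][1], "big"), diagnostic=diag,
                   ad_data=m.group(1) if m else None)
        out["ad_meaning"] = AD_DATA.get(out["ad_data"], "unknown")
    return out

# Constructed samples: the request mirrors the captured one (same DN, same 10-byte password length)
# with the password replaced by a placeholder; the response is the captured AD reply.
BIND_REQUEST = bytes.fromhex(
    "3028 0201 0160 2302 0103 0412 7569 643d 3033 3639 352c 4443 3d61 736c 7663 800a"
) + b"redacted!!"
BIND_RESPONSE = bytes.fromhex("3084 0000 0067 0201 0161 8400 0000 5e0a 0131 0400 0457") + \
    b"80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893\x00"

if __name__ == "__main__":
    for pkt in (BIND_REQUEST, BIND_RESPONSE):
        print(decode_bind(pkt))
```

Run against a capture from the firewall, the same decoder shows which DN a helper really binds with, which is the first thing to compare against the configured one when AD answers 525.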

rosco

Basic ldap connects to 127.0.0.1 instead of 10.11.73.20, but why?

        
        [2.3.4-RELEASE][root@val-pc-1664.aslvc]/root: ps aux | grep ldap
        squid  14596   0.0  0.2  34820   6116  -  I    11:47AM    0:00.01 (basic_ldap_auth) -v 3 -b DC=aslvc -D CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc -w ****** -f sAMAccountName=%s -u distinguishedName -P 10.11.73.20 (basic_ldap_auth)
        root   84543   0.0  0.1  18740   2248  1  S+   11:50AM    0:00.00 grep ldap
        
        
        
        [2.3.4-RELEASE][root@val-pc-1664.aslvc]/root: sockstat | grep ldap
        squid    basic_ldap 14596 0  stream -> ??
        squid    basic_ldap 14596 1  stream -> ??
        squid    basic_ldap 14596 3  tcp4   127.0.0.1:1674        127.0.0.1:389
        
        
        
        [2.3.4-RELEASE][root@val-pc-1664.aslvc]/root: pfctl -sa |grep 10.11.73.20
        pass inet from (self) to 10.11.73.20 flags S/SA keep state label "USER_RULE: Prova per join a dominio"
        em0 udp 10.11.1.130:60149 -> 10.11.73.20:53       MULTIPLE:MULTIPLE
        em0 udp 10.11.1.130:53 <- 10.11.73.20:1110       MULTIPLE:MULTIPLE
        em0 udp 10.11.1.130:62229 -> 10.11.73.20:53       MULTIPLE:SINGLE
        
        
rosco

          Now seems to work :-)

          Changes:

• Authentication Server from nearest DC to DC with globalcatLDAP role

          • Authentication server port from standard (389) to 3268 (globalcatLDAP)

          • LDAP Server User DN from  CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc  to 'CN=queryLDAP,OU=Servizi,OU=Utenti di manutenzione,OU=Utenti del Dominio,DC=aslvc'

GMarciales

Thanks for sharing. It also worked for me.
