3. Problem with squid auth ldap against Active Directory

Problem with squid auth ldap against Active Directory

  • R

    Hi,

    I need help to troubleshooting.

    With pfsense 2.2.6 works fine
    ( squid3 0.4.7 )

    with pfsense 2.3.x does not work.
    ( Now on 2.3.4 and squid 0.4.37 ,
    but never worked after first upgrade to 2.3.0)

    Seems ( to me ) that the query is wrong,
    seeking uid=%s instead samaccountname=%s

    tcpdump shows

                                      ..
11:15:37.210213 IP (tos 0x0, ttl 64, id 24727, offset 0, flags [DF], proto TCP (6), length 94)
    10.11.1.130.11360 > 10.11.73.20.389: Flags [P.], cksum 0xa485 (correct), seq 1:43, ack 1, win 520, options [nop,nop,TS val 13152620 ecr 0], length 42
	0x0000:  0015 5d03 0c00 901b 0e5e 8fdc 0800 4500  ..]......^....E.
	0x0010:  005e 6097 4000 4006 7b57 0a0b 0182 0a0b  .^`.@.@.{W......
	0x0020:  4914 2c60 0185 7186 65ac 2afb 4e6e 8018  I.,`..q.e.*.Nn..
	0x0030:  0208 a485 0000 0101 080a 00c8 b16c 0000  .............l..
	0x0040:  0000 3028 0201 0160 2302 0103 0412 7569  ..0(...`#.....ui  <--------------------
	0x0050:  643d 3033 3639 352c 4443 3d61 736c 7663  d=03695,DC=aslvc  <--------------------
	0x0060:  800a 7069 7070 6121 2121 2121            .. <clean text="" password!!!="" todo="" use="" ldaps="">11:15:37.211244 IP (tos 0x0, ttl 128, id 4558, offset 0, flags [DF], proto TCP (6), length 161)
    10.11.73.20.389 > 10.11.1.130.11360: Flags [P.], cksum 0xd9a8 (correct), seq 1:110, ack 43, win 65493, options [nop,nop,TS val 35424023 ecr 13152620], length 109
	0x0000:  901b 0e5e 8fdc 0015 5d03 0c00 0800 4500  ...^....].....E.
	0x0010:  00a1 11ce 4000 8006 89dd 0a0b 4914 0a0b  ....@.......I...
	0x0020:  0182 0185 2c60 2afb 4e6e 7186 65d6 8018  ....,`*.Nnq.e...
	0x0030:  ffd5 d9a8 0000 0101 080a 021c 8717 00c8  ................
	0x0040:  b16c 3084 0000 0067 0201 0161 8400 0000  .l0....g...a....
	0x0050:  5e0a 0131 0400 0457 3830 3039 3033 3038  ^..1...W80090308
	0x0060:  3a20 4c64 6170 4572 723a 2044 5349 442d  :.LdapErr:.DSID-
	0x0070:  3043 3039 3033 3042 2c20 636f 6d6d 656e  0C09030B,.commen
	0x0080:  743a 2041 6363 6570 7453 6563 7572 6974  t:.AcceptSecurit
	0x0090:  7943 6f6e 7465 7874 2065 7272 6f72 2c20  yContext.error,.
	0x00a0:  6461 7461 2035 3235 2c20 7638 3933 00    data.525,.v893.</clean>

    but

    
ps aux | grep -i squid 
....
squid  32097   0.0  0.2  34820   6100  -  I    11:35AM   0:00.01 (basic_ldap_auth) -v 3 -b DC=aslvc -D CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc -w ****** -f sAMAccountName=%s -u distinguishedName -P 10.11.73.20 (basic_ldap_auth)
.....

    And if i try interactively it works

    
/usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=aslvc -D CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc -w ****** -f sAMAccountName=%s -u distinguishedName -P 10.11.73.20

queryLDAP
ERR Missing password 'queryLDAP'
queryLDAP ******
OK
03695 *******
OK

    For some reason squid do not use basic_ldap_auth ?!?

    Where can I look for?

    If worth, in Squid Cache Table i see:

    
04.07.2017 11:36:06 	ERROR: URL-rewrite produces invalid request: GET ERR HTTP/1.1
04.07.2017 11:35:39 	Starting new basicauthenticator helpers...
04.07.2017 11:32:43 	ERROR: URL-rewrite produces invalid request: GET ERR HTTP/1.1
04.07.2017 11:32:37 	pinger: Initialising ICMP pinger ...

    but I do not think it is related.

    Thanks.

    0
  • R

    Basic ldap connect to  127.0.0.1 instead 10.11.73.20 , but whi ?

    
[2.3.4-RELEASE][root@val-pc-1664.aslvc]/root: ps aux | grep ldap
squid  14596   0.0  0.2  34820   6116  -  I    11:47AM    0:00.01 (basic_ldap_auth) -v 3 -b DC=aslvc -D CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc -w ****** -f sAMAccountName=%s -u distinguishedName -P 10.11.73.20 (basic_ldap_auth)
root   84543   0.0  0.1  18740   2248  1  S+   11:50AM    0:00.00 grep ldap


    
[2.3.4-RELEASE][root@val-pc-1664.aslvc]/root: sockstat | grep ldap
squid    basic_ldap 14596 0  stream -> ??
squid    basic_ldap 14596 1  stream -> ??
squid    basic_ldap 14596 3  tcp4   127.0.0.1:1674        127.0.0.1:389


    
[2.3.4-RELEASE][root@val-pc-1664.aslvc]/root: pfctl -sa |grep 10.11.73.20
pass inet from (self) to 10.11.73.20 flags S/SA keep state label "USER_RULE: Prova per join a dominio"
em0 udp 10.11.1.130:60149 -> 10.11.73.20:53       MULTIPLE:MULTIPLE
em0 udp 10.11.1.130:53 <- 10.11.73.20:1110       MULTIPLE:MULTIPLE
em0 udp 10.11.1.130:62229 -> 10.11.73.20:53       MULTIPLE:SINGLE
    0
  • R

    Now seems to work :-)

    Changes:

    • Authentication Server from nearesd DC to DC with globalcatLDAP role

    • Authentication server port from standard (389) to 3268 (globalcatLDAP)

    • LDAP Server User DN from  CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc  to 'CN=queryLDAP,OU=Servizi,OU=Utenti di manutenzione,OU=Utenti del Dominio,DC=aslvc'

    0
  • G

    Thanks for sharing. It also worked to me.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy