Problem with squid auth ldap against Active Directory
-
Hi,
I need help troubleshooting.
With pfSense 2.2.6 (squid3 0.4.7) it works fine; with pfSense 2.3.x it does not work (now on 2.3.4 and squid 0.4.37, but it never worked after the first upgrade to 2.3.0).
It seems (to me) that the query is wrong, seeking uid=%s instead of sAMAccountName=%s. tcpdump shows:
..
11:15:37.210213 IP (tos 0x0, ttl 64, id 24727, offset 0, flags [DF], proto TCP (6), length 94)
    10.11.1.130.11360 > 10.11.73.20.389: Flags [P.], cksum 0xa485 (correct), seq 1:43, ack 1, win 520, options [nop,nop,TS val 13152620 ecr 0], length 42
        0x0000:  0015 5d03 0c00 901b 0e5e 8fdc 0800 4500  ..]......^....E.
        0x0010:  005e 6097 4000 4006 7b57 0a0b 0182 0a0b  .^`.@.@.{W......
        0x0020:  4914 2c60 0185 7186 65ac 2afb 4e6e 8018  I.,`..q.e.*.Nn..
        0x0030:  0208 a485 0000 0101 080a 00c8 b16c 0000  .............l..
        0x0040:  0000 3028 0201 0160 2302 0103 0412 7569  ..0(...`#.....ui   <--------------------
        0x0050:  643d 3033 3639 352c 4443 3d61 736c 7663  d=03695,DC=aslvc   <--------------------
        0x0060:  800a 7069 7070 6121 2121 2121            ..   <clean text password!!! todo use ldaps>
11:15:37.211244 IP (tos 0x0, ttl 128, id 4558, offset 0, flags [DF], proto TCP (6), length 161)
    10.11.73.20.389 > 10.11.1.130.11360: Flags [P.], cksum 0xd9a8 (correct), seq 1:110, ack 43, win 65493, options [nop,nop,TS val 35424023 ecr 13152620], length 109
        0x0000:  901b 0e5e 8fdc 0015 5d03 0c00 0800 4500  ...^....].....E.
        0x0010:  00a1 11ce 4000 8006 89dd 0a0b 4914 0a0b  ....@.......I...
        0x0020:  0182 0185 2c60 2afb 4e6e 7186 65d6 8018  ....,`*.Nnq.e...
        0x0030:  ffd5 d9a8 0000 0101 080a 021c 8717 00c8  ................
        0x0040:  b16c 3084 0000 0067 0201 0161 8400 0000  .l0....g...a....
        0x0050:  5e0a 0131 0400 0457 3830 3039 3033 3038  ^..1...W80090308
        0x0060:  3a20 4c64 6170 4572 723a 2044 5349 442d  :.LdapErr:.DSID-
        0x0070:  3043 3039 3033 3042 2c20 636f 6d6d 656e  0C09030B,.commen
        0x0080:  743a 2041 6363 6570 7453 6563 7572 6974  t:.AcceptSecurit
        0x0090:  7943 6f6e 7465 7874 2065 7272 6f72 2c20  yContext.error,.
        0x00a0:  6461 7461 2035 3235 2c20 7638 3933 00    data.525,.v893.
but
ps aux | grep -i squid
....
squid 32097 0.0 0.2 34820 6100 - I 11:35AM 0:00.01 (basic_ldap_auth) -v 3 -b DC=aslvc -D CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc -w ****** -f sAMAccountName=%s -u distinguishedName -P 10.11.73.20 (basic_ldap_auth)
.....
And if I try interactively, it works:
/usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=aslvc -D CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc -w ****** -f sAMAccountName=%s -u distinguishedName -P 10.11.73.20
queryLDAP
ERR Missing password 'queryLDAP'
queryLDAP ******
OK
03695 *******
OK
For some reason squid does not use basic_ldap_auth?!?
Where can I look?
If it is worth anything, in the Squid Cache Table I see:
04.07.2017 11:36:06 ERROR: URL-rewrite produces invalid request: GET ERR HTTP/1.1
04.07.2017 11:35:39 Starting new basicauthenticator helpers...
04.07.2017 11:32:43 ERROR: URL-rewrite produces invalid request: GET ERR HTTP/1.1
04.07.2017 11:32:37 pinger: Initialising ICMP pinger ...
but I do not think it is related.
Thanks.
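As an added example (not from this thread), a small BER walker in Python that decodes the two LDAP messages in the tcpdump above, so you can confirm which DN the helper really binds with and read the AD sub-code instead of eyeballing hex. The byte strings are constructed to mirror the capture (the password is a placeholder; the diagnostic text is the one AD returned in the dump): resultCode 49 with "data 525" is AD's "user not found", which is what a bind DN of the form uid=...,DC=aslvc gets when no such entry exists, and the 0x80 simple-auth choice is why the password is readable in the capture.

```python
import re

def tlv(tag, value, long_form=False):
    """Encode one BER element; AD's replies use the 0x84 long-form length, so support both."""
    if long_form:
        return bytes([tag, 0x84]) + len(value).to_bytes(4, "big") + value
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_bind_request(payload):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version, name, [0] simple } }."""
    _, msg, _ = read_tlv(payload)                       # 0x30 SEQUENCE
    _, mid, p = read_tlv(msg)                           # 0x02 INTEGER messageID
    tag, bind, _ = read_tlv(msg, p)
    assert tag == 0x60, "not a BindRequest"
    _, ver, p = read_tlv(bind)                          # 0x02 INTEGER version
    _, name, p = read_tlv(bind, p)                      # 0x04 OCTET STRING bind DN
    atag, cred, _ = read_tlv(bind, p)                   # 0x80 = simple auth: password in the clear
    return {"messageID": int.from_bytes(mid, "big"), "version": int.from_bytes(ver, "big"),
            "name": name.decode(), "simple_auth": atag == 0x80, "password_len": len(cred)}

def decode_bind_response(payload):
    """LDAPMessage { messageID, [APPLICATION 1] BindResponse { resultCode, matchedDN, diag } }."""
    _, msg, _ = read_tlv(payload)
    _, mid, p = read_tlv(msg)
    tag, resp, _ = read_tlv(msg, p)
    assert tag == 0x61, "not a BindResponse"
    _, code, p = read_tlv(resp)                         # 0x0a ENUMERATED resultCode (49 = invalidCredentials)
    _, _matched, p = read_tlv(resp, p)                  # 0x04 matchedDN (empty here)
    _, diag, _ = read_tlv(resp, p)                      # 0x04 diagnosticMessage, NUL-terminated by AD
    diag = diag.decode(errors="replace").rstrip("\x00")
    m = re.search(r"data ([0-9a-fA-F]+)", diag)         # AD sub-code: 525 = user not found, 52e = bad password
    return {"messageID": int.from_bytes(mid, "big"), "resultCode": int.from_bytes(code, "big"),
            "diagnostic": diag, "ad_data": m.group(1) if m else None}

# Constructed sample messages mirroring the capture in the post (the password is a placeholder;
# the diagnostic string is the one AD returned in the dump).
REQUEST = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03")
              + tlv(0x04, b"uid=03695,DC=aslvc") + tlv(0x80, b"********")))
DIAG = b"80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893\x00"
RESPONSE = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, tlv(0x0a, b"\x31") + tlv(0x04, b"")
               + tlv(0x04, DIAG), long_form=True), long_form=True)
```

To decode a real capture, feed the bytes that follow the TCP header (from the 0x30 at offset 0x42 in the first packet) to decode_bind_request and the reply's payload to decode_bind_response.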
-
basic_ldap connects to 127.0.0.1 instead of 10.11.73.20, but why?
[2.3.4-RELEASE][root@val-pc-1664.aslvc]/root: ps aux | grep ldap
squid 14596 0.0 0.2 34820 6116 - I 11:47AM 0:00.01 (basic_ldap_auth) -v 3 -b DC=aslvc -D CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc -w ****** -f sAMAccountName=%s -u distinguishedName -P 10.11.73.20 (basic_ldap_auth)
root 84543 0.0 0.1 18740 2248 1 S+ 11:50AM 0:00.00 grep ldap
[2.3.4-RELEASE][root@val-pc-1664.aslvc]/root: sockstat | grep ldap
squid basic_ldap 14596 0 stream -> ??
squid basic_ldap 14596 1 stream -> ??
squid basic_ldap 14596 3 tcp4 127.0.0.1:1674 127.0.0.1:389
[2.3.4-RELEASE][root@val-pc-1664.aslvc]/root: pfctl -sa |grep 10.11.73.20
pass inet from (self) to 10.11.73.20 flags S/SA keep state label "USER_RULE: Prova per join a dominio"
em0 udp 10.11.1.130:60149 -> 10.11.73.20:53 MULTIPLE:MULTIPLE
em0 udp 10.11.1.130:53 <- 10.11.73.20:1110 MULTIPLE:MULTIPLE
em0 udp 10.11.1.130:62229 -> 10.11.73.20:53 MULTIPLE:SINGLE
-
Now it seems to work :-)
Changes:
- Authentication Server from nearest DC to DC with globalcatLDAP role
- Authentication server port from standard (389) to 3268 (globalcatLDAP)
- LDAP Server User DN from CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc to 'CN=queryLDAP,OU=Servizi,OU=Utenti di manutenzione,OU=Utenti del Dominio,DC=aslvc'
-
Thanks for sharing. It also worked for me.