Problem with squid auth ldap against Active Directory



  • Hi,

    I need help troubleshooting.

    With pfsense 2.2.6 works fine
    ( squid3 0.4.7 )

    with pfsense 2.3.x does not work.
    ( Now on 2.3.4 and squid 0.4.37 ,
    but never worked after first upgrade to 2.3.0)

    Seems ( to me ) that the query is wrong,
    seeking uid=%s instead of samaccountname=%s

    tcpdump shows

    11:15:37.210213 IP (tos 0x0, ttl 64, id 24727, offset 0, flags [DF], proto TCP (6), length 94)
        10.11.1.130.11360 > 10.11.73.20.389: Flags [P.], cksum 0xa485 (correct), seq 1:43, ack 1, win 520, options [nop,nop,TS val 13152620 ecr 0], length 42
    	0x0000:  0015 5d03 0c00 901b 0e5e 8fdc 0800 4500  ..]......^....E.
    	0x0010:  005e 6097 4000 4006 7b57 0a0b 0182 0a0b  .^`.@.@.{W......
    	0x0020:  4914 2c60 0185 7186 65ac 2afb 4e6e 8018  I.,`..q.e.*.Nn..
    	0x0030:  0208 a485 0000 0101 080a 00c8 b16c 0000  .............l..
    	0x0040:  0000 3028 0201 0160 2302 0103 0412 7569  ..0(...`#.....ui  <--------------------
    	0x0050:  643d 3033 3639 352c 4443 3d61 736c 7663  d=03695,DC=aslvc  <--------------------
    	0x0060:  800a 7069 7070 6121 2121 2121            .. <clean text password!!! todo use ldaps>
    11:15:37.211244 IP (tos 0x0, ttl 128, id 4558, offset 0, flags [DF], proto TCP (6), length 161)
        10.11.73.20.389 > 10.11.1.130.11360: Flags [P.], cksum 0xd9a8 (correct), seq 1:110, ack 43, win 65493, options [nop,nop,TS val 35424023 ecr 13152620], length 109
    	0x0000:  901b 0e5e 8fdc 0015 5d03 0c00 0800 4500  ...^....].....E.
    	0x0010:  00a1 11ce 4000 8006 89dd 0a0b 4914 0a0b  ....@.......I...
    	0x0020:  0182 0185 2c60 2afb 4e6e 7186 65d6 8018  ....,`*.Nnq.e...
    	0x0030:  ffd5 d9a8 0000 0101 080a 021c 8717 00c8  ................
    	0x0040:  b16c 3084 0000 0067 0201 0161 8400 0000  .l0....g...a....
    	0x0050:  5e0a 0131 0400 0457 3830 3039 3033 3038  ^..1...W80090308
    	0x0060:  3a20 4c64 6170 4572 723a 2044 5349 442d  :.LdapErr:.DSID-
    	0x0070:  3043 3039 3033 3042 2c20 636f 6d6d 656e  0C09030B,.commen
    	0x0080:  743a 2041 6363 6570 7453 6563 7572 6974  t:.AcceptSecurit
    	0x0090:  7943 6f6e 7465 7874 2065 7272 6f72 2c20  yContext.error,.
    	0x00a0:  6461 7461 2035 3235 2c20 7638 3933 00    data.525,.v893.
    

    but

    
    ps aux | grep -i squid 
    ....
    squid  32097   0.0  0.2  34820   6100  -  I    11:35AM   0:00.01 (basic_ldap_auth) -v 3 -b DC=aslvc -D CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc -w ****** -f sAMAccountName=%s -u distinguishedName -P 10.11.73.20 (basic_ldap_auth)
    .....
    
    

    And if I try interactively it works

    
    /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=aslvc -D CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc -w ****** -f sAMAccountName=%s -u distinguishedName -P 10.11.73.20
    
    queryLDAP
    ERR Missing password 'queryLDAP'
    queryLDAP ******
    OK
    03695 *******
    OK
    
    

    For some reason squid does not use basic_ldap_auth ?!?

    Where should I look?

    If it helps, in Squid Cache Table I see:

    
    04.07.2017 11:36:06 	ERROR: URL-rewrite produces invalid request: GET ERR HTTP/1.1
    04.07.2017 11:35:39 	Starting new basicauthenticator helpers...
    04.07.2017 11:32:43 	ERROR: URL-rewrite produces invalid request: GET ERR HTTP/1.1
    04.07.2017 11:32:37 	pinger: Initialising ICMP pinger ...
    
    

    but I do not think it is related.

    Thanks.
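    The two LDAP messages in the tcpdump above (the BindRequest going out and the BindResponse coming back) can be decoded by hand, which is the quickest way to confirm what the helper actually sent and why AD refused it. The following Python is an added example, not code from this thread, from squid or from pfSense. It carries a minimal BER decoder for just those two operations, the response bytes copied from the capture, and a constructed BindRequest with the same DN shape but a placeholder password (the real one is redacted in the post and is not reproduced here). The table of AD "data" sub-codes is the commonly documented one and is an assumption of the example, not something taken from the page.

```python
import re

# Added example (not from the thread): minimal BER/LDAP decoder for the
# BindRequest / BindResponse seen in the tcpdump, plus a defender-side check
# that flags cleartext simple binds (the "todo use ldaps" note in the capture).

BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61
SIMPLE_AUTH = 0x80  # [0] context tag: simple bind, password in the clear

# Well-known Active Directory sub-codes found after "data " in the diagnostic
# message (assumed table; not taken from the page).
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; returns (tag, value, next_pos).
    Handles the long-form length AD emits (0x84 followed by 4 length bytes)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def ber(tag, payload):
    """Encode a short-form TLV (payload < 128 bytes); only used to build the sample request."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def parse_ldap_message(raw):
    """Decode an LDAPMessage holding a BindRequest or a BindResponse into a dict."""
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msgid, p = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, p)
    msg = {"message_id": int.from_bytes(msgid, "big"), "op": op_tag}
    if op_tag == BIND_REQUEST:
        _, ver, p = read_tlv(op, 0)          # INTEGER version
        _, name, p = read_tlv(op, p)         # LDAPDN name
        auth_tag, cred, _ = read_tlv(op, p)  # AuthenticationChoice
        msg.update(version=ver[0], name=name.decode(),
                   simple_bind=(auth_tag == SIMPLE_AUTH))
        msg["password"] = cred.decode(errors="replace") if auth_tag == SIMPLE_AUTH else None
    elif op_tag == BIND_RESPONSE:
        _, rc, p = read_tlv(op, 0)           # ENUMERATED resultCode
        _, matched, p = read_tlv(op, p)      # matchedDN
        _, diag, _ = read_tlv(op, p)         # diagnosticMessage
        text = diag.decode(errors="replace").rstrip("\x00")  # AD appends a NUL
        m = re.search(r"data ([0-9a-f]+)", text)
        code = m.group(1) if m else None
        msg.update(result_code=rc[0], matched_dn=matched.decode(), diagnostic=text,
                   ad_data=code, ad_meaning=AD_DATA_CODES.get(code) if code else None)
    return msg


def cleartext_simple_bind(raw):
    """Detection check: True when the message is a simple bind carrying a non-empty password."""
    msg = parse_ldap_message(raw)
    return msg["op"] == BIND_REQUEST and msg["simple_bind"] and bool(msg["password"])


# Constructed request: same structure and DN as the capture, placeholder password.
SAMPLE_BIND_REQUEST = ber(0x30,
    ber(0x02, b"\x01") + ber(BIND_REQUEST,
        ber(0x02, b"\x03") + ber(0x04, b"uid=03695,DC=aslvc") + ber(SIMPLE_AUTH, b"<placeholder>")))

# BindResponse payload copied from the thread's second packet (bytes after the TCP header).
AD_BIND_RESPONSE = bytes.fromhex(
    "3084000000670201016184000000"
    "5e0a0131040004573830303930333038"
    "3a204c6461704572723a20445349442d"
    "30433039303330422c20636f6d6d656e"
    "743a2041636365707453656375726974"
    "79436f6e74657874206572726f722c20"
    "64617461203532352c207638393300")

if __name__ == "__main__":
    print(parse_ldap_message(SAMPLE_BIND_REQUEST))
    print("cleartext bind on the wire:", cleartext_simple_bind(SAMPLE_BIND_REQUEST))
    print(parse_ldap_message(AD_BIND_RESPONSE))
```

    Decoding the captured response gives resultCode 49 (invalidCredentials) with AD sub-code 525, i.e. the object named in the bind could not be found, which is exactly what a `uid=...` DN against a directory that keys users on sAMAccountName produces. The same decoder run over port-389 traffic is a cheap way to spot helpers still doing simple binds in the clear before moving them to LDAPS or a global-catalog port.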



  • Basic ldap connects to 127.0.0.1 instead of 10.11.73.20, but why?

    
    [2.3.4-RELEASE][root@val-pc-1664.aslvc]/root: ps aux | grep ldap
    squid  14596   0.0  0.2  34820   6116  -  I    11:47AM    0:00.01 (basic_ldap_auth) -v 3 -b DC=aslvc -D CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc -w ****** -f sAMAccountName=%s -u distinguishedName -P 10.11.73.20 (basic_ldap_auth)
    root   84543   0.0  0.1  18740   2248  1  S+   11:50AM    0:00.00 grep ldap
    
    
    
    [2.3.4-RELEASE][root@val-pc-1664.aslvc]/root: sockstat | grep ldap
    squid    basic_ldap 14596 0  stream -> ??
    squid    basic_ldap 14596 1  stream -> ??
    squid    basic_ldap 14596 3  tcp4   127.0.0.1:1674        127.0.0.1:389
    
    
    
    [2.3.4-RELEASE][root@val-pc-1664.aslvc]/root: pfctl -sa |grep 10.11.73.20
    pass inet from (self) to 10.11.73.20 flags S/SA keep state label "USER_RULE: Prova per join a dominio"
    em0 udp 10.11.1.130:60149 -> 10.11.73.20:53       MULTIPLE:MULTIPLE
    em0 udp 10.11.1.130:53 <- 10.11.73.20:1110       MULTIPLE:MULTIPLE
    em0 udp 10.11.1.130:62229 -> 10.11.73.20:53       MULTIPLE:SINGLE
    
    


  • Now seems to work :-)

    Changes:

    • Authentication Server from nearest DC to DC with globalcatLDAP role

    • Authentication server port from standard (389) to 3268 (globalcatLDAP)

    • LDAP Server User DN from  CN=queryLDAP,OU=Servizi,OU='Utenti di manutenzione',OU='Utenti del Dominio',DC=aslvc  to 'CN=queryLDAP,OU=Servizi,OU=Utenti di manutenzione,OU=Utenti del Dominio,DC=aslvc'



  • Thanks for sharing. It also worked for me.