LDAP authentication does not work on port 636



  • Hello!

    I configured LDAP authentication through port 636, but it did not work.
    On the LDAP server the message is "TLS negotiation failure"

    So I did some testing with "/usr/local/libexec/squid/basic_ldap_auth" and saw that if I use the "-p" parameter or separate the authentication server address from the port, authentication works.

    Does not work (from squid.conf)

    ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldap.company.local:636
    

    Works!

    ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldap.company.local -p 636
    

    OR

    ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldap.company.local 636
    

    Since it is not recommended to make the changes directly in squid.conf, can anyone give a hint on how to solve this problem?


  • LAYER 8 Netgate

    I would guess there is logic in basic_ldap_auth that says a hostname:636 is treated as TLS and hostname -p 636 is just a manual port on a regular connection.

    Traditionally, port 389 is unencrypted and a connection to 636 expects immediate TLS negotiation. If you are running on port 636 without proper TLS set up I would expect you would have problems.

    Modern directories should just listen on 389 and use STARTTLS to negotiate encryption.

    Similar information that I found here:

    http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-ldap-ssl-Secure-authentication-td1043303.html
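
    The port semantics in the reply above, shown on the wire as an added example (this is not code from the thread, from Squid or from OpenLDAP). It builds the bytes an LDAP client writes for a simple bind, captures a real TLS ClientHello with Python's ssl module without opening a network connection, and models what a listener on each port does with the first bytes it reads: an ldaps listener on 636 must see a TLS record first, a plain ldap listener on 389 expects a BER-encoded LDAPMessage. The DN, password and host name are the placeholders from the thread; the outcome labels returned by `expect_on` are this example's own, not the server's log text.

```python
"""Why a plaintext LDAP bind sent to port 636 fails TLS negotiation.

Added example; not code from the forum thread, Squid or OpenLDAP. The port
semantics follow the reply it illustrates; the outcome labels are this
example's own.
"""
import ssl

LDAP_PORT = 389   # ldap://  plaintext; StartTLS is negotiated inside LDAP
LDAPS_PORT = 636  # ldaps:// TLS handshake first, LDAP only inside the tunnel


def ber_len(n: int) -> bytes:
    """BER definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV: tag byte, length, contents."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n: int) -> bytes:
    """INTEGER for the small non-negative values used here (0..127)."""
    if not 0 <= n < 0x80:
        raise ValueError("ber_int only covers 0..127")
    return ber(0x02, bytes([n]))


def ldap_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPv3 BindRequest with simple authentication (RFC 4511 section 4.2).

    LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    BindRequest ::= [APPLICATION 0] SEQUENCE {
        version INTEGER, name LDAPDN, authentication [0] OCTET STRING }
    """
    bind = ber_int(3) + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber_int(msg_id) + ber(0x60, bind))


def tls_client_hello(server_name: str) -> bytes:
    """Capture the ClientHello an ssl client would send, without connecting."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; the client now waits for the server
    return outgoing.read()


def classify(first_bytes: bytes) -> str:
    """Classify the first bytes a listener reads from a new connection."""
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls-handshake"   # TLS record: content type 22, version 3.x
    if first_bytes[:1] == b"\x30":
        return "ldap-plaintext"  # BER SEQUENCE: an unencrypted LDAPMessage
    return "unknown"


def expect_on(port: int, first_bytes: bytes) -> str:
    """Model the listener's reaction (labels are this example's own)."""
    kind = classify(first_bytes)
    if port == LDAPS_PORT:
        # Anything that is not a TLS record makes the TLS accept fail.
        return "accepted" if kind == "tls-handshake" else "tls-negotiation-failure"
    if port == LDAP_PORT:
        # Plaintext LDAP is accepted; a ClientHello is not a valid LDAPMessage.
        return "accepted" if kind == "ldap-plaintext" else "protocol-error"
    return "unknown-port"


if __name__ == "__main__":
    bind = ldap_simple_bind(1, "cn=admin,dc=company,dc=local", "XXXXXXXX")
    hello = tls_client_hello("ldap.company.local")
    print("bind  :", bind.hex(), "->", classify(bind))
    print("hello :", hello[:5].hex(), "...", "->", classify(hello))
    for port, first in ((LDAPS_PORT, bind), (LDAPS_PORT, hello), (LDAP_PORT, bind)):
        print(f"port {port}: {classify(first):15} {expect_on(port, first)}")
```

    Run it as a script and the bind request starts with 0x30 (a BER SEQUENCE) while the ClientHello starts with 0x16 0x03 (a TLS handshake record); a listener that expects TLS first has nothing to do with the former, which is what "TLS negotiation failure" on the directory side reflects. Note that `tls_client_hello` uses the same ssl defaults as any Python client, so the record version and extensions are whatever your OpenSSL build emits.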



  • Hi Derelict,

    Thanks for your help.

    I did some tests based on what you said and on the link information.

    It works with ldaps:// before the address, which means that the connection is encrypted and the directory is set up correctly, is that right?
    We use OpenLDAP (openldap-ltb-2.4).

    Is there anything else i can test?

    ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldaps://ldap.company.local:636
    
    

  • LAYER 8 Netgate

    What are your actual settings in squid?



  • Hi,
    Attached below:

    squid.conf.txt


  • LAYER 8 Netgate

    No. The configuration in the GUI.



  • Hi,
    Screenshots from Proxy Server General and Authentication follow.






  • Hi,
    I put ldaps:// in the command below, tested it, and it worked, as mentioned above …

    ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldaps://ldap.company.local:636
    

    But when I make the change in squid.conf and run "squid -k reconfigure", the authentication fails.
    I added the CA certificate through Cert. Manager; what could be wrong?
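
    Two checks for the last question above, added here as an example that is not part of the thread or of the Squid/pfSense packages. `parse_ldap_url` applies the RFC 4516 scheme defaults (ldap is 389, ldaps is 636) to the server strings used in this thread, so you can confirm that the helper command line and the proxy configuration name the same listener and the same TLS expectation; treating a bare host:port as plain ldap:// is this example's assumption, chosen because that form is the one that produced the TLS failure. `verify_ldaps_trust` then performs the TLS handshake a client would, trusting only the CA file you exported from Cert. Manager, and reports the verification error instead of a bare bind failure; it needs network access, so it is not exercised here. Host names, the CA path and the DN are placeholders.

```python
"""Confirm the ldaps:// endpoint and the CA trust a squid.conf change depends on.

Added example, not from the thread or the Squid/pfSense code. Host names,
CA path and DN below are placeholders.
"""
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # RFC 4516 scheme defaults


def parse_ldap_url(server: str) -> dict:
    """Split 'ldaps://host:636' (or a bare 'host[:port]') into its parts.

    Assumption of this example: a string without a scheme is plain ldap://,
    so 'host:636' names the ldaps port but carries no TLS expectation.
    """
    if "://" not in server:
        server = "ldap://" + server
    u = urlsplit(server)
    if u.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {u.scheme}")
    return {
        "scheme": u.scheme,
        "host": u.hostname,
        "port": u.port or DEFAULT_PORTS[u.scheme],
        "implicit_tls": u.scheme == "ldaps",
    }


def same_listener(helper_server: str, config_server: str) -> bool:
    """True when the helper test and squid.conf target the same host, port and TLS mode."""
    return parse_ldap_url(helper_server) == parse_ldap_url(config_server)


def verify_ldaps_trust(host: str, port: int, cafile: str, timeout: float = 5.0) -> dict:
    """Handshake with the ldaps listener trusting only `cafile` (network; not run offline).

    create_default_context verifies the chain against cafile and checks that
    the certificate matches `host`, the two things a CA import can get wrong.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(),
                        "subject": cert.get("subject"), "issuer": cert.get("issuer"),
                        "not_after": cert.get("notAfter")}
        except ssl.SSLCertVerificationError as e:
            # e.g. wrong CA exported, self-signed server cert, hostname mismatch
            return {"ok": False, "error": e.verify_message}
        except ssl.SSLError as e:
            return {"ok": False, "error": str(e)}


if __name__ == "__main__":
    for s in ("ldap.company.local:636", "ldaps://ldap.company.local:636"):
        print(s, "->", parse_ldap_url(s))
    print(same_listener("ldaps://ldap.company.local:636", "ldaps://ldap.company.local"))
    # Live check, placeholders: adjust host and CA path before running.
    # print(verify_ldaps_trust("ldap.company.local", 636, "/path/to/company-ca.pem"))
```

    If `verify_ldaps_trust` returns `ok: False` with a verify message such as a self-signed or unknown issuer, the CA imported into Cert. Manager is not the one that signed the directory's certificate (or is an intermediate without its root); if it returns `ok: True` while the proxy still fails, the remaining difference lies in how the package writes the helper line, which the GUI settings asked for above will show.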

