Netgate Discussion Forum

LDAP authentication does not work on port 636

8 Posts 2 Posters 2.6k Views
playerum, last edited by Aug 9, 2017, 6:45 PM

    Hello!

    I configured LDAP authentication through port 636, but it did not work.
    On the LDAP server the message is "TLS negotiation failure"

    So I did some testing with "/usr/local/libexec/squid/basic_ldap_auth" and saw that if I use the "-p" parameter or separate the authentication server address from the port, authentication works.

    Does not work (from squid.conf)

    ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldap.company.local:636
    

    Works!

    ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldap.company.local -p 636
    

    OR

    ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldap.company.local 636
    

    Since it is not recommended to make the changes directly in squid.conf, can anyone give a hint how to solve this problem?

Derelict (LAYER 8 Netgate), last edited by Aug 9, 2017, 11:16 PM

      I would guess there is logic in basic_ldap_auth that says a hostname:636 is treated as TLS and hostname -p 636 is just a manual port on a regular connection.

      Traditionally, port 389 is unencrypted and a connection to 636 expects immediate TLS negotiation. If you are running on port 636 without proper TLS set up I would expect you would have problems.

      Modern directories should just listen on 389 and use STARTTLS to negotiate encryption.

      Similar information that I found here:

      http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-ldap-ssl-Secure-authentication-td1043303.html

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

playerum, last edited by Aug 10, 2017, 2:15 PM

        Hi Derelict,

        Thanks for your help.

        I did some tests based on what you said and on the link information.

        It works with ldaps:// before the address; it means that the connection is encrypted and the directory is set correctly, is that right?
        We use OpenLDAP (openldap-ltb-2.4).

        Is there anything else I can test?

        ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldaps://ldap.company.local:636
        
        
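The three server forms tried in this thread (host:636, host with -p 636, and ldaps://host:636) behave differently because only the ldaps:// URI tells the helper to start TLS immediately, which is what a listener on 636 expects. The small checker below is an added example, not code from the thread, from Squid or from pfSense; it assumes (as Derelict's reply does) that a value containing "://" is parsed as an LDAP URI, that a bare "host" or "host:port" is a plain connection, and that "-p" only sets the port. The parse_server_arg and check_endpoint names are hypothetical; the point is to flag the "port 636 without ldaps://" combination before it produces a "TLS negotiation failure" on the directory server.

```python
"""Classify an LDAP server argument the way this thread's -P / -p / ldaps:// forms differ.

Added example (not Squid's or pfSense's own code). Assumptions are marked inline.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

LDAP_PORT = 389    # plain LDAP; STARTTLS upgrades this connection in place
LDAPS_PORT = 636   # LDAP over TLS; TLS handshake happens before any LDAP message


@dataclass
class LdapEndpoint:
    scheme: str          # "ldap" or "ldaps"
    host: str
    port: int
    implicit_tls: bool   # True only for ldaps://, i.e. TLS before the first LDAP byte


def parse_server_arg(server: str, port_flag: Optional[int] = None) -> LdapEndpoint:
    """Interpret a server argument in the three forms seen in the thread.

    Assumption: "scheme://host[:port]" is treated as a URI; anything else is
    "host" or "host:port", and a separate port flag (like -p) overrides the port.
    """
    if "://" in server:
        parts = urlsplit(server)
        scheme = parts.scheme.lower()
        if scheme not in ("ldap", "ldaps"):
            raise ValueError(f"unsupported LDAP scheme: {parts.scheme!r}")
        host = parts.hostname or ""
        port = parts.port or (LDAPS_PORT if scheme == "ldaps" else LDAP_PORT)
        return LdapEndpoint(scheme, host, port, implicit_tls=(scheme == "ldaps"))

    host, sep, tail = server.rpartition(":")
    if sep and tail.isdigit():
        port: Optional[int] = int(tail)
    else:
        host, port = server, None
    if port_flag is not None:
        port = port_flag            # explicit port flag wins over host:port
    # Without a scheme there is no signal to start TLS first: plain LDAP.
    return LdapEndpoint("ldap", host, port or LDAP_PORT, implicit_tls=False)


def check_endpoint(ep: LdapEndpoint) -> List[str]:
    """Return configuration warnings for a parsed endpoint (empty list means OK)."""
    warnings: List[str] = []
    if ep.port == LDAPS_PORT and not ep.implicit_tls:
        warnings.append(
            "port 636 expects an immediate TLS handshake but no ldaps:// scheme "
            "was given; the directory will log a TLS negotiation failure. "
            "Use ldaps://host:636, or use ldap://host:389 with STARTTLS."
        )
    if ep.scheme == "ldap" and ep.port == LDAP_PORT:
        warnings.append(
            "plain LDAP on 389: bind credentials travel in clear unless the "
            "helper negotiates STARTTLS on this connection."
        )
    return warnings


def explain(server: str, port_flag: Optional[int] = None) -> str:
    """One-line verdict for a server argument, handy when reviewing squid.conf."""
    ep = parse_server_arg(server, port_flag)
    problems = check_endpoint(ep)
    verdict = "OK" if not problems else "; ".join(problems)
    return f"{ep.scheme}://{ep.host}:{ep.port} (implicit TLS: {ep.implicit_tls}) -> {verdict}"


if __name__ == "__main__":
    # Constructed inputs mirroring the thread's three attempts plus the working URI.
    for srv, pflag in [("ldap.company.local:636", None),
                       ("ldap.company.local", 636),
                       ("ldaps://ldap.company.local:636", None)]:
        print(explain(srv, pflag))
```

Run it and the first two forms are flagged as a plain connection aimed at the TLS-only port, while the ldaps:// form passes, which matches what the OP observed with basic_ldap_auth.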
Derelict (LAYER 8 Netgate), last edited by Aug 10, 2017, 3:42 PM

          What are your actual settings in squid?


playerum, last edited by Aug 10, 2017, 5:40 PM

            Hi,
            Attached below.

            squid.conf.txt

Derelict (LAYER 8 Netgate), last edited by Aug 10, 2017, 6:37 PM

              No. The configuration in the GUI.


playerum, last edited by Aug 10, 2017, 7:07 PM

                Hi,
                Screenshots from Proxy Server General and Authentication follow.

                Package_Proxy_Server_General_Settings_General_-_2017-08-10.gif
                Package_Proxy_Server_Authentication_Authentication_-_2017-08-10.gif

playerum, last edited by Aug 15, 2017, 11:16 AM

                  Hi,
                  I put the ldaps:// in the command below, tested and it worked, as mentioned above …

                  ./basic_ldap_auth -v 2 -b ou=users,dc=company,dc=local -D cn=admin,dc=company,dc=local -w XXXXXXXX -f "uid=%s" -u ou=users,dc=company,dc=local -P ldaps://ldap.company.local:636
                  

                  But when I make the change in squid.conf and run "squid -k reconfigure", the authentication fails.
                  I added the CA certificate through Cert. Manager, what could be wrong?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.