Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    AD-LDAP Authentication Assistance

    Cache/Proxy
    2
    5
    1.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mikea
      last edited by

      Sorry but this is kicking me.

      I have read as much documentation that I can find on this forum and others. In theory it should be working (and I am sure I had it working in the past) but it is not currently. I am attempting to use AD LDAP authentication within Squid. We are forcing proxy settings via AD GPO. The authentication dialog box pops up allowing the entry of the name and password, but I get TCP_DENIED/407 errors and no destination IP. Occasionally it will show the user name but again no destination IP. If I add .com .org .gov etc to the whitelist then the web site reaches the target but without authenticating the user.

      In the System=>User Manager our AD is configured properly, groups are configured to match the AD groups and Diagnostics=>Authentication succeeds when submitting a user/password combination. I know I am missing something obvious but just can't put my finger on it. Any suggestions would be greatly appreciated. The groups and the users were not in the same OU but I have tested by moving the group to match. Still no joy.

      I have played with ext_ldap_group_acl but in testing, could not get that to work either.

      Here is my pfsense configured squid.conf file:

      http_port x.x.x.x:1080
      icp_port 0
      digest_generation off
      dns_v4_first on
      pid_filename /var/run/squid/squid.pid
      cache_effective_user squid
      cache_effective_group proxy
      error_default_language en
      icon_directory /usr/local/etc/squid/icons
      visible_hostname va32apfsense02
      cache_mgr citrixadmin@motorola.com
      access_log /var/squid/logs/access.log
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      netdb_filename /var/squid/logs/netdb.state
      pinger_enable on
      pinger_program /usr/local/libexec/squid/pinger

      logfile_rotate 7
      debug_options rotate=7
      shutdown_lifetime 3 seconds
      forwarded_for on
      uri_whitespace allow
      dns_nameservers x.x.x.131 x.x.x.34
      acl dynamic urlpath_regex cgi-bin ?
      cache deny dynamic

      cache_mem 512 MB
      maximum_object_size_in_memory 256 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      minimum_object_size 0 KB
      maximum_object_size 4 MB
      cache_dir ufs /var/squid/cache 100 16 256
      offline_mode off
      cache_swap_low 90
      cache_swap_high 95
      cache allow all

      Add any of your own refresh_pattern entries above these.

      refresh_pattern ^ftp:    1440  20%  10080
      refresh_pattern ^gopher:  1440  0%  1440
      refresh_pattern -i (/cgi-bin/|?) 0  0%  0
      refresh_pattern .    0  20%  4320
      #Remote proxies

      Setup some default acls

      ACLs all, manager, localhost, and to_localhost are predefined.

      acl allsrc src all
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  1080 3129 1025-65535
      acl sslports port 443 563

      acl purge method PURGE
      acl connect method CONNECT

      Define protocols used for redirects

      acl HTTP proto HTTP
      acl HTTPS proto HTTPS
      acl allowed_subnets src x.x.x.0/24
      acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
      http_access allow manager localhost

      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports

      Always allow localhost connections

      http_access allow localhost

      request_body_max_size 0 KB
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100

      Do not throttle unrestricted hosts

      delay_access 1 deny unrestricted_hosts
      delay_access 1 allow allsrc

      Reverse Proxy settings

      Custom options before auth

      auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b OU="North America",OU=World,D
      C=company,DC=domain,DC=com -D CN="PFSense",OU=WTS,OU="Infrastructure Services",DC=company,DC=domain,DC=com -w M0t0r0la -f "(&(cn=%s)(memberof=CN=GLO-CTX-PROXY,OU=Groups,OU=North America,OU=World,DC=company,DC=domain,DC=com))" -u cn -h x.x.x.4:3268
      auth_param basic children 5
      auth_param basic realm Please enter your credentials to access the proxy
      auth_param basic credentialsttl 5 minutes
      acl password proxy_auth REQUIRED

      Custom options after auth

      http_access allow password allowed_subnets
      http_access allow password unrestricted_hosts

      Default block all to be sure

      http_access deny allsrc

      1 Reply Last reply Reply Quote 0
      • S
        sichent Banned
        last edited by

        Try to enable authenticator debugging and see what is in squid's access.log (-d command line parameter if I am not mistaken)

        1 Reply Last reply Reply Quote 0
        • M
          mikea
          last edited by

          Sichent

          Thank you for your reply. I was able to check the basic_ldap_auth manually and it returned OK. (I moved all of the users and groups into the same OU and that seemed to fix the issue for testing.)  I modified the squid.inc file to create a conf with the same syntax but it still returns nothing. The appearance is that the browser is not providing the credential or the following are not working:

          auth_param basic program /usr/local/libexec/squid/basic_ldap_auth ….
          acl password proxy_auth REQUIRED
          http_access allow password  allowed_subnet

          Any thoughts are appreciated.

          Thanks

          1 Reply Last reply Reply Quote 0
          • S
            sichent Banned
            last edited by

            Should not there be something like:

            http_access deny !auth
            http_access allow auth
            http_access deny all

            1 Reply Last reply Reply Quote 0
            • M
              mikea
              last edited by

              Sichent

              Thanks for your assistance. I finally figured it out. Here is what worked in my environment:

              LDAP Version: 3
              LDAP Server
              User DN: <service account="">@ <ad fqdn="">LDAP Password: <service account="" password="">LDAP Base Domain: DC=dsa,DC=<company>,DC=com
              LDAP Username DN Attribute: samAccountName
              LDAP Search Filter: (sAMAccountName=%s)

              I tried to use the User DN as CN=<service account="">,OU=<ou>, DC=dsa,DC=<company>,DC=com but it would not work.

              After getting this working, squid would identify the user so I was able to get Squidguard group ACLs working. The trick for that was to make sure that any OU that had a space in the name was converted with %20.

              ldap://<ad fqdn="">:3268/DC=dsa,DC=<company>,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=<group>2%2cOU=<ou1>%2cOU=North**%20**America%2cOU=<ou3>%2cDC=dsa%2cDC=<company>%2cDC=com))

              Note in the above string the space between North America had to be converted.

              Hope this helps somoeone.</company></ou3></ou1></group></company></ad></company></ou></service></company></service></ad></service>

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.