AD-LDAP Authentication Assistance



  • Sorry, but this is kicking me.

    I have read as much documentation as I can find on this forum and others. In theory it should be working (and I am sure I had it working in the past), but it is not currently. I am attempting to use AD LDAP authentication within Squid. We are forcing proxy settings via AD GPO. The authentication dialog box pops up allowing the entry of the name and password, but I get TCP_DENIED/407 errors and no destination IP. Occasionally it will show the user name, but again no destination IP. If I add .com, .org, .gov etc. to the whitelist then the web site reaches the target, but without authenticating the user.

    In System=>User Manager our AD is configured properly, groups are configured to match the AD groups, and Diagnostics=>Authentication succeeds when submitting a user/password combination. I know I am missing something obvious but just can't put my finger on it. Any suggestions would be greatly appreciated. The groups and the users were not in the same OU, but I have tested by moving the group to match. Still no joy.

    I have played with ext_ldap_group_acl, but in testing could not get that to work either.

    Here is my pfSense-generated squid.conf file:

    http_port x.x.x.x:1080
    icp_port 0
    digest_generation off
    dns_v4_first on
    pid_filename /var/run/squid/squid.pid
    cache_effective_user squid
    cache_effective_group proxy
    error_default_language en
    icon_directory /usr/local/etc/squid/icons
    visible_hostname va32apfsense02
    cache_mgr citrixadmin@motorola.com
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    netdb_filename /var/squid/logs/netdb.state
    pinger_enable on
    pinger_program /usr/local/libexec/squid/pinger

    logfile_rotate 7
    debug_options rotate=7
    shutdown_lifetime 3 seconds
    forwarded_for on
    uri_whitespace allow
    dns_nameservers x.x.x.131 x.x.x.34
    acl dynamic urlpath_regex cgi-bin \?
    cache deny dynamic

    cache_mem 512 MB
    maximum_object_size_in_memory 256 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    minimum_object_size 0 KB
    maximum_object_size 4 MB
    cache_dir ufs /var/squid/cache 100 16 256
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    cache allow all

    # Add any of your own refresh_pattern entries above these.

    refresh_pattern ^ftp:    1440  20%  10080
    refresh_pattern ^gopher:  1440  0%  1440
    refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
    refresh_pattern .    0  20%  4320
    #Remote proxies

    # Setup some default acls

    # ACLs all, manager, localhost, and to_localhost are predefined.

    acl allsrc src all
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1080 3129 1025-65535
    acl sslports port 443 563

    acl purge method PURGE
    acl connect method CONNECT

    # Define protocols used for redirects

    acl HTTP proto HTTP
    acl HTTPS proto HTTPS
    acl allowed_subnets src x.x.x.0/24
    acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
    http_access allow manager localhost

    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports

    # Always allow localhost connections

    http_access allow localhost

    request_body_max_size 0 KB
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100

    # Do not throttle unrestricted hosts

    delay_access 1 deny unrestricted_hosts
    delay_access 1 allow allsrc

    # Reverse Proxy settings

    # Custom options before auth

    auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b OU="North America",OU=World,DC=company,DC=domain,DC=com -D CN="PFSense",OU=WTS,OU="Infrastructure Services",DC=company,DC=domain,DC=com -w M0t0r0la -f "(&(cn=%s)(memberof=CN=GLO-CTX-PROXY,OU=Groups,OU=North America,OU=World,DC=company,DC=domain,DC=com))" -u cn -h x.x.x.4:3268
    auth_param basic children 5
    auth_param basic realm Please enter your credentials to access the proxy
    auth_param basic credentialsttl 5 minutes
    acl password proxy_auth REQUIRED

    # Custom options after auth

    http_access allow password allowed_subnets
    http_access allow password unrestricted_hosts

    # Default block all to be sure

    http_access deny allsrc


  • Banned

    Try to enable authenticator debugging and see what is in squid's access.log (the -d command-line parameter, if I am not mistaken).



  • Sichent

    Thank you for your reply. I was able to check basic_ldap_auth manually and it returned OK. (I moved all of the users and groups into the same OU and that seemed to fix the issue for testing.) I modified the squid.inc file to create a conf with the same syntax, but it still returns nothing. It appears that the browser is not providing the credentials, or that the following are not working:

    auth_param basic program /usr/local/libexec/squid/basic_ldap_auth ….
    acl password proxy_auth REQUIRED
    http_access allow password allowed_subnets

    Any thoughts are appreciated.

    Thanks


  • Banned

    Shouldn't there be something like:

    http_access deny !auth
    http_access allow auth
    http_access deny all



  • Sichent

    Thanks for your assistance. I finally figured it out. Here is what worked in my environment:

    LDAP Version: 3
    LDAP Server
    User DN: <service account>@<AD FQDN>
    LDAP Password: <service account password>
    LDAP Base Domain: DC=dsa,DC=<company>,DC=com
    LDAP Username DN Attribute: samAccountName
    LDAP Search Filter: (sAMAccountName=%s)

    I tried to use the User DN as CN=<service account>,OU=<ou>,DC=dsa,DC=<company>,DC=com but it would not work.

    After getting this working, squid would identify the user, so I was able to get squidGuard group ACLs working. The trick for that was to make sure that any OU that had a space in the name was converted with %20.

    ldap://<AD FQDN>:3268/DC=dsa,DC=<company>,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=<group>2%2cOU=<ou1>%2cOU=North%20America%2cOU=<ou3>%2cDC=dsa%2cDC=<company>%2cDC=com))

    Note that in the above string the space in "North America" had to be converted.

    Hope this helps someone.
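The percent-encoding step from the post above, as an added example that is not part of the original thread and is not pfSense or squidGuard code: a small Python script that builds the squidGuard ldapusersearch URL from a plain AD group DN. It first escapes LDAP filter metacharacters (RFC 4515) so a group name containing parentheses or an asterisk cannot change the filter, then percent-encodes the DN so that spaces become %20 and commas %2c, and it can decode the memberOf value back out of a URL to check what AD will actually receive. The host name dc01.ad.example.com, the base DN and the group DNs in the script are constructed placeholders, not values from the thread.

```python
"""
Build a squidGuard ldapusersearch URL from a plain AD group DN.

Added example; not code from the original thread, pfSense or squidGuard.
It does by hand what the final post describes: the DN inside the LDAP
URL filter is percent-encoded (space -> %20, comma -> %2c) so that an
OU such as "North America" survives squidGuard's URL parsing.
The host, base DN and group DNs used below are constructed placeholders.
"""
from urllib.parse import unquote


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Without this, a group name containing ( ) * or \\ would alter the
    filter's structure instead of being matched literally."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def percent_encode(value: str, safe: str = "=") -> str:
    """Percent-encode one LDAP URL component (RFC 4516 / RFC 3986) with
    lowercase hex, matching the %2c / %20 form shown in the thread.
    Unreserved characters and anything listed in `safe` pass through."""
    out = []
    for ch in value:
        if (ch.isascii() and ch.isalnum()) or ch in "-._~" or ch in safe:
            out.append(ch)
        else:
            out.extend("%%%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


def build_squidguard_ldap_url(host, base_dn, group_dn,
                              port=3268, attr="sAMAccountName"):
    """Return ldap://host:port/<base>?<attr>?sub?<filter>.

    The base DN keeps its commas (legal in a URL path, and left as-is in
    the thread); the group DN inside the memberOf clause is fully
    encoded.  The literal %s stays in place for squidGuard to substitute
    the user name, and port 3268 is the AD global catalog, as in the
    thread."""
    enc_base = percent_encode(base_dn, safe="=,")
    enc_group = percent_encode(escape_filter_value(group_dn))
    return "ldap://%s:%d/%s?%s?sub?(&(%s=%%s)(memberOf=%s))" % (
        host, port, enc_base, attr, attr, enc_group)


def group_dn_from_url(url: str) -> str:
    """Decode the memberOf value back out of a URL built above, i.e. the
    DN string that will actually be sent to AD inside the filter."""
    marker = "(memberOf="
    start = url.index(marker) + len(marker)
    end = url.rindex("))")
    return unquote(url[start:end])


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own AD names.
    url = build_squidguard_ldap_url(
        "dc01.ad.example.com",
        "DC=dsa,DC=example,DC=com",
        "CN=GLO-CTX-PROXY,OU=Groups,OU=North America,OU=World,"
        "DC=dsa,DC=example,DC=com")
    print("ldapusersearch " + url)
    print("decoded memberOf:", group_dn_from_url(url))
```

Paste the printed ldapusersearch line into squidGuard.conf; if the decoded memberOf DN printed on the second line is not exactly the group's distinguishedName as AD shows it, the group match will silently fail in the same way the post describes.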