AD-LDAP Authentication Assistance
Sorry but this is kicking me.
I have read as much documentation as I can find on this forum and others. In theory it should be working (and I am sure I had it working in the past) but it is not currently. I am attempting to use AD LDAP authentication within Squid. We are forcing proxy settings via AD GPO. The authentication dialog box pops up allowing the entry of the name and password, but I get TCP_DENIED/407 errors and no destination IP. Occasionally it will show the user name but again no destination IP. If I add .com .org .gov etc. to the whitelist then the web site reaches the target but without authenticating the user.
In the System=>User Manager our AD is configured properly, groups are configured to match the AD groups and Diagnostics=>Authentication succeeds when submitting a user/password combination. I know I am missing something obvious but just can't put my finger on it. Any suggestions would be greatly appreciated. The groups and the users were not in the same OU but I have tested by moving the group to match. Still no joy.
I have played with ext_ldap_group_acl but in testing, could not get that to work either.
Here is my pfsense configured squid.conf file:
shutdown_lifetime 3 seconds
dns_nameservers x.x.x.131 x.x.x.34
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 512 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 100 16 256
cache allow all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1080 3129 1025-65535
acl sslports port 443 563
acl purge method PURGE
acl connect method CONNECT
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src x.x.x.0/24
acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost
request_body_max_size 0 KB
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 deny unrestricted_hosts
delay_access 1 allow allsrc
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b OU="North America",OU=World,DC=company,DC=domain,DC=com -D CN="PFSense",OU=WTS,OU="Infrastructure Services",DC=company,DC=domain,DC=com -w M0t0r0la -f "(&(cn=%s)(memberof=CN=GLO-CTX-PROXY,OU=Groups,OU=North America,OU=World,DC=company,DC=domain,DC=com))" -u cn -h x.x.x.4:3268
auth_param basic children 5
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 5 minutes
acl password proxy_auth REQUIRED
http_access allow password allowed_subnets
http_access allow password unrestricted_hosts
http_access deny allsrc
Try to enable authenticator debugging and see what is in squid's access.log (-d command line parameter if I am not mistaken)
Thank you for your reply. I was able to check the basic_ldap_auth manually and it returned OK. (I moved all of the users and groups into the same OU and that seemed to fix the issue for testing.) I modified the squid.inc file to create a conf with the same syntax but it still returns nothing. The appearance is that the browser is not providing the credential or the following are not working:
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth ….
acl password proxy_auth REQUIRED
http_access allow password allowed_subnet
Any thoughts are appreciated.
Should not there be something like:
http_access deny !auth
http_access allow auth
http_access deny all
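To see why the original config answers TCP_DENIED/407 even after a password is typed, and what the reply's `deny !auth` / `allow auth` ordering changes, here is an added example (not code from the thread or from pfSense) that models Squid's first-match walk over http_access lines. It assumes a simplified rule: a proxy_auth ACL that cannot be satisfied, because no credentials were sent or because the helper answered ERR, stops evaluation with a 407 challenge; the subnet, user and VALID table are constructed.

```python
# Added example: simplified model of Squid http_access evaluation.
# Constructed stand-in for basic_ldap_auth: it answers OK or ERR per "user password".
VALID = {("jdoe", "correct-horse")}

def ldap_helper(user, password):
    return "OK" if (user, password) in VALID else "ERR"

# Fast ACLs as predicates over the request; "password" is handled separately
# because it is the proxy_auth ACL (acl password proxy_auth REQUIRED).
ACLS = {
    "allsrc": lambda req: True,
    "localhost": lambda req: req["src"] == "127.0.0.1",
    "allowed_subnets": lambda req: req["src"].startswith("192.0.2."),  # constructed LAN
}

def acl_matches(name, req):
    """True/False for a normal ACL; "407" when the proxy_auth ACL cannot be satisfied."""
    if name == "password":
        creds = req.get("credentials")          # (user, password) from Proxy-Authorization
        if creds is None or ldap_helper(*creds) != "OK":
            return "407"                        # missing or rejected: Squid re-challenges
        return True
    return ACLS[name](req)

def http_access(rules, req):
    """First matching line wins; every ACL on the line must match (leading ! negates).
    If no line matches, the default is the opposite of the last line's action."""
    for action, acls in rules:
        line_matches = True
        for acl in acls:
            negated = acl.startswith("!")
            result = acl_matches(acl.lstrip("!"), req)
            if result == "407":
                return "TCP_DENIED/407"         # 407 + Proxy-Authenticate, evaluation stops
            if result == negated:               # ACL did not match once negation is applied
                line_matches = False
                break
        if line_matches:
            return "allow" if action == "allow" else "TCP_DENIED/403"
    return "TCP_DENIED/403" if rules[-1][0] == "allow" else "allow"

# Tail of the OP's pfSense-generated squid.conf (ACL names as in the post).
OP_RULES = [
    ("allow", ["localhost"]),
    ("allow", ["password", "allowed_subnets"]),
    ("deny", ["allsrc"]),
]

# Ordering suggested in the reply, with the OP's ACL name in place of "auth".
SUGGESTED_RULES = [
    ("deny", ["!password"]),
    ("allow", ["password"]),
    ("deny", ["allsrc"]),
]
```

With either rule set, a 407 after credentials were entered means the helper returned ERR, so the bind DN, filter or search base passed to basic_ldap_auth is the place to look rather than the http_access lines.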
Thanks for your assistance. I finally figured it out. Here is what worked in my environment:
LDAP Version: 3
User DN: <service account>@<AD FQDN>
LDAP Password: <service account password>
LDAP Base Domain: DC=dsa,DC=<company>,DC=com
LDAP Username DN Attribute: samAccountName
LDAP Search Filter: (sAMAccountName=%s)
I tried to use the User DN as CN=<service account>,OU=<ou>,DC=dsa,DC=<company>,DC=com but it would not work.
After getting this working, squid would identify the user so I was able to get Squidguard group ACLs working. The trick for that was to make sure that any OU that had a space in the name was converted with %20.
Note in the above string the space between North America had to be converted.
Hope this helps someone.