AD-LDAP Authentication Assistance
-
Sorry but this is kicking me.
I have read as much documentation as I can find on this forum and others. In theory it should be working (and I am sure I had it working in the past), but it is not currently. I am attempting to use AD LDAP authentication within Squid. We are forcing proxy settings via AD GPO. The authentication dialog box pops up allowing the entry of the name and password, but I get TCP_DENIED/407 errors and no destination IP. Occasionally it will show the user name, but again no destination IP. If I add .com, .org, .gov etc. to the whitelist then the web site reaches the target, but without authenticating the user.
In System=>User Manager our AD is configured properly, groups are configured to match the AD groups, and Diagnostics=>Authentication succeeds when submitting a user/password combination. I know I am missing something obvious but just can't put my finger on it. Any suggestions would be greatly appreciated. The groups and the users were not in the same OU, but I have tested by moving the group to match. Still no joy.
I have played with ext_ldap_group_acl, but in testing I could not get that to work either.
Here is my pfSense-generated squid.conf file:
http_port x.x.x.x:1080
icp_port 0
digest_generation off
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname va32apfsense02
cache_mgr citrixadmin@motorola.com
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
logfile_rotate 7
debug_options rotate=7
shutdown_lifetime 3 seconds
forwarded_for on
uri_whitespace allow
dns_nameservers x.x.x.131 x.x.x.34
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 512 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 100 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Remote proxies
# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1080 3129 1025-65535
acl sslports port 443 563
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src x.x.x.0/24
acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
# Do not throttle unrestricted hosts
delay_access 1 deny unrestricted_hosts
delay_access 1 allow allsrc
# Reverse Proxy settings
# Custom options before auth
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b OU="North America",OU=World,DC=company,DC=domain,DC=com -D CN="PFSense",OU=WTS,OU="Infrastructure Services",DC=company,DC=domain,DC=com -w M0t0r0la -f "(&(cn=%s)(memberof=CN=GLO-CTX-PROXY,OU=Groups,OU=North America,OU=World,DC=company,DC=domain,DC=com))" -u cn -h x.x.x.4:3268
auth_param basic children 5
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 5 minutes
acl password proxy_auth REQUIRED
# Custom options after auth
http_access allow password allowed_subnets
http_access allow password unrestricted_hosts
# Default block all to be sure
http_access deny allsrc
-
Try to enable authenticator debugging and see what is in squid's access.log (the -d command-line parameter, if I am not mistaken).
-
Sichent
Thank you for your reply. I was able to check basic_ldap_auth manually and it returned OK. (I moved all of the users and groups into the same OU and that seemed to fix the issue for testing.) I modified the squid.inc file to create a conf with the same syntax, but it still returns nothing. The appearance is that the browser is not providing the credential, or the following are not working:
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth ….
acl password proxy_auth REQUIRED
http_access allow password allowed_subnets
Any thoughts are appreciated.
Thanks
-
Shouldn't there be something like:
http_access deny !auth
http_access allow auth
http_access deny all
-
Sichent
Thanks for your assistance. I finally figured it out. Here is what worked in my environment:
LDAP Version: 3
LDAP Server
User DN: <service account>@<AD FQDN>
LDAP Password: <service account password>
LDAP Base Domain: DC=dsa,DC=<company>,DC=com
LDAP Username DN Attribute: samAccountName
LDAP Search Filter: (sAMAccountName=%s)
I tried to use the User DN as CN=<service account>,OU=<ou>,DC=dsa,DC=<company>,DC=com but it would not work.
After getting this working, squid would identify the user, so I was able to get SquidGuard group ACLs working. The trick for that was to make sure that any OU that had a space in the name was converted with %20.
ldap://<AD FQDN>:3268/DC=dsa,DC=<company>,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=<group>2%2cOU=<ou1>%2cOU=North**%20**America%2cOU=<ou3>%2cDC=dsa%2cDC=<company>%2cDC=com))
Note that in the above string the space in "North America" had to be converted.
Hope this helps someone.
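As an added example (not code from the poster, pfSense or SquidGuard), the following Python helper builds a SquidGuard-style ldap:// group lookup URL in the shape the post arrives at: the group DN is first escaped for LDAP filter metacharacters (RFC 4515) and then percent-encoded so that spaces and commas become %20 and %2c as the post describes. The host, base DN, group and OU names are constructed placeholders, and `squidguard_ldap_url` is a hypothetical helper name.

```python
# Constructed sample values; not the poster's real environment.
AD_HOST = "dc01.ad.example.com"
GC_PORT = 3268  # Global Catalog port, as used in the thread
BASE_DN = "DC=dsa,DC=example,DC=com"
GROUP_DN = "CN=Proxy Users,OU=Groups,OU=North America,OU=World,DC=dsa,DC=example,DC=com"

# RFC 4515 escapes for characters that would otherwise change the
# structure of the search filter when a group name contains them.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape filter metacharacters inside an assertion value (the text
    after memberOf=) so a name like 'Ops (East)' cannot break the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def url_encode_dn(value: str) -> str:
    """Percent-encode a DN for the filter part of an ldap:// URL.
    Everything except letters, digits, '=' and a few unreserved marks is
    encoded, so spaces become %20 and commas %2c (lowercase hex, matching
    the form shown in the post)."""
    out = []
    for ch in value:
        if ch.isalnum() or ch in "=-._~":
            out.append(ch)
        else:
            out.extend("%%%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


def squidguard_ldap_url(host: str, port: int, base_dn: str, group_dn: str,
                        user_attr: str = "sAMAccountName") -> str:
    """Build ldap://host:port/base?attr?sub?(&(attr=%s)(memberOf=<group>)).
    The literal %s is left in place for SquidGuard to substitute the
    authenticated user name at lookup time."""
    member_of = url_encode_dn(ldap_filter_escape(group_dn))
    search_filter = f"(&({user_attr}=%s)(memberOf={member_of}))"
    return f"ldap://{host}:{port}/{base_dn}?{user_attr}?sub?{search_filter}"


if __name__ == "__main__":
    print(squidguard_ldap_url(AD_HOST, GC_PORT, BASE_DN, GROUP_DN))
```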