Does Squid support 2020 LDAP channel binding ?
-
Squid itself seems support SSL/TLS adjustments by passing -ZZ argument.
Is it possible add such option into pfsense GUI ? -
@CZvacko said in Does Squid support 2020 LDAP channel binding ?:
Squid itself seems support SSL/TLS adjustments by passing -ZZ argument.
Is it possible add such option into pfsense GUI ?Why are you using double Z (-ZZ) ?
package upgrade in progress
-
@viktor_g That should enable SSL/TLS secure channel authentication, or I'm wrong ?
-
@CZvacko said in Does Squid support 2020 LDAP channel binding ?:
@viktor_g That should enable SSL/TLS secure channel authentication, or I'm wrong ?
Yes, but only single -Z
http://www.squid-cache.org/Versions/v3/3.2/manuals/basic_ldap_auth.html:−Z Use TLS encryptionin the next update of Squid pkg:
https://redmine.pfsense.org/issues/9982 -
@viktor_g Its some missmatch in manuals, here they mention ZZ: https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap
Also they mention to upload SSL certs into /etc/openldap/cacerts , how to do that ? Or not needed ? -
@CZvacko said in Does Squid support 2020 LDAP channel binding ?:
@viktor_g Its some missmatch in manuals, here they mention ZZ: https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap
single -Z, you can check command help by running:
/usr/local/libexec/squid/basic_ldap_authAlso they mention to upload SSL certs into /etc/openldap/cacerts , how to do that ? Or not needed ?
Thanks, in process,,. -
@CZvacko
See https://redmine.pfsense.org/issues/9982 -
Hello, what about SquidGuard ? I use it to block some pages for all users, and by-pass such block for some users from AD group. It will probably face same issue, but development of SquidGuard seems to stop
Any replacement for it ? Diladele, ufdbGuard - they seems to not possible integrate into Netgate. -
@CZvacko said in Does Squid support 2020 LDAP channel binding ?:
Hello, what about SquidGuard ? I use it to block some pages for all users, and by-pass such block for some users from AD group. It will probably face same issue
Nice idea,
I'll check it -
@CZvacko said in Does Squid support 2020 LDAP channel binding ?:
Hello, what about SquidGuard ? I use it to block some pages for all users, and by-pass such block for some users from AD group. It will probably face same issue, but development of SquidGuard seems to stop
Unfortunately, squidGuard does not support SSL / TLS:
https://fossies.org/linux/www/squidGuard-1.5-beta.tar.gz/squidGuard-1.5-beta/CHANGELOG -
Hi, I upgraded pfsense to 2.4.5, then patched squid.inc to PORTREVISION=16 and later to PORTREVISION=17 but have issue to use "SSL-Encypted" transport, while "TCP-standard" works normally. Here is what I did:
- switch Authentication Server from IP to FQDN of LDAP server (to match certificates)
- set Authentication server port to 636
- set Transport to SSL-Encypted
- added certificates at the end of /usr/local/share/certs/ca-root-nss.crt
- reboot
But user still cannot be verified by LDAP server (webbrowser still asking for credentials)
Debug I did:
a) command openssl s_client -connect ldap.our.company:636 finish as Verify return code: 0 (ok)
b) packet capture of LDAP IP show some cummunication (port opened ok on LDAP server)
c) /var/squid/logs/cache.log shows: basic_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server' - this indicate some issue.Also, colleague mentioned stripntdomain should be false - in log is true, not sure about it.
What to do now ? -
@CZvacko
Did it work on 2.4.4-p3?
Have you checked this in the lastest 2.5 snapshot?default OpenSSL trust store is '/etc/ssl/certs'
filenames must use <HASH>.0 file format, i.e.:
'/etc/ssl/certs/7fea9b91.0'to get hash value:
'openssl x509 -hash -noout -in mycacert.crt' -
In 2.4.4-p3 there was not such functionality in Squid, its new feature.
Didn't tried in 2.5, using stable branch only.Tried to copy certificates base on your instructions, but issue persist.
Debug d) LDAP server owner (running in different place) show me AD log which says:
Internal event: An LDAP over Secure Sockets Layer (SSL) connection could not be established with a client.
Error value: 2148074289 The client and server cannot communicate, because they do not possess a common algorithm. -
@CZvacko can you check this: https://forum.netgate.com/topic/145578/ldaps-ad-bind/18 ?
The command isn't correct, you cannot use -h host -p 636, as simply selecting a different port won't make ldapsearch use SSL, I know, its silly, but you really need to use -H "ldaps://host:636".if -H "ldaps://host:636" works OK, I'll create fix
-
That post seems to be related about authenticating pfsense "admin user" against LDAP. But proxy/squid should have own routine to authenticate "proxy user" against LDAP. Or am I wrong?
I can try what you mention, but what command I should run ?
-
@CZvacko said in Does Squid support 2020 LDAP channel binding ?:
That post seems to be related about authenticating pfsense "admin user" against LDAP. But proxy/squid should have own routine to authenticate "proxy user" against LDAP. Or am I wrong?
I can try what you mention, but what command I should run ?
Open /usr/local/etc/squid/squid.conf in a text editor,
remove server option (like'192.168.1.4:636'),
and add ldap URI option (like-H 'ldaps://192.168.1.4:636')then restart squid service:
service squid.sh restart
and check authentication -
Hi, now it seems to be ok.
-
@CZvacko said in Does Squid support 2020 LDAP channel binding ?:
Hi, now it seems to be ok.
Successfully?
I'll create squid package fix -
Successfully tested,
https://redmine.pfsense.org/issues/10422Soon in the new version of Squid package
-
Concerning Squidquard, when LDAP channel binding become forced by AD server, I will probably have to abandon it. But I just got some idea:
Is it possible to use some kind of "mixed authentication" like Squid user Authenticated by LDAP but Squidquard user list will be defined as string in Group ACL > "Client (source)" ? [currently I have there Ldap search expression]
Because in log of both Squid and Squidquard I can see simple user_name, if pfsense "pair" this usernames internally just by string, then mixed mode can work ??