Netgate Discussion Forum
Squid and LDAP Authentication

pfSense Packages. 7 Posts, 2 Posters, 25.2k Views
nitsuj (Sep 28, 2011, 7:52 AM):

    I am building a new firewall with pfSense and squid. All was looking good until I could not get squid to authenticate via LDAP to my AD server.

    I have pfsense 2.0
    and the latest stable squid package installed.

    I am able to use local authentication but not LDAP.

    I have the following in the Squid Auth LDAP config:

    Authentication method - LDAP
    LDAP version - 3
    Authentication server - (windows server IP address)
    LDAP server user DN - cn=administrator,cn=Users,dc=yourdomain,dc=co,dc=za
    LDAP password - (your password for the administrator account)
    LDAP base domain - dc=yourdomain,dc=co,dc=za
    LDAP search filter - sAMAccountName=%s

    The server is a Windows 2003 SP2

    I have other apps like openvpn authenticating to this server and I can also use a LDAP browser to connect to this server.

    The squid log file shows an error for each failed login attempt:

    unable to connect to server "server ip"

    I can ping the windows server from pfSense.

    Any ideas?  Thanks

kaugustyn (Sep 28, 2011, 11:04 AM):

      Hi

      Have you checked your traffic rules? Did you allow traffic from the pfSense box to the AD server on the LDAP port (389, as I recall)?
      First try to checkout above, then will see.
      Regards

nitsuj (Sep 28, 2011, 6:49 PM):

        Under firewall rules, there is a rule that I guess allows anything on the lan side.

        The description reads "Default allow LAN to any rule"

        My AD server is on the LAN side so I don't know why I need a rule.

        I still added rules under Firewall -> Rules on both LAN and WAN to allow everything, and I still get the error below:

        This error is from /var/squid/logs/cache.log:

        Unable to connect to LDAP server:192.168.10.218: port:389
        2011/09/28 18:19:13| WARNING: basicauthenticator #4 (FD 15) exited

        Thanks

kaugustyn (Sep 30, 2011, 5:24 AM):

          It seems you have the same error as I do. For me, after quick tests with tcpdump and /usr/libexec/squid/squid_ldap_auth there is something wrong with the helper. I do not have any errors in any log or console, but the command to test the connection to the AD server did not generate ANY traffic.

          I think it is up to package developer to look at it closer

nitsuj (Sep 30, 2011, 11:43 PM):

            Ok I finally have this working.  :)

            The following works for a windows 2003 SP2 server, pfsense 2.0, squid 2.7.9_4.2

            Firstly, you need to enter a port number! If you don't, squid will store the server address in squid.conf with a colon at the end. This may work for other LDAP servers but not Windows Server 2003, it seems. You can see this in the error below.

            Unable to connect to LDAP server:192.168.10.218: port:389
            2011/09/28 18:19:13| WARNING: basicauthenticator #4 (FD 15) exited

            So the following authentication server port tip is false:

            "Enter here the port to use to connect to the authentication server. Leave this field blank to use the authentication method's default port."

            After carefully examining the Windows 2003 Active Directory adjustments section in the following blog I came up with the precise settings to work with WS 2003:

            http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap#head-3793850746c1c1e7a0108faa8ae46f33bdd57bd9

            The following works for me:

            Authentication Method: ldap
            LDAP version: 3
            Authentication server port: 389
            LDAP server user DN: CN="a user",CN="users CN",DC="etc",DC="etc"
            LDAP password: "the password for that user"
            LDAP base domain: cn="where the users are",dc=yourdomain,dc=etc,dc=etc
            LDAP username DN attribute: blank
            LDAP search filter: sAMAccountName=%s

            Hope this helps. ;D

kaugustyn (Oct 3, 2011, 1:58 PM):
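Putting nitsuj's working settings and kaugustyn's direct helper test together, here is an added example of my own; it is not code from the thread, from the pfSense squid package or from Squid. It builds the squid.conf auth_param line for squid_ldap_auth with an explicit port and refuses the blank-port case that left the host as "192.168.10.218:" in the cache.log above, and it checks an existing squid.conf for that trailing-colon symptom before a reload. It assumes the Squid 2.7 squid_ldap_auth option letters (-v, -b, -D, -w, -f, -h, -p) and uses placeholder DNs and a placeholder password; substitute your own.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense package.
# Generates the squid.conf lines for squid_ldap_auth against Windows 2003 AD
# and guards against the blank port that produced
#   Unable to connect to LDAP server:192.168.10.218: port:389
# All DNs, hosts and the password are placeholders (assumed values).

# build_auth_line SERVER PORT BINDDN BINDPW BASEDN FILTER
# Prints the auth_param/acl lines on stdout.
# Returns 1 if PORT is empty or non-numeric, because a blank port is what
# left the -h argument as "192.168.10.218:" in the thread.
build_auth_line() {
    server="$1"; port="$2"; binddn="$3"; bindpw="$4"; basedn="$5"; filter="$6"
    if [ -z "$port" ]; then
        echo "refusing blank port: host would be written as '${server}:'" >&2
        return 1
    fi
    case "$port" in
        *[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    # squid_ldap_auth (Squid 2.7): -v LDAP version, -b base DN, -D/-w bind DN
    # and password, -f search filter with %s for the login name, -h host, -p port
    printf 'auth_param basic program /usr/libexec/squid/squid_ldap_auth -v 3 -b "%s" -D "%s" -w "%s" -f "%s" -h %s -p %s\n' \
        "$basedn" "$binddn" "$bindpw" "$filter" "$server" "$port"
    printf 'auth_param basic children 5\n'
    printf 'auth_param basic realm Squid proxy\n'
    printf 'auth_param basic credentialsttl 2 hours\n'
    printf 'acl ldap_users proxy_auth REQUIRED\n'
    printf 'http_access allow ldap_users\n'
}

# check_conf FILE
# Returns 1 if any -h argument in FILE ends in a colon (the malformed host
# seen in the thread), 0 otherwise. Run it before "squid -k reconfigure".
check_conf() {
    if grep -E -e '-h[[:space:]]+[^[:space:]]+:([[:space:]]|$)' "$1" >/dev/null; then
        echo "squid.conf passes a host with a trailing colon to squid_ldap_auth" >&2
        return 1
    fi
    return 0
}

# Usage (placeholder bind account and base DN, assumed):
# build_auth_line 192.168.10.218 389 \
#     'CN=squidbind,CN=Users,DC=yourdomain,DC=co,DC=za' 'changeme' \
#     'CN=Users,DC=yourdomain,DC=co,DC=za' 'sAMAccountName=%s'
```

To test the helper by hand on the pfSense box the way kaugustyn did, pipe a login to it with the same options, which prints OK or ERR: `echo "someuser somepassword" | /usr/libexec/squid/squid_ldap_auth -v 3 -b "CN=Users,DC=yourdomain,DC=co,DC=za" -D "CN=squidbind,CN=Users,DC=yourdomain,DC=co,DC=za" -w changeme -f "sAMAccountName=%s" -h 192.168.10.218 -p 389`, and watch `tcpdump -ni em0 port 389` in a second shell to confirm the bind actually reaches the server. Two caveats a practitioner would add: the bind password lands in squid.conf in clear, so use a dedicated read-only bind account rather than the domain administrator the first post used, and plain port 389 also carries every proxy user's password in clear between pfSense and the domain controller, so keep that path on a trusted segment or move to LDAPS if your Squid build supports it.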

              I will try, but the squid_ldap_auth command line I entered had the port parameter.
              Will look at my config, but glad yours works! ;D

kaugustyn (Oct 10, 2011, 10:44 AM):

                Hmm, strange thing, but I can confirm that after filling in the port, authentication started to work :) I am pretty sure that in earlier versions it was not necessary to fill in the port field and it worked fine.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.