Squid Authentication - Almost there…but not yet


  • Just installed pfsense and squid (2.7) on a spare machine. I am trying to get Squid to authenticate AD users via LDAP.

    First I tried this: http://vicryhc.wordpress.com/2013/07/08/how-to-setting-squid-on-pfsense-with-authentiaction-ldap-windows/

    My domain name is ads.example.local

    LDAP server user DN: cn=squid,cn=Users,dc=ads,dc=example,dc=local
    LDAP password: mypassword
    LDAP base domain: dc=ads,dc=example,dc=local
    LDAP username DN attribute: uid
    LDAP search filter: (sAMAccountName=%s)

    To my dismay it didn't work; so I experimented a bit and changed the base domain:

    LDAP base domain: _cn=Users,_dc=ads,dc=example,dc=local

    And bingo! It worked. However, this setup is meant to authenticate just one user - "squid" which is in Users container in my AD.

    So I continued further with same guide which also shows how to authenticate a group of users.

    I created a group named "InternetUsers" in the "Users" container in AD and added some users to it.

    I then changed the settings:
    LDAP server user DN: cn=squid,cn=Users,dc=ads,dc=example,dc=local
    LDAP password: mypassword
    LDAP base domain: dc=ads,dc=example,dc=local
    LDAP username DN attribute: uid

    As per the guide, I entered following value for LDAP search filter:
    (&(memberOf=CN=InternetUsers,CN=Users,DC=ads,DC=example,DC=local)(sAMAccountName=%s))

    This couldn't authenticate any user. So I experimented a bit with it…
    Also tried  LDAP base domain: _cn=Users,_dc=ads,dc=example,dc=local

    But no luck whatsoever. Squid log entries show "Operational error" - nothing specific.

    So something is wrong with either my LDAP search filter or the base domain value.

    Any suggestions to correct my mistake? Or any LDAP analyzer tool which I can install on AD server that can help me debug my settings?

    Thanks in advance.


  • Update:

    I am trying these values in Squid GUI:

    LDAP base domain: cn=Users,dc=ads,dc=example,dc=local
    LDAP username DN attribute: samAccountName
    LDAP search filter: (&(memberOf=CN=InternetUsers,CN=Users,DC=ads,DC=example,DC=local)(sAMAccountName=%s))
    

    This doesn't work on pfsense box; but when I run the same exact query in LDP.exe tool on AD server, it works and returns the user name.

    In addition to this, there is one more issue.
    The container "InternetUsers" is a security group which is in "Users" container in the AD; the members of this group ("InternetUsers") are spread across various OU. So in order to authenticate them, I have to supply multiple "base dn" values.

    Still looking for help.


  • Final Update & Closing:

    My settings:

    LDAP base domain: cn=Users,dc=ads,dc=example,dc=local
    LDAP username DN attribute: samAccountName
    LDAP search filter: (&(memberOf=CN=InternetUsers,CN=Users,DC=ads,DC=example,DC=local)(sAMAccountName=%s))
    
    

    AD structure:
    Container: Users > squid, test, administrator
    Other Containers (OU):

    OU Main
                –- OU1 --- User1
                --- OU2 --- User2

    All these users have been added to security group (global) named InternetUsers and this group resides in the "Users" container.

    I am able to verify three users - test, squid, and administrator which are in Users container; but I am not able to authenticate User1 and User2 which are placed elsewhere in AD even though they are members of InternetUsers group.

    I conclude that the search is limited to one level only. So either I have to find a way to provide multiple Base Domain values, or find a way to make the search query recursive. Both would perhaps require me to directly edit the .inc file. I am not planning to do it and will leave it at that. I would rather create local users in Squid and now focus on learning SquidGuard.

    Thanks