Netgate Discussion Forum
    Squid Authentication - Almost there…but not yet

    pfSense Packages
    golmaal

      Just installed pfSense and Squid (2.7) on a spare machine. I am trying to get Squid to authenticate AD users via LDAP.

      First I tried this: http://vicryhc.wordpress.com/2013/07/08/how-to-setting-squid-on-pfsense-with-authentiaction-ldap-windows/

      My domain name is ads.example.local

      LDAP server user DN: cn=squid,cn=Users,dc=ads,dc=example,dc=local
      LDAP password: mypassword
      LDAP base domain: dc=ads,dc=example,dc=local
      LDAP username DN attribute: uid
      LDAP search filter: (sAMAccountName=%s)

      To my dismay it didn't work; so I experimented a bit and changed the base domain:

      LDAP base domain: cn=Users,dc=ads,dc=example,dc=local

      And bingo! It worked. However, this setup is meant to authenticate just one user - "squid" - which is in the Users container in my AD.

      So I continued further with same guide which also shows how to authenticate a group of users.

      I created a group named "InternetUsers" in the "Users" container in AD and added some users to it.

      I then changed the settings:
      LDAP server user DN: cn=squid,cn=Users,dc=ads,dc=example,dc=local
      LDAP password: mypassword
      LDAP base domain: dc=ads,dc=example,dc=local
      LDAP username DN attribute: uid

      As per the guide, I entered following value for LDAP search filter:
      (&(memberOf=CN=InternetUsers,CN=Users,DC=ads,DC=example,DC=local)(sAMAccountName=%s))

      This couldn't authenticate any user. So I experimented a bit with it…
      Also tried LDAP base domain: cn=Users,dc=ads,dc=example,dc=local

      But no luck whatsoever. Squid log entries show "Operational error" - nothing specific.

      So something is wrong with either my LDAP search filter or the base domain value.

      Any suggestions to correct my mistake? Or any LDAP analyzer tool which I can install on AD server that can help me debug my settings?

      Thanks in advance.

      golmaal

        Update:

        I am trying these values in Squid GUI:

        LDAP base domain: cn=Users,dc=ads,dc=example,dc=local
        LDAP username DN attribute: samAccountName
        LDAP search filter: (&(memberOf=CN=InternetUsers,CN=Users,DC=ads,DC=example,DC=local)(sAMAccountName=%s))
        

        This doesn't work on the pfSense box; but when I run the same exact query in the LDP.exe tool on the AD server, it works and returns the user name.

        In addition to this, there is one more issue.
        The container "InternetUsers" is a security group which is in the "Users" container in the AD; the members of this group ("InternetUsers") are spread across various OUs. So in order to authenticate them, I have to supply multiple "base dn" values.

        Still looking for help.

          golmaal

          Final Update & Closing:

          My settings:

          LDAP base domain: cn=Users,dc=ads,dc=example,dc=local
          LDAP username DN attribute: samAccountName
          LDAP search filter: (&(memberOf=CN=InternetUsers,CN=Users,DC=ads,DC=example,DC=local)(sAMAccountName=%s))
          
          

          AD structure:
          Container: Users > squid, test, administrator
          Other Containers (OU):

          OU Main
              --- OU1 --- User1
              --- OU2 --- User2

          All these users have been added to security group (global) named InternetUsers and this group resides in the "Users" container.

          I am able to verify three users - test, squid, and administrator which are in Users container; but I am not able to authenticate User1 and User2 which are placed elsewhere in AD even though they are members of InternetUsers group.

          I conclude that the search is limited to one level only. So either I have to find a way to provide multiple Base Domain values, or find a way to make the search query recursive. Both would perhaps require me to directly edit the .inc file. I am not planning to do it and will leave it at that. I would rather create local users in Squid and now focus on learning SquidGuard.

          Thanks

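The behaviour described across these posts (users in cn=Users authenticate, users under ou=Main never do) comes down to what the LDAP helper is told to search: the "LDAP base domain" field is the search base, and the helper only ever sees entries at or below that DN. Below is an added example, not code from the forum post or from the pfSense Squid package, that reproduces the base-DN/scope/filter logic of a search like squid_ldap_auth's against a constructed in-memory copy of the thread's AD layout. The directory entries, the `guest` account and the `ldap_search`/`authenticated_users` helper names are assumptions made for this illustration; the scope names base/one/sub match the helper's `-s` option, but which scope the package actually passes is not shown on this page and is left as a parameter here.

```python
"""Simulate an LDAP search (base DN + scope + filter) over the thread's AD layout.

Added example, not the forum poster's code and not the pfSense Squid package.
It models only the search-side logic; a real helper talks to the DC over the
network and then binds as the DN it found to verify the password.
"""
import re

DOMAIN = "dc=ads,dc=example,dc=local"
GROUP = f"CN=InternetUsers,CN=Users,{DOMAIN}"

# Constructed directory modelled on the AD structure in the final post.
# 'guest' is an extra, assumed account that is NOT in InternetUsers.
DIRECTORY = [
    {"dn": f"cn=squid,cn=Users,{DOMAIN}", "sAMAccountName": "squid", "memberOf": [GROUP]},
    {"dn": f"cn=test,cn=Users,{DOMAIN}", "sAMAccountName": "test", "memberOf": [GROUP]},
    {"dn": f"cn=administrator,cn=Users,{DOMAIN}", "sAMAccountName": "administrator", "memberOf": [GROUP]},
    {"dn": f"cn=User1,ou=OU1,ou=Main,{DOMAIN}", "sAMAccountName": "User1", "memberOf": [GROUP]},
    {"dn": f"cn=User2,ou=OU2,ou=Main,{DOMAIN}", "sAMAccountName": "User2", "memberOf": [GROUP]},
    {"dn": f"cn=guest,cn=Users,{DOMAIN}", "sAMAccountName": "guest", "memberOf": []},
]

# The search filter exactly as entered in the pfSense GUI in the thread.
FILTER = "(&(memberOf=CN=InternetUsers,CN=Users,DC=ads,DC=example,DC=local)(sAMAccountName=%s))"


def dn_components(dn):
    """Split a DN into lower-cased RDNs (no escaped commas in this sample data)."""
    return [c.strip().lower() for c in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Is entry_dn reachable from base_dn under LDAP scope base/one/sub?"""
    e, b = dn_components(entry_dn), dn_components(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False              # entry is not under the base at all
    depth = len(e) - len(b)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1         # direct children only
    if scope == "sub":
        return True               # whole subtree, including nested OUs
    raise ValueError(f"unknown scope {scope!r}")


def escape_filter_value(value):
    """RFC 4515 escaping for the value substituted into %s, so a username
    such as '*)(cn=*' cannot alter the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s, i=0):
    """Minimal recursive-descent parser for (&...), (|...), (!...) and (attr=value)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        assert s[i] == ")", "unbalanced filter"
        return (op, children), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr, value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (AD-style case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    wanted = unescape_filter_value(value)
    for key, val in entry.items():
        if key.lower() != attr.lower():
            continue
        vals = val if isinstance(val, list) else [val]
        if attr.lower() == "memberof":   # DN-syntax attribute: compare RDN by RDN
            return any(dn_components(v) == dn_components(wanted) for v in vals)
        return any(v.lower() == wanted.lower() for v in vals)
    return False


def ldap_search(base_dn, scope, filter_template, username):
    """Return the DNs the helper would get back for this base/scope/filter/user."""
    filt = filter_template.replace("%s", escape_filter_value(username))
    node, _ = parse_filter(filt)
    return [e["dn"] for e in DIRECTORY if in_scope(e["dn"], base_dn, scope) and matches(node, e)]


def authenticated_users(base_dn, scope):
    """Users for whom the search yields exactly one DN (the helper then binds as it)."""
    candidates = ["squid", "test", "administrator", "User1", "User2", "guest"]
    return [u for u in candidates if len(ldap_search(base_dn, scope, FILTER, u)) == 1]


if __name__ == "__main__":
    for base, scope in [(f"cn=Users,{DOMAIN}", "sub"), (DOMAIN, "sub"), (DOMAIN, "one")]:
        print(f"base={base:<45} scope={scope}: {authenticated_users(base, scope)}")
```

With the thread's base of cn=Users,dc=ads,dc=example,dc=local the search returns only squid, test and administrator whatever the scope, because User1 and User2 live under ou=Main and are simply outside the base; the memberOf clause is correct and is not what excludes them. With the domain root as the base and subtree scope all five group members are found, while one-level scope from the root finds nobody, since every user is at least two RDNs deep. The `escape_filter_value` step is the check worth keeping in mind when a filter takes `%s` from a login prompt: without it, a "username" containing `*`, `(` or `)` rewrites the filter instead of being compared as data.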
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.