Squid 3 LDAP Group Authentication



  • Hi

    I have been battling with this for 3 days now and it's driving me a little crazy.

    I can authenticate per user using LDAP with the following search filter:
    sAMAccountName=%s

    I cannot seem to get this done with a group however… I have tried the following search filters:

    • (&(memberOf=cn=ProxyAccess,ou=pfsense,dc=MyDomain,dc=local)(sAMAccountName=%s))

    • (&(objectCategory=user)(memberOf=cn=ProxyAccess,ou=pfsense,dc=MyDomain,dc=local)(sAMAccountName=%s))

    Whilst trying to authenticate, I run tail -f cache.log and I cannot see any errors

    Can anyone please assist me?

    Is there also a way of getting more detailed logging so I can try to figure out what is going on?

    I am assuming it is the search filter as I can authenticate when just using the user search filter

    Your assistance is greatly appreciated



  • so nobody then? ???



  • Check the squid.conf file, there is a bug in how this file is put together from the squid web page screens.
    /usr/pbi/squid-amd64/etc/squid/squid.conf
    Scroll down you should see this line:

    auth_param basic program /usr/pbi/squid-amd64/libexec/squid/basic_ldap_auth -R -v 3 -b dc=csla,dc=local -D XXXXX@csla.local -w XXXXXX -f "(|(userPrincipalName=%s)(sAMAccountName=%s))" -u uid -h hsserver01.csla.local

    So add the -R and change the -P to -h in front of the server and take the : off the end. What sucks is that it will add it all back in if you reboot the server or make any changes on the squid web pages.
    I haven't found the script that creates this conf file to fix it yet. Hoping that the developer would fix this and the whitelist error of not using dstdomain to parse the domain names in the whitelist.acl file.

    Hope this helps,

    Jim Ambrose



  • Check /usr/local/pkg/squid.inc



  • @Jambro1964:

    Check the squid.conf file, there is a bug in how this file is put together from the squid web page screens.
    /usr/pbi/squid-amd64/etc/squid/squid.conf
    Scroll down you should see this line:

    auth_param basic program /usr/pbi/squid-amd64/libexec/squid/basic_ldap_auth -R -v 3 -b dc=csla,dc=local -D XXXXX@csla.local -w XXXXXX -f "(|(userPrincipalName=%s)(sAMAccountName=%s))" -u uid -h hsserver01.csla.local

    So add the -R and change the -P to -h in front of the server and take the : off the end. What sucks is that it will add it all back in if you reboot the server or make any changes on the squid web pages.
    I haven't found the script that creates this conf file to fix it yet. Hoping that the developer would fix this and the whitelist error of not using dstdomain to parse the domain names in the whitelist.acl file.

    Hope this helps,

    Jim Ambrose

    Many thanks for taking the time to respond,

    I see that your search filter is only looking for a user, not for a user that belongs to a specific group.
    I require that if a user belongs to a group, even if not in the same OU as the group, it should authenticate.

    Imagine the following:

    MyDomain.local
    |
    |
    |Company(OU)
    |    |
    |    |
    Office(OU)
    |    |
    |    |Executives(OU)
    |
    |
    |
    pfsense(OU)
    |  |
    |  |__Allowed(CN)

    If I use the Search filter to just check if the user exists in pfsense(OU) then this authenticates 100% as long as the user exists in the pfsense OU.

    If I use the filter (&(memberOf=cn=Allowed,ou=pfsense,dc=MyDomain,dc=local)(sAMAccountName=%s))
    to check if a user belongs to the Allowed group, then this only works if that user exists in the pfsense OU.
    If the user however exists in the Office OU and is a member of the Allowed group, it fails.

    Desired result:

    I would love it if I could add users that belong to the Office and Executives OU's to the Allowed group and use squid to authenticate against that.

    Note:

    It seems as though the search query that I am using is matching if the user exists in the container AND (&) is a member of the group Allowed.

    I think I need a search filter to check if the user just belongs to the Allowed group.



  • Can anyone else assist please, someone has to have gotten this right??



  • come on, someone must have this config working



  • I use groups not OUs. Then based on the group the user is in my content filter has different levels of filtering. So you could use something like this to filter for approved proxy access by group:
    CN=internetusers,CN=Users,DC=csla,DC=local

    Some filter sites to help:
    http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
    https://confluence.atlassian.com/display/DEV/How+to+Write+LDAP+Search+Filters

    I also use:
    JXplorer to query my AD via LDAP and use those queries in this string. If my memory serves correctly I don't think you can use OUs in an LDAP query? I think I had the same problem and had to use groups instead.

    Jim



  • Hi, I had searched and banged my head for a while and finally figured out a way to authenticate users on squid3 using group authentication.

    For example: a group in LDAP, INTERNET, having a few members will get internet access rather than all of them.

    auth_param basic program /usr/lib/squid/ldap_auth -v 3 -ZZ -b "dc=intra,dc=example,dc=com" -f uid=%s -h ip/hostname of ldap
    external_acl_type ldapgroups ttl=5 %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -ZZ -b "dc=intra,dc=example,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h ip/hostname
    acl ldapgroup external ldapgroups internet
    auth_param basic children 200
    auth_param basic realm test-Web Squid3 Proxy Server
    auth_param basic credentialsttl 1 minute
    acl ldap-auth proxy_auth REQUIRED

    http_access deny !ldapgroup
    http_access allow ldap-auth
    http_access allow localnet
    cache_peer localhost parent 3129 0 no-query proxy-only login=*:nopassword
    http_access deny all
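An added example (not code from this thread or from Squid/pfSense) that models, in memory, how an LDAP search selects entries from a base DN with a subtree scope and a filter. It is meant to make two things in this thread concrete: the memberOf filters the original poster compared (a filter can only match entries that lie under the -b base DN, so the user's OU matters even when the group does not), and the %u/%g filter the last post hands to squid_ldap_group. The directory, DNs, user names and the `internet` POSIX-style group are constructed; the grammar covers only the operators used on this page (&, |, !, attr=value, attr=*), and the substituted login name is escaped per RFC 4515 as the real helpers do, so a name containing parentheses or `*` cannot change the filter's structure.

```python
"""Added example, not code from the thread: an in-memory model of an LDAP
subtree search (base DN + filter) to compare the filters discussed above.
All entries below are constructed."""
import re

# Constructed directory mirroring the OU tree in the post: the Allowed group
# lives under ou=pfsense, while bob lives under ou=Office,ou=Company.
DIRECTORY = {
    "cn=Allowed,ou=pfsense,dc=MyDomain,dc=local": {
        "objectCategory": ["group"], "cn": ["Allowed"]},
    "cn=alice,ou=pfsense,dc=MyDomain,dc=local": {
        "objectCategory": ["user"], "sAMAccountName": ["alice"],
        "memberOf": ["cn=Allowed,ou=pfsense,dc=MyDomain,dc=local"]},
    "cn=bob,ou=Office,ou=Company,dc=MyDomain,dc=local": {
        "objectCategory": ["user"], "sAMAccountName": ["bob"],
        "memberOf": ["cn=Allowed,ou=pfsense,dc=MyDomain,dc=local"]},
    "cn=carol,ou=Office,ou=Company,dc=MyDomain,dc=local": {
        "objectCategory": ["user"], "sAMAccountName": ["carol"]},
    # POSIX-style group of the kind the last post's (memberUid=%u) filter expects.
    "cn=internet,ou=groups,dc=MyDomain,dc=local": {
        "cn": ["internet"], "memberUid": ["alice", "bob"]},
}


def escape_filter_value(value):
    """RFC 4515 escaping for a login name substituted into a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def parse_filter(text):
    """Parse a filter into ('&'|'|'|'!', kids), ('=', attr, value) or
    ('present', attr) tuples."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError("malformed %s at offset %d" % (op, pos))
            pos += 1
            return (op, kids)
        end = text.index(")", pos)          # values are escaped, so no raw ')'
        attr, _, raw = text[pos:end].partition("=")
        pos = end + 1
        if raw == "*":
            return ("present", attr)
        unescaped = re.sub(r"\\([0-9a-fA-F]{2})",
                           lambda m: chr(int(m.group(1), 16)), raw)
        return ("=", attr, unescaped)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def attr_values(entry, attr):
    """LDAP attribute names are case-insensitive."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def matches(tree, entry):
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    if op == "present":
        return bool(attr_values(entry, tree[1]))
    _, attr, value = tree
    return any(v.lower() == value.lower() for v in attr_values(entry, attr))


def in_subtree(dn, base):
    """Subtree scope: the entry is the base DN or lies anywhere below it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def search(base, filter_text):
    """DNs under `base` matching `filter_text`, sorted."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, e in DIRECTORY.items()
                  if in_subtree(dn, base) and matches(tree, e))


def basic_auth_lookup(base, filter_template, username):
    """Model of the -b/-f search basic_ldap_auth runs before binding:
    exactly one hit is required, otherwise the login is rejected."""
    hits = search(base, filter_template.replace("%s", escape_filter_value(username)))
    return hits[0] if len(hits) == 1 else None


def external_acl_check(base, filter_template, user, group):
    """Model of squid_ldap_group: %u/%g substituted, any hit answers OK."""
    filt = (filter_template.replace("%u", escape_filter_value(user))
                           .replace("%g", escape_filter_value(group)))
    return "OK" if search(base, filt) else "ERR"


if __name__ == "__main__":
    f = "(&(memberOf=cn=Allowed,ou=pfsense,dc=MyDomain,dc=local)(sAMAccountName=%s))"
    for base in ("ou=pfsense,dc=MyDomain,dc=local", "dc=MyDomain,dc=local"):
        for user in ("alice", "bob", "carol"):
            print(base, user, basic_auth_lookup(base, f, user))
    print(external_acl_check("dc=MyDomain,dc=local", "(&(cn=%g)(memberUid=%u))", "bob", "internet"))
```

Running the block shows the effect of the base DN directly: with `-b ou=pfsense,...` only alice is found by the memberOf filter, while with `-b dc=MyDomain,dc=local` both alice and bob are found and carol (not in the group) is still rejected. The last line models the external ACL lookup from the final post, which answers OK for a member and ERR otherwise.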

