Netgate Discussion Forum

Squid 3 LDAP Group Authentication

9 Posts 4 Posters 8.1k Views
  • F
    Fabzster
    last edited by Jan 29, 2015, 11:25 AM

    Hi

    I have been battling with this for 3 days now and it's driving me a little crazy.

    I can authenticate by user using LDAP with the following search filter:
    sAMAccountName=%s

    I cannot seem to get this done with a group however… I have tried the following search filters:

    • (&(memberOf=cn=ProxyAccess,ou=pfsense,dc=MyDomain,dc=local)(sAMAccountName=%s))

    • (&(objectCategory=user)(memberOf=cn=ProxyAccess,ou=pfsense,dc=MyDomain,dc=local)(sAMAccountName=%s))

    Whilst trying to authenticate, I run tail -f cache.log and I cannot see any errors.

    Can anyone please assist me?

    Is there also a way of getting more detailed logging so I can try to figure out what is going on?

    I am assuming it is the search filter, as I can authenticate when just using the user search filter.

    Your assistance is greatly appreciated.

    • F
      Fabzster
      last edited by Feb 9, 2015, 1:12 PM

      So nobody then???

      • J
        Jambro1964
        last edited by Feb 9, 2015, 11:15 PM

        Check the squid.conf file; there is a bug in how this file is put together from the Squid web page screens.
        /usr/pbi/squid-amd64/etc/squid/squid.conf
        Scroll down and you should see this line:

        auth_param basic program /usr/pbi/squid-amd64/libexec/squid/basic_ldap_auth -R -v 3 -b dc=csla,dc=local -D XXXXX@csla.local -w XXXXXX -f "(|(userPrincipalName=%s)(sAMAccountName=%s))" -u uid -h hsserver01.csla.local

        So add the -R and change the -P to -h in front of the server and take the : off the end. What sucks is that it will add it all back in if you reboot the server or make any changes on the squid web pages.
        I haven't found the script that creates this conf file to fix it yet. Hoping that the developer would fix this and the whitelist error of not using dstdomain to parse the domain names in the whitelist.acl file.

        Hope this helps,

        Jim Ambrose

        • C
          Cino
          last edited by Feb 10, 2015, 12:08 AM

          Check /usr/local/pkg/squid.inc

          • F
            Fabzster
            last edited by Feb 10, 2015, 10:12 AM Feb 10, 2015, 9:37 AM

            @Jambro1964:


            Many thanks for taking the time to respond,

            I see that your search filter is only looking for a user, and not for a user that belongs to a specific group.
            I require that if a user belongs to a group, even if not in the same OU as the group, it should authenticate.

            Imagine the following:

            MyDomain.local
            |
            |__Company (OU)
            |    |
            |    |__Office (OU)
            |    |
            |    |__Executives (OU)
            |
            |__pfsense (OU)
                 |
                 |__Allowed (CN)

            If I use the Search filter to just check if the user exists in pfsense(OU) then this authenticates 100% as long as the user exists in the pfsense OU.

            If I use the filter (&(memberOf=cn=Allowed,ou=pfsense,dc=MyDomain,dc=local)(sAMAccountName=%s))
            to check if a user belongs to the Allowed group, then this only works if that user exists in the pfsense OU.
            If the user, however, exists in the Office OU and is a member of the Allowed group, it fails.

            Desired result:

            I would love it if I could add users that belong to the Office and Executives OUs to the Allowed group and use Squid to authenticate against that.

            Note:

            It seems as though the search query that I am using is matching if the user exists in the container AND (&) is a member of the group Allowed.

            I think I need a search filter to check if the user just belongs to the Allowed group.

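The behaviour described in this post, as an added example that is not code from the thread, Squid or pfSense: an offline model of the search that basic_ldap_auth runs for the filter (&(memberOf=...)(sAMAccountName=%s)). It assumes, as the symptom suggests, that the helper's search base (-b) was the pfsense OU; the user entries are constructed to mirror the OU tree above, and the login is escaped per RFC 4515 before it is placed in the filter.

```python
# Added example (not code from the thread, Squid or pfSense): offline model of
# the search basic_ldap_auth runs for (&(memberOf=<group>)(sAMAccountName=%s)).
# Entries are constructed; a real helper issues the same search over LDAP.

GROUP_DN = "cn=Allowed,ou=pfsense,dc=MyDomain,dc=local"

# Constructed users: alice in the pfsense OU, bob in Office, carol in
# Executives; alice and bob are members of the Allowed group.
DIRECTORY = [
    {"dn": "cn=alice,ou=pfsense,dc=MyDomain,dc=local",
     "sAMAccountName": "alice", "memberOf": [GROUP_DN]},
    {"dn": "cn=bob,ou=Office,ou=Company,dc=MyDomain,dc=local",
     "sAMAccountName": "bob", "memberOf": [GROUP_DN]},
    {"dn": "cn=carol,ou=Executives,ou=Company,dc=MyDomain,dc=local",
     "sAMAccountName": "carol", "memberOf": []},
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the login substituted for %s must not be able to
    add or close filter components (LDAP filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)

def build_filter(login: str, group_dn: str = GROUP_DN) -> str:
    """The filter string from the thread, with the login escaped."""
    return "(&(memberOf=%s)(sAMAccountName=%s))" % (
        escape_filter_value(group_dn), escape_filter_value(login))

def in_subtree(dn: str, base: str) -> bool:
    """Subtree scope: only entries at or below the search base (-b) are seen."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def find_group_member(base: str, login: str, group_dn: str = GROUP_DN) -> list:
    """DNs the filter matches when searched under `base`. memberOf is an
    attribute of the user entry, so the user's own OU is irrelevant; what
    decides the outcome is whether `base` covers that OU."""
    return [e["dn"] for e in DIRECTORY
            if in_subtree(e["dn"], base)
            and e["sAMAccountName"].lower() == login.lower()
            and any(g.lower() == group_dn.lower() for g in e["memberOf"])]

if __name__ == "__main__":
    for base in ("ou=pfsense,dc=MyDomain,dc=local", "dc=MyDomain,dc=local"):
        print(base, "->", find_group_member(base, "bob"))
```

With the base at the pfsense OU only alice is found; with the base at dc=MyDomain,dc=local the same filter also finds bob in the Office OU, while carol (not a group member) is never matched.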
            • F
              Fabzster
              last edited by Feb 14, 2015, 3:53 AM

              Can anyone else assist, please? Someone has to have gotten this right??

              • F
                Fabzster
                last edited by Feb 28, 2015, 5:14 AM

                Come on, someone must have this config working.

                • J
                  Jambro1964
                  last edited by Apr 1, 2015, 11:47 PM

                  I use groups, not OUs. Then, based on the group the user is in, my content filter has different levels of filtering. So you could use something like this to filter for approved proxy access by group:
                  CN=internetusers,CN=Users,DC=csla,DC=local

                  Some filter sites to help:
                  http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
                  https://confluence.atlassian.com/display/DEV/How+to+Write+LDAP+Search+Filters

                  I also use JXplorer to query my AD via LDAP and use those queries in this string. If my memory serves correctly, I don't think you can use OUs in an LDAP query? I think I had the same problem and had to use groups instead.

                  Jim

                  • N
                    nickboy360
                    last edited by Nov 17, 2015, 9:42 AM

                    Hi, I had searched and banged my head for a while and finally figured out a way to authenticate users on squid3 using group authentication.

                    For example: a group in LDAP, INTERNET, having a few members will get internet access rather than all of them.

                    # Basic auth: find the user by uid=%s under the base DN and bind as them (-ZZ requests TLS on the LDAP connection)
                    auth_param basic program /usr/lib/squid/ldap_auth -v 3 -ZZ -b "dc=intra,dc=example,dc=com" -f uid=%s -h ip/hostname of ldap
                    # Group check: the authenticated login (%LOGIN) is passed to the helper, which matches (&(cn=%g)(memberUid=%u)); results are cached for ttl=5 seconds
                    external_acl_type ldapgroups ttl=5 %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -ZZ -b "dc=intra,dc=example,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h ip/hostname
                    # "internet" is the %g group name handed to the helper
                    acl ldapgroup external ldapgroups internet
                    auth_param basic children 200
                    auth_param basic realm test-Web Squid3 Proxy Server
                    auth_param basic credentialsttl 1 minute
                    acl ldap-auth proxy_auth REQUIRED

                    # Deny anyone who is not in the group first, then allow the remaining authenticated users
                    http_access deny !ldapgroup
                    http_access allow ldap-auth
                    http_access allow localnet
                    cache_peer localhost parent 3129 0 no-query proxy-only login=*:nopassword
                    http_access deny all

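The external ACL mechanism this config relies on, as an added example that is neither nickboy360's setup nor Squid's own squid_ldap_group helper: a minimal helper speaking the line protocol behind "external_acl_type ... %LOGIN", where Squid writes one "<login> <group...>" line per request and expects "OK" or "ERR" back. The posixGroup lookup behind (&(cn=%g)(memberUid=%u)) is simulated against constructed entries so the script runs offline.

```python
# Added example (not nickboy360's helper nor Squid's squid_ldap_group): a
# minimal Squid external ACL helper. Squid sends "<login> <group> [<group>...]"
# per line; only a reply of "OK" grants access. Group data is constructed.
import sys

# Constructed posixGroup entries, the shape (&(cn=%g)(memberUid=%u)) matches:
# cn -> set of memberUid values.
GROUPS = {
    "internet": {"alice", "bob"},
    "staff": {"alice", "bob", "carol"},
}

def group_lookup(user: str, group: str) -> bool:
    """Equivalent of the filter (&(cn=<group>)(memberUid=<user>)) returning
    at least one entry. cn compares case-insensitively, memberUid exactly."""
    return user in GROUPS.get(group.lower(), set())

def handle_request(line: str) -> str:
    """One request line -> one reply line. A line without a group argument
    can never be a match, so it is answered ERR rather than OK."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"
    user, groups = fields[0], fields[1:]
    # Several group arguments on the acl line mean "member of any of them".
    return "OK" if any(group_lookup(user, g) for g in groups) else "ERR"

def main() -> None:
    # Squid blocks on each reply, so flush after every line; never buffer.
    for line in sys.stdin:
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Wired in as "external_acl_type ldapgroups ttl=5 %LOGIN /path/to/this_helper.py" with "acl ldapgroup external ldapgroups internet", the line Squid sends for user alice is "alice internet" and the reply is "OK".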
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.