Netgate Discussion Forum

Squid Proxy with ldap Authentication

    net_admin (Feb 9, 2016, 10:08 PM):

    I am setting up a pfsense firewall with a squid3 proxy. I am looking to authenticate against an openldap server using the starttls option. The server does not allow authentication or binds to be performed unless ssl or starttls is used.

    I do not see an option in the squid setting page to set these options - or to specify a CA to use for building the trust relationship.

    Is there an option I am overlooking, or is this set some place else (cli maybe?)

    Thanks


    net_admin (Feb 10, 2016, 7:23 PM; last edited Feb 10, 2016, 7:53 PM):

      So I was able to make this work:

      1. scp Root Cert to pfsense (I sent it to /opt/ca.pem)

      2. Edit squid.inc file, and add -ZZ option to the command (note: option requires version 3)
        The -ZZ option specifies to use startTLS

      File: /usr/local/pkg/squid.inc  (search file for appropriate line)
      From ->

      $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";


      To ->

      $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -ZZ -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";

      3. Edit squid.conf with same option:
        File: /usr/pbi/squid-amd64/local/etc/squid/squid.conf (search file for appropriate line)
        From ->
      auth_param basic program /usr/pbi/squid-amd64/local/libexec/squid/basic_ldap_auth -v 3 -b ou=People,dc=example,dc=com -D cn=nssproxy,ou=Services,dc=example,dc=com -w passHere -f "(&(objectClass=person)(uid=%s))" -u uid -P ldap.example.com:389


      To ->

      auth_param basic program /usr/pbi/squid-amd64/local/libexec/squid/basic_ldap_auth -ZZ -v 3 -b ou=People,dc=example,dc=com -D cn=nssproxy,ou=Services,dc=example,dc=com -w passHere -f "(&(objectClass=person)(uid=%s))" -u uid -P ldap.example.com:389


      4. Edit ldap.conf file to point to ca.pem like:
      File: /usr/pbi/squid-amd64/local/etc/openldap/ldap.conf

      #
      # LDAP Defaults
      #
      
      # See ldap.conf(5) for details
      # This file should be world readable but not world writable.
      
      #BASE	dc=example,dc=com
      #URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
      
      #SIZELIMIT	12
      #TIMELIMIT	15
      #DEREF		never
      TLS_CACERT /opt/ca.pem
      TLS_REQCERT allow
      
      

      With all this being said, my concern is that these changes will be overwritten at some point due to an update, reboot, restart, etc. What is the preferred method for adding changes/options that are not directly supported via the GUI?

      If at all possible I would prefer to do this via the GUI (still hoping I missed the option). I would like to stay away from these kinds of customizations as much as possible.


      robertfranz (Sep 25, 2016, 9:56 PM):
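The four manual edits in the post above, as an added example that is not from the original post or from the pfSense squid package: a POSIX sh script that inserts the -ZZ flag into both files idempotently, writes the ldap.conf, and checks the result. It takes the file paths the post gives for the squid-amd64 pbi layout and /opt/ca.pem as the default CA path; both are assumptions to adjust for your pfSense release. One deliberate difference from the post's ldap.conf: it sets TLS_REQCERT demand instead of allow. With allow, ldap.conf(5) says a missing or unverifiable server certificate is ignored and the session proceeds, which defeats the point of shipping a CA file; demand aborts the session instead. The probe_starttls helper needs network access and an OpenSSL with -starttls ldap support (1.1.1 or later); everything else runs offline.

```shell
#!/bin/sh
# Added example (not from the post or the pfSense squid package): enable StartTLS
# for Squid's basic_ldap_auth helper on pfSense and point it at a trusted CA.
# Paths are the ones the post gives for the squid-amd64 pbi layout; treat them
# as assumptions and adjust for your pfSense release.

SQUID_INC=/usr/local/pkg/squid.inc
SQUID_CONF=/usr/pbi/squid-amd64/local/etc/squid/squid.conf
LDAP_CONF=/usr/pbi/squid-amd64/local/etc/openldap/ldap.conf

# Insert "-ZZ" directly after "basic_ldap_auth" on every line that invokes the
# helper, unless that line already passes -Z/-ZZ. Works on both the PHP
# template (squid.inc) and the generated squid.conf, and is idempotent, so it
# is safe to rerun after a package update regenerates the files.
add_starttls_flag() {
    file=$1
    tmp="$file.tmp.$$"
    sed -e '/basic_ldap_auth -Z/!s/basic_ldap_auth /basic_ldap_auth -ZZ /' "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# True if the helper line in the given file carries the StartTLS flag.
has_starttls_flag() {
    grep -q 'basic_ldap_auth -ZZ' "$1"
}

# Write the OpenLDAP client config the helper reads. TLS_REQCERT demand (not
# allow, as in the post) makes libldap abort the session when the server
# presents no certificate or one that does not chain to TLS_CACERT.
write_ldap_conf() {
    file=$1
    ca=$2
    cat > "$file" <<EOF
# OpenLDAP client defaults for Squid basic_ldap_auth (StartTLS)
TLS_CACERT $ca
TLS_REQCERT demand
EOF
}

# True if ldap.conf names a readable CA file and demands certificate verification.
check_ldap_conf() {
    file=$1
    ca=$(sed -n 's/^TLS_CACERT[[:space:]][[:space:]]*//p' "$file" | head -n 1)
    [ -n "$ca" ] && [ -r "$ca" ] \
        && grep -q '^TLS_REQCERT[[:space:]][[:space:]]*demand' "$file"
}

# Optional live check (needs network and OpenSSL 1.1.1+ for -starttls ldap):
# confirm the server's StartTLS certificate verifies against the CA before
# squid starts refusing every login. Usage: probe_starttls ldap.example.com:389 /opt/ca.pem
probe_starttls() {
    openssl s_client -starttls ldap -connect "$1" -CAfile "$2" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Apply everything only when invoked as: sh enable_starttls.sh apply [/path/to/ca.pem]
if [ "${1:-}" = "apply" ]; then
    ca=${2:-/opt/ca.pem}
    add_starttls_flag "$SQUID_INC"
    add_starttls_flag "$SQUID_CONF"
    write_ldap_conf "$LDAP_CONF" "$ca"
    if has_starttls_flag "$SQUID_CONF" && check_ldap_conf "$LDAP_CONF"; then
        echo "StartTLS enabled; restart the squid service to pick up the change"
    else
        echo "configuration check failed; inspect $SQUID_CONF and $LDAP_CONF" >&2
        exit 1
    fi
fi
```

Run it on the firewall as `sh enable_starttls.sh apply /opt/ca.pem`; without the apply argument it only defines the functions, so you can source it and run has_starttls_flag or check_ldap_conf against the live files after a package update to see whether the edits survived. Because the sed substitution skips lines that already carry -Z, rerunning after an update is safe.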

        This is going to sound odd, but on the Squid Local Cache tab, at the bottom of the page, is a section labelled Dynamic and Update Content.

        In that section is a text box "Custom refresh_patterns"

        Apparently, there are a lot of options that can be passed here. I know I've passed log directives to change the format to combined and pipe it through syslog_ng.

        Quite possible that your code could be passed here, and it does survive reboots and (so far) upgrades.
