Bug #10379

squid not authenticate LDAP/RADIUS

Added by Ismael Peixoto Azambuja 2 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Squid
Target version:
-
Start date:
03/27/2020
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.4.5
Affected Architecture:

Description

pfSense 2.4.4p3 with all packages updated, using Squid with LDAP authentication, was working perfectly; the server had 2 years or more of smooth operation through previous updates. After upgrading to 2.4.5, both LDAP and RADIUS permanently ask for authentication even when using valid credentials. Diagnostics/authentication testing successfully validates users. Only Squid is not working properly.

erro squid+ldap.PNG (187 KB) - Ismael Peixoto Azambuja, 03/27/2020 09:15 AM
pfsense-squid.JPG (61.3 KB) - O 71, 03/29/2020 08:12 AM
error-pfsense-squid.JPG (45.1 KB) - O 71, 03/30/2020 05:08 PM

History

#2 Updated by Viktor Gurov 2 months ago

Ismael Peixoto Azambuja wrote:

pfSense 2.4.4p3 with all packages updated, using Squid with LDAP authentication, was working perfectly; the server had 2 years or more of smooth operation through previous updates. After upgrading to 2.4.5, both LDAP and RADIUS permanently ask for authentication even when using valid credentials. Diagnostics/authentication testing successfully validates users. Only Squid is not working properly.

Can you post "Squid - Cache Logs" content from the Squid realtime monitor page during authentication attempts?

---
No RADIUS auth changes since 0.4.44_9, so it doesn't seem to be https://redmine.pfsense.org/issues/9217
Most likely a Squid 3 -> 4 specific issue

#3 Updated by Ismael Peixoto Azambuja 2 months ago

Apparently everything is right in the configuration; when I type the user and password, the users appear in the log. The one I'm testing now has no blocking rule on it; it is default and only with authentication.

#4 Updated by Ismael Peixoto Azambuja 2 months ago

Cache.log

[2.4.4-RELEASE][]/var/squid/logs: cat cache.log
2020/03/27 10:29:52 kid1| Starting Squid Cache version 4.9 for amd64-portbld-freebsd11.3...
2020/03/27 10:29:52 kid1| Service Name: squid
2020/03/27 11:02:32 kid1| Starting new basicauthenticator helpers...

#5 Updated by Ismael Peixoto Azambuja 2 months ago

I have not found the problem yet, but I did test on an outdated server, 2.4.4p3 with squid 0.4.44_8, and everything works perfectly... Authentication with LDAP, custom ACLs, and all other settings I have. The LDAP server is the same for all tests. What I can say for sure is that it is not the parameters I use or the LDAP server that are wrong.

#6 Updated by Viktor Gurov 2 months ago

Local and RADIUS auth works fine

LDAP auth fix:
https://github.com/pfsense/FreeBSD-ports/pull/811

#7 Updated by Ismael Peixoto Azambuja 2 months ago

Viktor Gurov wrote:

Local and RADIUS auth works fine

LDAP auth fix:
https://github.com/pfsense/FreeBSD-ports/pull/811

Hi, I tested this fix, but it doesn't work here...
0.4.44_8 OK : auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=UERGS,DC=RS -D CN=SQUID,OU=ADMINS,DC=UERGS,DC=RS -w password -f "sAMAccountName=%s" -u uid -P 172.16.0.16:389

0.4.44_15 problem; I tried these and they did not work here:

auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'DC=UERGS,DC=RS' -D 'CN=SQUID,OU=ADMINS,DC=UERGS,DC=RS' '-w password' -f 'sAMAccountName=%s' -u 'uid' -P '172.16.0.16:389'

auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'DC=UERGS,DC=RS' -D 'CN=SQUID,OU=ADMINS,DC=UERGS,DC=RS' -w 'password' -f 'sAMAccountName=%s' -u 'uid' -P '172.16.0.16:389'

auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=UERGS,DC=RS -D CN=SQUID,OU=ADMINS,DC=UERGS,DC=RS -w password -f sAMAccountName=%s -u uid -P 172.16.0.16:389

#8 Updated by Viktor Gurov 2 months ago

Ismael Peixoto Azambuja wrote:

Hi, I tested this fix, but it doesn't work here...

I have successfully tested this PR with Win2008R2 AD authentication.

Do you have any special symbols or special characters like æøå in your LDAP password?
Can you check it with a simple password?
Or replace:

$password = (isset($settings['ldap_pass']) ? "-w " . escapeshellarg($settings['ldap_pass']) : '');

with
$password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');

#9 Updated by O 71 2 months ago

I have the same problem after update.

I think the problem comes from the -w parameter. It should be done like this:

-w 'password'

and not
'-w password'

For my part I have another problem: I was using the -R parameter, and in pfSense there is no area provided to check or add this parameter. So I used the LDAP Base field to add it; it worked before: Domain = dc = domain, dc = lan -R

But now it doesn't work anymore because of the '' quoting, which wraps the whole value:
-b 'dc = domain, dc = lan -R'
when it should be
-b 'dc = domain, dc = lan' -R

I changed it in squid.conf and restarted Squid, and it works:

auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'dc=...,dc=...' -R -D 'cn=...,cn=...,dc=...,dc=...' -w 'password' -f '(sAMAccountName=%s)' -u '' -P 'IP:389'

But I can't use the GUI to set parameters :-/

Thanks a lot

#10 Updated by O 71 2 months ago

A picture of my test to illustrate

#11 Updated by Viktor Gurov 2 months ago

O 71 wrote:

I have the same problem after update.

I think the problem comes from the -w parameter. It should be done like this:

-w 'password'

and not
'-w password'

For my part I have another problem: I was using the -R parameter, and in pfSense there is no area provided to check or add this parameter. So I used the LDAP Base field to add it; it worked before: Domain = dc = domain, dc = lan -R

The PR fixes the '-w password' issue, and now it also adds the -R (do not follow referrals) option.

#12 Updated by Jim Pingle 2 months ago

  • Status changed from New to Feedback

PR was merged

#13 Updated by O 71 2 months ago

Hello,

I updated to 0.4.44_16; I use LDAP authentication. The password is OK, but it doesn't work correctly with the "-R" parameter.

There are 2 problems:

1- The -R parameter doesn't work if it's at the end of the line (I don't know why). See the attached file.

2- The "-R" parameter is always added to the squid.conf file (checkbox checked or not).

If I inspect the code of the checkbox I see :

<input name="ldap_noreferrals" id="ldap_noreferrals" type="checkbox" value="on">

So I think you should replace in the squid.inc file :

$noreferrals = (isset($settings['ldap_noreferrals']) ? "-R " : '');

with:

$noreferrals = ($settings['ldap_noreferrals'] == 'on' ? "-R " : '');

And place the -R parameter before another parameter.

Thanks a lot

#14 Updated by Ismael Peixoto Azambuja 2 months ago

Available update: 0.4.44_16; here everything works perfectly now.

I do not know who to thank, but thanks for the correction!

#15 Updated by O 71 2 months ago

Hi Ismael,

Can you give me the line written in the squid.conf file?
If you check or uncheck "LDAP follow referrals", is the "-R" parameter added or not?

I don't know why for me this parameter is always present.

Thanks

#16 Updated by O 71 2 months ago

I tested, and it works if I modify the file /usr/local/pkg/squid.inc like this:

 $password = (isset($settings['ldap_pass']) ? "-w " . escapeshellarg($settings['ldap_pass']) : '');
 $noreferrals = ($settings['ldap_noreferrals'] == 'on' ? " -R" : '');
 $conf .= "auth_param basic program " . SQUID_LOCALBASE
         . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b " . escapeshellarg($settings['ldap_basedomain'])
         . $noreferrals
         . " -D " . escapeshellarg($settings['ldap_user']) . " " . $password
         . " -f " . escapeshellarg($settings['ldap_filter']) . " -u " . escapeshellarg($settings['ldap_userattribute'])
         . " -P " . escapeshellarg($settings['auth_server'] . $port) . "\n";
break;

Can you do the update of the pkg ?

Thanks a lot
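As an added illustration (not code from pfSense's squid.inc nor from anyone in this thread) of the two defects discussed in comments #8 and #16, this stand-alone PHP script rebuilds the basic_ldap_auth argument string both ways and splits it the way the shell would, so the difference between '-w password' (one argv token) and -w 'password' (two), and between the isset() and == 'on' checkbox tests, is visible. The settings array, its DNs and the password are constructed values.

```php
<?php
// Added example; this is not pfSense's squid.inc, only a stand-alone
// reconstruction of the auth_param argument builder discussed in this
// thread, contrasting the quoting that broke LDAP auth with the fix.

// Minimal word splitter honouring single quotes and backslashes (all that
// escapeshellarg() emits on FreeBSD), to show the argv that squid's
// basic_ldap_auth helper would receive.
function shell_words(string $line): array {
    $words = []; $cur = ''; $quoted = false; $pending = false;
    for ($i = 0, $n = strlen($line); $i < $n; $i++) {
        $c = $line[$i];
        if ($c === "'") { $quoted = !$quoted; $pending = true; continue; }
        if (!$quoted && $c === '\\' && $i + 1 < $n) { $cur .= $line[++$i]; $pending = true; continue; }
        if (!$quoted && ($c === ' ' || $c === "\t")) {
            if ($pending) { $words[] = $cur; }
            $cur = ''; $pending = false; continue;
        }
        $cur .= $c; $pending = true;
    }
    if ($pending) { $words[] = $cur; }
    return $words;
}

// Broken form reported in this bug: flag and password escaped as ONE
// argument, and -R emitted whenever the key exists at all (even as '').
function ldap_auth_args_broken(array $s): string {
    $password    = isset($s['ldap_pass']) ? escapeshellarg("-w " . $s['ldap_pass']) : '';
    $noreferrals = isset($s['ldap_noreferrals']) ? " -R" : '';
    return "-b " . escapeshellarg($s['ldap_basedomain']) . $noreferrals
         . " -D " . escapeshellarg($s['ldap_user']) . " " . $password;
}

// Corrected form from comment #16: escape only the value, and emit -R
// only when the checkbox value is 'on'.
function ldap_auth_args_fixed(array $s): string {
    $password    = isset($s['ldap_pass']) ? "-w " . escapeshellarg($s['ldap_pass']) : '';
    $noreferrals = (($s['ldap_noreferrals'] ?? '') === 'on') ? " -R" : '';
    return "-b " . escapeshellarg($s['ldap_basedomain']) . $noreferrals
         . " -D " . escapeshellarg($s['ldap_user']) . " " . $password;
}

// Constructed settings: password with a quote and a space, and the
// "unchecked" checkbox stored as '' (the case O 71 reported).
$settings = ['ldap_basedomain' => 'DC=example,DC=test',
    'ldap_user' => 'CN=squid,OU=svc,DC=example,DC=test',
    'ldap_pass' => "it's secret", 'ldap_noreferrals' => ''];
printf("broken argv: %s\n", json_encode(shell_words(ldap_auth_args_broken($settings))));
printf("fixed argv:  %s\n", json_encode(shell_words(ldap_auth_args_fixed($settings))));
```

In the broken output the helper receives the flag and password glued into a single token and an unrequested -R; in the fixed output -w is its own token and -R is absent.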

#18 Updated by Jim Pingle 2 months ago

  • Status changed from Feedback to Pull Request Review

#19 Updated by Ismael Peixoto Azambuja 2 months ago

O 71 wrote:

Hi Ismael,

Can you give me the line written in the squid.conf file?
If you check or uncheck "LDAP follow referrals", is the "-R" parameter added or not?

I don't know why for me this parameter is always present.

Thanks

Hi, after the update...(squid.conf)

auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'DC=UERGS,DC=RS' -D 'CN=SQUID,OU=ADMINS,DC=UERGS,DC=RS' -w 'password' -f 'sAMAccountName=%s' -u 'uid' -P 'LDAP.UERGS.RS:389' -R

#20 Updated by O 71 2 months ago

Ismael Peixoto Azambuja wrote:

O 71 wrote:

Hi Ismael,

Can you give me the line written in the squid.conf file?
If you check or uncheck "LDAP follow referrals", is the "-R" parameter added or not?

I don't know why for me this parameter is always present.

Thanks

Hi, after the update...(squid.conf)

auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'DC=UERGS,DC=RS' -D 'CN=SQUID,OU=ADMINS,DC=UERGS,DC=RS' -w 'password' -f 'sAMAccountName=%s' -u 'uid' -P 'LDAP.UERGS.RS:389' -R

Thanks Ismael
Is the "-R" parameter at the end of the line not blocking for you? I don't understand why in my case it only works if this parameter is placed before the "-P" parameter.

#21 Updated by Jim Pingle 2 months ago

  • Status changed from Pull Request Review to Feedback

PR 814 was merged

#22 Updated by Viktor Gurov about 2 months ago

  • Status changed from Feedback to Resolved

Works as expected on 2.4.5 with squid 0.4.44_19
