Bug #10379: squid does not authenticate LDAP/RADIUS
Status: Closed
Added by Ismael Peixoto Azambuja about 5 years ago. Updated about 5 years ago.
Description
pfSense 2.4.4p3 with all packages updated, using Squid with LDAP authentication, was working perfectly; the server had 2 years or more of smooth operation across previous updates. After upgrading to 2.4.5, both LDAP and RADIUS permanently prompt for authentication even with valid credentials. Diagnostics/Authentication testing successfully validates users. Only Squid is not working properly.
Files
erro squid+ldap.PNG (187 KB) | Ismael Peixoto Azambuja, 03/27/2020 09:15 AM
pfsense-squid.JPG (61.3 KB) | O 71, 03/29/2020 08:12 AM
error-pfsense-squid.JPG (45.1 KB) | O 71, 03/30/2020 05:08 PM
Updated by Viktor Gurov about 5 years ago
Seems to be a regression from https://redmine.pfsense.org/issues/9217
Updated by Viktor Gurov about 5 years ago
Ismael Peixoto Azambuja wrote:
pfSense 2.4.4p3 with all packages updated, using Squid with LDAP authentication, was working perfectly; the server had 2 years or more of smooth operation across previous updates. After upgrading to 2.4.5, both LDAP and RADIUS permanently prompt for authentication even with valid credentials. Diagnostics/Authentication testing successfully validates users. Only Squid is not working properly.
Can you post "Squid - Cache Logs" content from the Squid realtime monitor page during authentication attempts?
---
No RADIUS auth changes since 0.4.44_9, so it doesn't seem to be https://redmine.pfsense.org/issues/9217
Most likely a Squid 3 -> 4 specific issue
Updated by Ismael Peixoto Azambuja about 5 years ago
- File erro squid+ldap.PNG added
Apparently everything is right in the configuration: when I type the user and password, the users appear in the log. The one I'm testing now has no blocking rule on it; it is the default with only authentication.
Updated by Ismael Peixoto Azambuja about 5 years ago
Cache.log
[2.4.4-RELEASE][admin@PFLog01.intra.uergs.rs]/var/squid/logs: cat cache.log
2020/03/27 10:29:52 kid1| Starting Squid Cache version 4.9 for amd64-portbld-freebsd11.3...
2020/03/27 10:29:52 kid1| Service Name: squid
2020/03/27 11:02:32 kid1| Starting new basicauthenticator helpers...
Updated by Ismael Peixoto Azambuja about 5 years ago
I have not found the problem yet, but I did test on an outdated server, 2.4.4p3 with squid 0.4.44_8, and everything works perfectly: authentication with LDAP, custom ACLs, and all the other settings I have. The LDAP server is the same for all tests. What I can say for sure is that it is not the parameters I use that may be wrong, nor the LDAP server used.
Updated by Viktor Gurov about 5 years ago
Local and RADIUS auth works fine
LDAP auth fix:
https://github.com/pfsense/FreeBSD-ports/pull/811
Updated by Ismael Peixoto Azambuja about 5 years ago
Viktor Gurov wrote:
Local and RADIUS auth works fine
LDAP auth fix:
https://github.com/pfsense/FreeBSD-ports/pull/811
Hi, I tested this fix, but it doesn't work here...
0.4.44_8 OK : auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=UERGS,DC=RS -D CN=SQUID,OU=ADMINS,DC=UERGS,DC=RS -w password -f "sAMAccountName=%s" -u uid -P 172.16.0.16:389
0.4.44_15 Problem, I tried and it did not work here:
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'DC=UERGS,DC=RS' -D 'CN=SQUID,OU=ADMINS,DC=UERGS,DC=RS' '-w password' -f 'sAMAccountName=%s' -u 'uid' -P '172.16.0.16:389'
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'DC=UERGS,DC=RS' -D 'CN=SQUID,OU=ADMINS,DC=UERGS,DC=RS' -w 'password' -f 'sAMAccountName=%s' -u 'uid' -P '172.16.0.16:389'
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=UERGS,DC=RS -D CN=SQUID,OU=ADMINS,DC=UERGS,DC=RS -w password -f sAMAccountName=%s -u uid -P 172.16.0.16:389
Updated by Viktor Gurov about 5 years ago
Ismael Peixoto Azambuja wrote:
Hi, I tested this fix, but it doesn't work here...
I have successfully tested this PR with Win2008R2 AD authentication.
Do you have any special symbols or special characters like æøå in your LDAP password?
Can you check it with a simple password?
Or replace:
$password = (isset($settings['ldap_pass']) ? "-w " . escapeshellarg($settings['ldap_pass']) : '');
with
$password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
Updated by O 71 about 5 years ago
I have the same problem after update.
I think the problem comes from the -w parameter. It should be done like this:
-w 'password'
and not
'-w password'
For my part I have another problem: I was using the -R parameter, and in pfSense there is no field provided to check or add this parameter, so I used the LDAP Base field to add it. It worked before: Domain = dc = domain, dc = lan -R
But now it doesn't work anymore because the '' quotes enclose the whole thing:
-b 'dc = domain, dc = lan -R'
when it should be
-b 'dc = domain, dc = lan' -R
I changed it in squid.conf and restarted squid, and it works:
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'dc=...,dc=...' -R -D 'cn=...,cn=...,dc=...,dc=...' -w 'password' -f '(sAMAccountName=%s)' -u '' -P 'IP:389'
But I can't use the GUI to set parameters :-/
Thanks a lot
Updated by O 71 about 5 years ago
- File pfsense-squid.JPG added
A picture of my test to illustrate
Updated by Viktor Gurov about 5 years ago
O 71 wrote:
I have the same problem after update.
I think the problem comes from the -w parameter. It should be done like this:
-w 'password'
and not
'-w password'
For my part I have another problem: I was using the -R parameter, and in pfSense there is no field provided to check or add this parameter, so I used the LDAP Base field to add it. It worked before: Domain = dc = domain, dc = lan -R
The PR fixes the '-w password' issue, and now it also adds the -R (do not follow referrals) option.
Updated by O 71 about 5 years ago
- File error-pfsense-squid.JPG added
Hello,
I updated to 0.4.44_16; I use LDAP authentication. The password is OK, but it doesn't work correctly with the "-R" parameter.
There are 2 problems:
1-
The -R parameter doesn't work if it's at the end of line (I don't know why). See the attached file.
2-
The "-R" parameter is always added to the squid.conf file (checkbox checked or not).
If I inspect the code of the checkbox I see :
<input name="ldap_noreferrals" id="ldap_noreferrals" type="checkbox" value="on">
So I think you should replace in the squid.inc file :
$noreferrals = (isset($settings['ldap_noreferrals']) ? "-R " : '');
with :
$noreferrals =($settings['ldap_noreferrals'] == 'on' ? "-R " : '');
And place the -R parameter before another parameter.
Thanks a lot
Updated by Ismael Peixoto Azambuja about 5 years ago
Available update: 0.4.44_16; here everything works perfectly now.
I don't know who to thank, but thanks for the correction!
Updated by O 71 about 5 years ago
Hi Ismael,
Can you give me the line written in the squid.conf file?
If you check or uncheck "LDAP follow referrals", is the "-R" parameter added or not?
I don't know why for me this parameter is always present.
Thanks
Updated by O 71 about 5 years ago
I tested, and it works if I modify the file /usr/local/pkg/squid.inc like this:
$password = (isset($settings['ldap_pass']) ? "-w " . escapeshellarg($settings['ldap_pass']) : '');
$noreferrals = ($settings['ldap_noreferrals'] == 'on' ? " -R" : '');
$conf .= "auth_param basic program " . SQUID_LOCALBASE
. "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b " . escapeshellarg($settings['ldap_basedomain'])
. $noreferrals
. " -D " . escapeshellarg($settings['ldap_user']) . " " . $password
. " -f " . escapeshellarg($settings['ldap_filter']) . " -u " . escapeshellarg($settings['ldap_userattribute'])
. " -P " . escapeshellarg($settings['auth_server'] . $port) . "\n";
break;
Can you update the package?
Thanks a lot
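An added example, not code from the pfSense squid package, that puts the two behaviours discussed in this thread side by side: a builder for the basic_ldap_auth auth_param line that can reproduce the 0.4.44_15 output (the '-w password' single token and the -R that is emitted even when the checkbox is unchecked) and the corrected form (option and value quoted separately, checkbox compared against 'on', -R placed before -D and -P). The $settings array and $port are constructed; the key names follow the squid.inc snippet quoted above.

```php
<?php
// Added example (not the pfSense package's own code): builds the squid.conf
// auth_param line for basic_ldap_auth from a pfSense-style $settings array.
// $fixed = false reproduces the 0.4.44_15 output reported in this thread;
// $fixed = true applies the quoting and checkbox handling discussed above.

function build_ldap_auth_line(array $settings, bool $fixed = true): string {
    $port = ':389';  // assumed; squid.inc derives $port from the auth settings
    if ($fixed) {
        // Option and value are separate tokens: -w 'password'
        $password = isset($settings['ldap_pass'])
            ? '-w ' . escapeshellarg($settings['ldap_pass']) : '';
        // An unchecked checkbox may still leave the key present (empty), and
        // isset('') is true in PHP, so compare against the posted value 'on'.
        $noreferrals = (($settings['ldap_noreferrals'] ?? '') === 'on') ? ' -R' : '';
    } else {
        // Quoting the whole "-w password" string yields one token, '-w password',
        // which is what the 0.4.44_15 squid.conf in this thread shows.
        $password = isset($settings['ldap_pass'])
            ? escapeshellarg('-w ' . $settings['ldap_pass']) : '';
        $noreferrals = isset($settings['ldap_noreferrals']) ? ' -R' : '';
    }
    return 'auth_param basic program /usr/local/libexec/squid/basic_ldap_auth'
        . " -v {$settings['ldap_version']}"
        . ' -b ' . escapeshellarg($settings['ldap_basedomain'])
        . $noreferrals   // before -D/-P, the position O 71 reports as working
        . ' -D ' . escapeshellarg($settings['ldap_user']) . ' ' . $password
        . ' -f ' . escapeshellarg($settings['ldap_filter'])
        . ' -u ' . escapeshellarg($settings['ldap_userattribute'])
        . ' -P ' . escapeshellarg($settings['auth_server'] . $port) . "\n";
}

// Constructed sample settings, modelled on the values posted in this thread.
$settings = [
    'ldap_version'       => 3,
    'ldap_basedomain'    => 'DC=UERGS,DC=RS',
    'ldap_user'          => 'CN=SQUID,OU=ADMINS,DC=UERGS,DC=RS',
    'ldap_pass'          => 'password',
    'ldap_filter'        => 'sAMAccountName=%s',
    'ldap_userattribute' => 'uid',
    'auth_server'        => '172.16.0.16',
    'ldap_noreferrals'   => '',     // checkbox unchecked, but key still present
];

echo "broken: " . build_ldap_auth_line($settings, false);
echo "fixed:  " . build_ldap_auth_line($settings, true);
```

Running it shows the broken line carrying '-w password' and a stray -R, while the fixed line carries -w 'password' and omits -R because the value is not 'on'.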
Updated by Viktor Gurov about 5 years ago
Updated by Jim Pingle about 5 years ago
- Status changed from Feedback to Pull Request Review
Updated by Ismael Peixoto Azambuja about 5 years ago
O 71 wrote:
Hi Ismael,
Can you give me the line written in the squid.conf file?
If you check or uncheck "LDAP follow referrals", is the "-R" parameter added or not?
I don't know why for me this parameter is always present.
Thanks
Hi, after the update... (squid.conf)
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'DC=UERGS,DC=RS' -D 'CN=SQUID,OU=ADMINS,DC=UERGS,DC=RS' -w 'password' -f 'sAMAccountName=%s' -u 'uid' -P 'LDAP.UERGS.RS:389' -R
Updated by O 71 about 5 years ago
Ismael Peixoto Azambuja wrote:
O 71 wrote:
Hi Ismael,
Can you give me the line written in the squid.conf file?
If you check or uncheck "LDAP follow referrals", is the "-R" parameter added or not?
I don't know why for me this parameter is always present.
Thanks
Hi, after the update... (squid.conf)
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'DC=UERGS,DC=RS' -D 'CN=SQUID,OU=ADMINS,DC=UERGS,DC=RS' -w 'password' -f 'sAMAccountName=%s' -u 'uid' -P 'LDAP.UERGS.RS:389' -R
Thanks Ismael
Is the "-R" parameter at the end of the line not blocking for you? I don't understand why in my case it only works if this parameter is placed before the "-P" parameter.
Updated by Jim Pingle about 5 years ago
- Status changed from Pull Request Review to Feedback
PR 814 was merged
Updated by Viktor Gurov about 5 years ago
- Status changed from Feedback to Resolved
Works as expected on 2.4.5 with squid 0.4.44_19