Project

General

Profile

Actions
Copy link

Bug #7654

closed

Can't use a LDAP search filter containing an accent

Added by mr xhark over 7 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Renato Botelho
Category:
Squid
Target version:
pfSense - 2.4.5-p1
Start date:
06/20/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
2.3.4
Affected Plus Version:
Affected Architecture:
All

Description

Hi,

I use a virtual machine with pfSense 2.3.4 (amd64) with Squid package v0.4.37 (including squid 3.5.26).

I have to bind to an active directory, so in Services > Squid Proxy Server > Authentication I choose :
  • LDAP
  • IP of the DC
  • Port 389
  • LDAP version : 3
  • LDAP Server User DN : CN=pfsensead,CN=Users,DC=corp,DC=lan
  • LDAP Password : ****
  • LDAP Base Domain : DC=corp,DC=lan
  • LDAP Username DN Attribute : sAMAccountName
  • LDAP Search Filter : (&(memberOf=CN=proxy-allow,OU=Service testé,DC=corp,DC=lan)(sAMAccountName=%s))

With this configuration an active directory user must be member of the group "proxy-allow" to be authenticated by Squid.

The issue is the accent "é" in the OU name.
I tried with no space in OU, it does not work.
I tried with space and no accent : it works.
I tried with no group and LDAP Search filter : "((sAMAccountName=%s)" : it work.

When I click on Save pfSense ignore modification.

I don't know if it's an encoding issue in the web interface or in the config file. And... I know it's a very bad idea to have an accent (or a space) in LDAP path, but I am not at the origin of this.

Regards

Actions
Copy link
 #1

Updated by Viktor Gurov over 4 years ago

CDATA encode Squid LDAP options:
https://github.com/pfsense/pfsense/pull/4265

Actions
Copy link
 #2

Updated by Viktor Gurov over 4 years ago

TODO:
CDATA encode FreeRADIUS LDAP options

Actions
Copy link
 #3

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Pull Request Review
Actions
Copy link
 #4

Updated by Jim Pingle over 4 years ago

  • Target version set to 2.5.0
Actions
Copy link
 #5

Updated by Renato Botelho over 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions
Copy link
 #6

Updated by Viktor Gurov over 4 years ago

  • Status changed from Feedback to Resolved

works as expected on 2.5.0.a.20200409.0657:

# grep ldap /usr/local/etc/squid/squid.conf
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'DC=corp,DC=lan'  -D 
'CN=pfsensead,CN=Users,DC=corp,DC=lan' -w '123' -f '(&(memberOf=CN=proxy-allow,OU=Service testé,DC=corp,DC=lan)
(sAMAccountName=%s))' -u 'sAMAccountName' -P -H 'ldap://192.168.1.10:389'

Actions
Copy link
 #7

Updated by Jim Pingle over 4 years ago

  • Status changed from Resolved to Feedback
  • Target version changed from 2.5.0 to 2.4.5-p1
Actions
Copy link
 #8

Updated by Jim Pingle over 4 years ago

  • Status changed from Feedback to Resolved

Supplied string is saved as expected and without error.

Actions
Copy link

Also available in: Atom PDF