Project

General

Profile

Bug #7654

Can't use a LDAP search filter containing an accent

Added by mr xhark over 3 years ago. Updated 9 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Renato Botelho
Category:
Squid
Target version:
pfSense - 2.4.5-p1
Start date:
06/20/2017
Due date:
% Done:

100%

Estimated time:
Affected Version:
2.3.4
Affected Architecture:
All

Description

Hi,

I use a virtual machine with pfSense 2.3.4 (amd64) with Squid package v0.4.37 (including squid 3.5.26).

I have to bind to an active directory, so in Services > Squid Proxy Server > Authentication I choose :
  • LDAP
  • IP of the DC
  • Port 389
  • LDAP version : 3
  • LDAP Server User DN : CN=pfsensead,CN=Users,DC=corp,DC=lan
  • LDAP Password : ****
  • LDAP Base Domain : DC=corp,DC=lan
  • LDAP Username DN Attribute : sAMAccountName
  • LDAP Search Filter : (&(memberOf=CN=proxy-allow,OU=Service testé,DC=corp,DC=lan)(sAMAccountName=%s))

With this configuration an active directory user must be member of the group "proxy-allow" to be authenticated by Squid.

The issue is the accent "é" in the OU name.
I tried with no space in OU, it does not work.
I tried with space and no accent : it works.
I tried with no group and LDAP Search filter : "((sAMAccountName=%s)" : it work.

When I click on Save pfSense ignore modification.

I don't know if it's an encoding issue in the web interface or in the config file. And... I know it's a very bad idea to have an accent (or a space) in LDAP path, but I am not at the origin of this.

Regards

Associated revisions

Revision f14c9058 (diff)
Added by Viktor Gurov 10 months ago

CDATA encode Squid LDAP options. Issue #7654

Revision 72aa3cf9 (diff)
Added by Viktor Gurov 9 months ago

CDATA encode Squid LDAP options. Issue #7654

(cherry picked from commit f14c90586d33493951debc977244f83dcd095b83)

History

#1 Updated by Viktor Gurov 10 months ago

CDATA encode Squid LDAP options:
https://github.com/pfsense/pfsense/pull/4265

#2 Updated by Viktor Gurov 10 months ago

TODO:
CDATA encode FreeRADIUS LDAP options

#3 Updated by Jim Pingle 10 months ago

  • Status changed from New to Pull Request Review

#4 Updated by Jim Pingle 10 months ago

  • Target version set to 2.5.0

#5 Updated by Renato Botelho 10 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#6 Updated by Viktor Gurov 10 months ago

  • Status changed from Feedback to Resolved

works as expected on 2.5.0.a.20200409.0657:

# grep ldap /usr/local/etc/squid/squid.conf
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'DC=corp,DC=lan'  -D 
'CN=pfsensead,CN=Users,DC=corp,DC=lan' -w '123' -f '(&(memberOf=CN=proxy-allow,OU=Service testé,DC=corp,DC=lan)
(sAMAccountName=%s))' -u 'sAMAccountName' -P -H 'ldap://192.168.1.10:389'

#7 Updated by Jim Pingle 9 months ago

  • Status changed from Resolved to Feedback
  • Target version changed from 2.5.0 to 2.4.5-p1

#8 Updated by Jim Pingle 9 months ago

  • Status changed from Feedback to Resolved

Supplied string is saved as expected and without error.

Also available in: Atom PDF