[squid-users] Basic LDAP Authentication

Mark Monaghan CLmjmonaghan at glowmail.org.uk
Wed Feb 25 12:22:41 UTC 2015


Hi All,

I'm wondering if anyone can help me with the following issue I'm having getting various non-domain devices (mainly tablets, but some non-domain Windows and Apple Mac computers) working with the basic_ldap_auth helper. I've had a good search of the mailing list, as well as a huge trawl of the internet, but I cannot get the helper to work within squid, and all information points to the fact that I've got the command set up as it should be.


Testing on the command line works perfectly, with the helper returning the correct information. As soon as I attempt to do the same through squid, it fails, returning technically nothing.


I've even attempted different versions, from 3.2 right through to the latest 3.5, just in case there was a bug with one of the builds on the helper. All have the same result.


In production, I've got the proxy working with domain devices via Kerberos authentication perfectly, but the basic LDAP authentication fails. So I've got a development system where the config has been stripped right back to check the LDAP authentication, and the results are the same, so I know that I'm not having problems with any other authentication method failover.


If I put the following line on the CLI, then a domain username and password, everything returns normally:


/usr/lib64/squid/basic_ldap_auth -d -v 3 -R -b "dc=domain,dc=com" -D "CN=KerbAuth,OU=ServiceAccounts,DC=domain,DC=com" -W /etc/squid/kerbauth -f sAMAccountName=%s -u uid -h windows2012r2.domain.com


Output:


ctest ctest3
basic_ldap_auth.cc(684): pid=20130 :user filter 'sAMAccountName=ctest', searchbase 'dc=domain,dc=com'
basic_ldap_auth.cc(739): pid=20130 :attempting to authenticate user 'CN=Test User,OU=Dept1,OU=Dept2,OU=Dept3,OU=Dept4,OU=Company,DC=domain,DC=com'
OK

However, when it is used from the squid.conf file and a user attempts to authenticate, the output in cache.log is this:

basic_ldap_auth.cc(684): pid=20006 :user filter 'sAMAccountName=0', searchbase 'dc=domain,dc=com'
basic_ldap_auth.cc(706): pid=20006 :Ldap search returned nothing


I'm at a complete loss as to what to do next.

If there is any further information that I can provide, I would be more than happy to provide it.

Cheers,
Monty

OS: CentOS 6.6

squid.conf file:

dns_v4_first on
dns_nameservers 10.7.128.21 10.7.128.22
negative_dns_ttl 5 minutes
forwarded_for delete
via off
cache_replacement_policy heap LFUDA
cache_swap_low 90
cache_swap_high 95
cache_dir aufs /cache 8192 16 256
cache_mem 256 MB
memory_pools on
maximum_object_size_in_memory 10 MB
maximum_object_size 50 MB
logfile_rotate 10
quick_abort_min 16 KB
quick_abort_max 16 KB
log_icp_queries off
client_db off
buffered_logs on

auth_param basic program /usr/lib64/squid/basic_ldap_auth -d -v 3 -R -b "dc=domain,dc=com" -D "CN=KerbAuth,OU=ServiceAccounts,DC=domain,DC=com" -W /etc/squid/kerbauth -f sAMAccountName=%s -u uid -h windows2012r2.domain.com
auth_param basic children 80 startup=20 idle=10 concurrency=2
auth_param basic credentialsttl 5 hours

cache_peer 10.0.100.192 parent 8080 3130 no-query
cache_effective_user squid
cache_effective_group squid
visible_hostname Domain-Cache

acl SSL method CONNECT

acl SSL_ports port 443
acl SSL_ports port 1494 # Citrix XenApp
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1494 # Citrix XenApp
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 143 # IMAP
acl Safe_ports port 993 # IMAP over SSL
acl Safe_ports port 82
acl GLOW_SMTP port 587
acl GLOW_IMAP port 993
acl CONNECT method CONNECT

acl goodusers proxy_auth REQUIRED
deny_info ERR_BANNED badusers

http_access allow manager localhost
http_access deny all !goodusers
http_access allow all goodusers
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

http_port 3128
redirector_bypass off
coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
delay_pools 0

access_log stdio:/var/log/squid/access.log
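A small model of the Squid basic-auth helper line protocol, added here as an example and not part of the post or of Squid's own code: Squid writes "username password" to a basic helper, but with concurrency=N on the auth_param line it writes "channel-id username password", so a helper that does not implement the concurrency protocol (which basic_ldap_auth does not) reads the channel id as the user name and builds a filter of sAMAccountName=0, exactly as the cache.log above shows. The CONSTRUCTED_DIRECTORY dictionary and the parse_basic_line/handle functions are constructed stand-ins for the LDAP search and bind.

```python
"""Model of the Squid basic-auth helper line protocol (constructed example).

Squid writes one request per line to a basic helper.  Without the
concurrency option it sends:        username password
With auth_param ... concurrency=N:  channel-id username password
Both credential fields are rfc1738 (percent) encoded, and the helper
answers 'OK' / 'ERR [message]', prefixed by the channel id when given.
"""
from urllib.parse import unquote

# Constructed stand-in for the directory: user -> password.
CONSTRUCTED_DIRECTORY = {"ctest": "ctest3"}


def parse_basic_line(line, concurrency_aware):
    """Split a request line the way a helper would.

    A helper that does not implement the concurrency protocol takes the
    first field as the user name and the rest of the line as the password,
    which is how basic_ldap_auth reads its input."""
    line = line.rstrip("\n")
    channel = None
    if concurrency_aware:
        chan, line = line.split(" ", 1)
        channel = int(chan)
    user, _, password = line.partition(" ")
    return channel, unquote(user), unquote(password)


def handle(line, concurrency_aware):
    """Return (ldap_filter, reply) for one request line.

    The filter mirrors the 'user filter' line logged with -d; the lookup in
    CONSTRUCTED_DIRECTORY stands in for the LDAP search and bind."""
    channel, user, password = parse_basic_line(line, concurrency_aware)
    ldap_filter = f"sAMAccountName={user}"
    ok = CONSTRUCTED_DIRECTORY.get(user) == password
    reply = "OK" if ok else "ERR"
    if channel is not None:
        reply = f"{channel} {reply}"
    return ldap_filter, reply


if __name__ == "__main__":
    # What the command-line test in the post feeds the helper.
    print(handle("ctest ctest3", concurrency_aware=False))
    # What Squid sends with concurrency=2: the helper sees user '0'.
    print(handle("0 ctest ctest3", concurrency_aware=False))
    # The same line read by a helper that implements the concurrency protocol.
    print(handle("0 ctest ctest3", concurrency_aware=True))
```

Dropping concurrency=2 from the auth_param line, or switching to a helper that implements the concurrency protocol, makes the helper see the real user name again.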