[squid-users] Basic LDAP Authentication

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 26 05:09:06 UTC 2015


On 26/02/2015 1:22 a.m., Mark Monaghan wrote:
> Hi All,
>
> I'm wondering if anyone can help me with the following issue I'm
> having getting various non-domain devices (mainly tablets, but some
> non-domain windows and apple mac computers) working with the
> basic_ldap_auth helper. I've had a good search of the mailing list, as
> well as a huge trawl of the internet, but I cannot get the helper to
> work within squid, and all information points to the fact that I've got
> the command set up as it should be.
>
> Testing on the command line works perfectly, with the helper returning
> the correct information. As soon as I attempt to do the same through
> squid, it fails, returning technically nothing.
>
> I've even attempted different versions, from 3.2 right through to the
> latest 3.5, just in case there was a bug with one of the builds on the
> helper. All have the same result.
>
> In production, I've got the proxy working with domain devices via
> kerberos authentication perfectly, but the basic ldap authentication
> fails. So I've got a development system where the config has been
> stripped right back to check the LDAP authentication, and the results
> are the same, so I know that I'm not having problems with any other
> authentication method failover.
>
> If I put the following line on the cli, then a domain username and
> password, everything returns normally:
>
> /usr/lib64/squid/basic_ldap_auth -d -v 3 -R -b "dc=domain,dc=com" -D
> "CN=KerbAuth,OU=ServiceAccounts,DC=domain,DC=com" -W /etc/squid/kerbauth
> -f sAMAccountName=%s -u uid -h windows2012r2.domain.com
>
> Output:
>
> ctest ctest3
> basic_ldap_auth.cc(684): pid=20130 :user filter 'sAMAccountName=ctest', searchbase 'dc=domain,dc=com'
> basic_ldap_auth.cc(739): pid=20130 :attempting to authenticate user 'CN=Test User,OU=Dept1,OU=Dept2,OU=Dept3,OU=Dept4,OU=Company,DC=domain,DC=com'
> OK
>
> However, when used within the squid.conf file, when a user attempts to authenticate, the output in the cache.log is this:
>
> basic_ldap_auth.cc(684): pid=20006 :user filter 'sAMAccountName=0', searchbase 'dc=domain,dc=com'
> basic_ldap_auth.cc(706): pid=20006 :Ldap search returned nothing
>
> I'm at a complete loss as to what to do next.

That helper does not support concurrency. Your test works because it is
not testing what Squid is sending, but what the helper actually expects.

Squid is sending it "0 ctest ctest3" ... "channel-ID username password".

The relevant config line is:

> auth_param basic children 80 startup=20 idle=10 concurrency=2

Should be:
  auth_param basic children 80 startup=20 idle=10 concurrency=0


Amos
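To make the concurrency mismatch concrete, here is an added model of the Squid basic-auth helper line protocol (example code written for this page, not part of Squid or basic_ldap_auth). It parses a request line both ways and shows that, when a helper that has no concurrency support is handed a `concurrency=N` line, the channel-ID becomes the username, exactly the `sAMAccountName=0` seen in the cache.log. The `DIRECTORY` dict is a constructed stand-in for the LDAP bind.

```python
"""Model of the Squid basic-auth helper line protocol (added example).

With concurrency=0 Squid writes "<user> <password>" per lookup; with
concurrency=N (N > 0) it writes "<channel-ID> <user> <password>" and the
reply must carry the same channel-ID back.  A helper that only understands
the first format reads the channel-ID as the username.
"""
import sys
from urllib.parse import unquote  # Squid rfc1738-encodes user and password

# Constructed stand-in for the LDAP directory: username -> password.
DIRECTORY = {"ctest": "ctest3"}


def parse_request(line, concurrent):
    """Return (channel, user, password); channel is None when not concurrent.

    user and password are None when the line is malformed.
    """
    line = line.rstrip("\r\n")
    channel = None
    if concurrent:
        channel, _, line = line.partition(" ")  # strip the channel-ID first
    user, sep, password = line.partition(" ")
    if not sep or not user:
        return channel, None, None
    return channel, unquote(user), unquote(password)


def respond(line, concurrent, directory=DIRECTORY):
    """Produce the reply line Squid expects for one request line."""
    channel, user, password = parse_request(line, concurrent)
    if user is None:
        verdict = "BAD"
    elif directory.get(user) == password:
        verdict = "OK"
    else:
        verdict = "ERR"
    return f"{channel} {verdict}" if channel is not None else verdict


def main(concurrent=False):
    """Run as a real helper would: one reply per stdin line, flushed at once."""
    for line in sys.stdin:
        sys.stdout.write(respond(line, concurrent) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main(concurrent="--concurrent" in sys.argv[1:])
```

Feeding `0 ctest ctest3` to the non-concurrent parser yields user `0` and password `ctest ctest3`, so the directory lookup fails even though the credentials are valid.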
