[squid-users] LDAP search filter for FreeIPA

Djerk Geurts djerkg at gmail.com
Thu Oct 6 09:28:22 UTC 2022


> On 6 Oct 2022, at 03:40, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> 
> On 6/10/22 02:29, Djerk Geurts wrote:
>> Hi,
>> I’ve got LDAP auth working against FreeIPA, but now I’m trying to get LDAP group all controls working. Initially I used the local unix group filter, which works great as the machine running Squid is able to query group membership through pam. But then I found that nested group membership didn’t work. So now I’m trying to query group membership via LDAP and failing miserably.
>> My config:
>> auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b "cn=users,cn=accounts,dc=DOMAIN,dc=COM" -D "uid=squid-ldap,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM" -W "/etc/squid/squid-ldap.cred" -u uid -H LDAPS://ipa.domain.com:636
>> […]
> 
> To clarify, does the above description mean login with this helper works fine?

Yes, normal logins work fine if I don’t use the group filtering in http_access.

> >   -b "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" \
> >   -f "(&(cn=%g)(member=uid=%u))" \
> > ...
> 
> You can add '-d' (lower case) to get a debug trace in cache.log about what is happening inside the helper.

Thank you, I’d seen the flag, just not where the logs would end up, and of course checked all but cache.log…

> You can use that to confirm the user/group details are arriving properly and the filter string is correct before it goes sent to LDAP.
> 
> Also, see whether LDAP is having connectivity issues, or search issues, or something else is going on.
> 
> FWIW, the above reads to me like you are looking up the existence of the group rather than the existence of a specific user within a group. My LDAP knowledge is weak, so I may be wrong about that.

Yeah, I’ve been wondering this too and my LDAP knowledge is quite poor. And it turns out that you're absolutely right.

> 
>> This ldap search works fine:
>> user at ipa:~$ ldapsearch -x -D 'cn=Directory Manager' -W -b "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" '(&(cn=proxy)(member=uid=user,*))'
> 
> I notice that there is an extra ',*' after the username in this filter string which is missing on the helper one.

The ldapsearch works fine with and without it. The ,* is meant to match the rest of the DN but I think isn’t needed. I could be very wrong though. In hindsight, comparing the search results I now see that my first query returns a list of group members, but the correct query returns all user details if the user is a member of the given group.

> 
>> So how am I meant to set the filter of ext_ldap_group_acl?
> 
> FYI, what the Squid helpers do is replace the %g and %u values and pass the resulting string as the 'filter' to LDAP.
> 
> Meaning that the filter used by Squid should be the same as the ldapsearch filter would be if you were searching for username "%u" in group "%g".

Thank you! This plus a little more Googling has yielded the following search string and ldap_group config which works (even for nested groups):

## IPA groups via LDAP
external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -d \
  -b "cn=users,cn=accounts,dc=DOMAIN,dc=COM" \
  -D "uid=squid-ldap,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM" \
  -W "/etc/squid/squid-ldap.cred" \
  -f "(&(objectclass=person)(uid=%u)(memberOf=cn=%g,cn=groups,cn=accounts,dc=DOMAIN,dc=COM))" \
  -H LDAPS://ipa.domain.com:636

I also found that the credentials file I’m using had the wrong permissions. It hadn’t shown up earlier as anonymous bind was enabled previously. Interesting that logging when using `-d` on the auth plugins only gets put into cache.log and not the Journal.

-- 
Thank you,
Djerk
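To see why the first filter template fails against FreeIPA while the final one passes (even for nested groups), here is an added Python example, not from the thread or from the Squid helpers themselves. It expands the %u/%g templates the way the thread describes, adds RFC 4515 value escaping as our own hardening step, and evaluates the result against constructed entries modelled on FreeIPA's schema; the entry contents and the tiny filter evaluator are assumptions for illustration.

```python
import re

# Filter templates taken from the thread.  %u and %g are substituted by the
# helper; expand_filter() below mimics that substitution.
FILTER_WRONG = "(&(cn=%g)(member=uid=%u))"
FILTER_WORKING = ("(&(objectclass=person)(uid=%u)"
                  "(memberOf=cn=%g,cn=groups,cn=accounts,dc=DOMAIN,dc=COM))")

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping (our own hardening, not something the thread shows)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand_filter(template, user, group):
    """Substitute %u / %g the way the thread describes, with escaping applied."""
    return (template.replace("%u", escape_filter_value(user))
                    .replace("%g", escape_filter_value(group)))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(s, i=0):
    """Tiny parser for the subset used above: (&(...)(...)) and attr=value."""
    assert s[i] == "(", "filter item must start with '('"
    if s[i + 1] == "&":
        kids, i = [], i + 2
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return ("&", kids), i + 1           # skip the closing ')'
    eq = s.index("=", i)
    end = s.index(")", eq)                   # safe: a literal ')' in a value is escaped
    return ("=", s[i + 1:eq].lower(), _unescape(s[eq + 1:end])), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry {attr: [values]}, case-insensitively."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

# Constructed entries modelled on FreeIPA: 'member' holds full DNs, and the
# memberOf plugin also lists groups the user belongs to only through nesting.
GROUP_BASE = "cn=groups,cn=accounts,dc=DOMAIN,dc=COM"
GROUP_PROXY = {"cn": ["proxy"], "member": ["cn=staff," + GROUP_BASE]}
USER_ENTRY = {"objectclass": ["person", "posixaccount"], "uid": ["user"],
              "memberof": ["cn=staff," + GROUP_BASE, "cn=proxy," + GROUP_BASE]}

def is_member(template, user, group, entry):
    """What the helper effectively decides: does the entry match the expanded filter?"""
    node, _ = parse_filter(expand_filter(template, user, group))
    return matches(node, entry)
```

The wrong template matches the group entry only if `member` literally equals `uid=user`, which never holds for FreeIPA's DN-valued `member`; the working template matches the user entry's `memberOf`, which FreeIPA fills in for nested membership too.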