[squid-users] LDAP authentication from android and iphones

Ilias Clifton adilias3 at gmx.com
Thu May 30 22:28:10 UTC 2019


> > >> Sent: Wednesday, May 29 2019 6:42
> > >> From: Ilias Clifton
> > >>
> > >> I have Squid 3.5.27 running on Ubuntu 18.04.2, and have been unsuccessful in getting users to authenticate via LDAP (Kerberos is working well).
> > >>
> > >> What else can I do for troubleshooting?
> > >>
>
> What I do is take one of the access.log lines and read through the squid.conf (the whole thing) to see what Squid would do with that transaction. Most 40* status problems are caused by http_access ordering, so they are quickly spotted.
>
> If you can provide those details in full, I'm happy to do so for you. Or someone experienced with a similar config may spot the issue.
>


See squid.conf below. Are there any other config files you need to see?

The users authenticating via LDAP on phones are in an Active Directory group listed in the file /etc/squid/full_access.txt - they do get full internet access when authenticating via Kerberos.

I've checked that they are entering the correct passwords, although the passwords contain special characters (e.g. `^( ), so I'm not sure whether that could make a difference. As I said, it works when running basic_ldap_auth on the command line.

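### cache manager
# Contact address shown on error pages. "at" is the list archive's rewriting
# of "@" and is not literally in the file.
cache_mgr proxy at domain.com

### authentication
# Two schemes are offered: Negotiate (Kerberos) and Basic (LDAP bind). Clients
# that cannot do Negotiate -- presumably the phones -- end up on Basic. Basic
# credentials are only base64-encoded on the wire, so on the plain http_port
# below they are readable to anyone on the client-to-proxy path.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/PROXY.keytab -r -s GSS_C_NO_NAME
auth_param negotiate children 10 startup=2 idle=1
auth_param negotiate keep_alive on

# -d turns on helper debug output (helper stderr, which Squid writes to
# cache.log); that output is the first place to look for the bind/search
# result of a failing phone login. Drop -d once troubleshooting is done.
# /etc/squid/ldappass.txt holds the bind password: it must be readable by the
# Squid effective user and by nobody else.
auth_param basic program /usr/lib/squid/basic_ldap_auth -d -R -b "DC=domain,DC=com" -D proxyuser at domain.com -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h dc.domain.com
auth_param basic children 10 startup=2 idle=1
auth_param basic realm Internet Proxy
# Cached Basic credentials are re-validated against LDAP every 10 minutes.
auth_param basic credentialsttl 10 minutes

# Group membership lookup keyed on the authenticated login (%LOGIN). -K strips
# a Kerberos realm and -S an NT domain before the sAMAccountName search, so a
# Kerberos login (user@REALM) and a Basic login (bare user) should resolve to
# the same account. Same bind account and password file as above.
external_acl_type memberof %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=com" -D proxyuser at domain.com -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy, DC=domain, DC=com))" -h dc.domain.com

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
# Each file lists the AD group name(s) substituted for %g in the filter above.
acl BlockedAccess   external memberof "/etc/squid/blocked_access.txt"
acl StandardAccess  external memberof "/etc/squid/standard_access.txt"
acl FullAccess      external memberof "/etc/squid/full_access.txt"

acl allowedsites    dstdomain "/etc/squid/allowedsites.txt"
acl blockedsites    dstdomain "/etc/squid/blockedsites.txt"

# NOTE: arp ACLs only match clients on the same layer-2 segment as the proxy,
# and a MAC address is not a credential; treat this as a convenience
# exemption, not as authentication.
acl macaddresses	arp "/etc/squid/macaddresses.txt"

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

### access rules -- evaluated top to bottom, first matching line wins
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

# allow unauthenticated access to macaddresses in list
http_access allow macaddresses
# Everything below this line requires a successful login; a client that fails
# (or has not yet sent) credentials is typically challenged with 407 here.
http_access deny !auth
http_access deny BlockedAccess all

http_access allow allowedsites
http_access allow FullAccess auth

http_access deny blockedsites
http_access allow StandardAccess auth

http_access deny all

cache_mem 1024 MB
cache_dir aufs /var/spool/squid 27648 16 256

### logging
# The posted file read "ccess_log" here -- almost certainly a typo (paste or
# real); Squid reports an unknown directive as unrecognized, and without this
# line there would be no access.log to troubleshoot from.
access_log /var/log/squid/access.log squid
err_page_stylesheet /etc/squid/errorpage.css
error_directory /etc/squid/error_pages

### squid Debian defaults
# Plain HTTP listener only (no https_port), see the Basic-auth note above.
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320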

