[squid-users] LDAP authentication from android and iphones

Amos Jeffries squid3 at treenet.co.nz
Fri May 31 05:33:43 UTC 2019


On 31/05/19 10:28 am, Ilias Clifton wrote:
>>>>> Sent: Wednesday, May 29 2019 6:42
>>>>> From: Ilias Clifton
>>>>>
>>>>> I have Squid 3.5.27 running on Ubuntu 18.04.2, and have been unsuccessful in being able to authenticate users via ldap (kerberos is working well)
>>>>>
>>>>> What else can I do for troubleshooting?
>>>>>
>>
>> What I do is take one of the access.log lines and read through the squid.conf (whole thing) to see what squid would do with that transaction. Most 40* status problems are with http_access ordering, so quickly spotted.
>>
>> If you can provide those details in full I'm happy to do so for you. Or someone experienced with a similar config may spot the issue.
>>
> 
> 
> See squid.conf below.. Any other config files you need to see?
> 

This seems sufficient for config. A few possible issues are visible
already, noted below.

If fixing those does not work an access.log line will be needed to do
the troubleshooting sequence check I mentioned.


> The users authenticating via ldap on phones are in an Active directory group listed in the file /etc/squid/full_access.txt - They do get full internet access when authenticating via kerberos.
> 
> I've checked they are entering the correct passwords - although there are special characters in the passwords eg. `^( - Not sure if that could make a difference. Like I said, it works when running basic_ldap_auth on the command line.
> 
> ### cache manager
> cache_mgr proxy@domain.com
> 
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/PROXY.keytab -r -s GSS_C_NO_NAME
> auth_param negotiate children 10 startup=2 idle=1
> auth_param negotiate keep_alive on
> 
> auth_param basic program /usr/lib/squid/basic_ldap_auth -d -R -b "DC=domain,DC=com" -D proxyuser@domain.com -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h dc.domain.com
> auth_param basic children 10 startup=2 idle=1
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 10 minutes
> 


Ah. Sorry I overlooked this mention of Kerberos existing in your initial
mail. This adds something else to check on.

HTTP auth is negotiated starting with the scheme. Clients are required
to attempt the most secure auth scheme from the server's initial 407
response. That means any client which supports Negotiate is required to
use it - no Basic for them.

One thing about Negotiate is that Kerberos keytabs can be set up on some
clients or types of client (i.e. all iPhones, all Android etc) in a way
that makes it not work when all others do.

Another thing is that clients can also try to use the Negotiate/NTLM
flavour of auth, which is not supported by your proxy.

So you do need to check a cache.log trace made with "debug_options 11,2"
to verify that the clients are actually attempting to use Basic or
Kerberos flavour of Negotiate.



> external_acl_type memberof %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=com" -D proxyuser@domain.com -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy, DC=domain, DC=com))" -h dc.domain.com
> 

I see a whitespace in the -f parameter string "OU=Proxy, DC=domain"
section. Squid-3 does not support whitespace in helper command line
parameters. So that alone may be the problem.


> ### acl for proxy auth and ldap authorizations
> acl auth proxy_auth REQUIRED
> acl BlockedAccess   external memberof "/etc/squid/blocked_access.txt"
> acl StandardAccess  external memberof "/etc/squid/standard_access.txt"
> acl FullAccess      external memberof "/etc/squid/full_access.txt"
> 
> acl allowedsites    dstdomain "/etc/squid/allowedsites.txt"
> acl blockedsites    dstdomain "/etc/squid/blockedsites.txt"
> 
> acl macaddresses	arp "/etc/squid/macaddresses.txt"
> 
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> 
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> 

NP: current recommendation/default is to have the manager ACL test after
the localhost one, like so:

 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost
 http_access deny manager


> # allow unauthenticated access to macaddresses in list
> http_access allow macaddresses
> http_access deny !auth

NP: all users are guaranteed to be logged in from this point onwards. So
any use of "auth" ACL in later http_access lines and (most) other
directives should be pointless. Making those lines more suspect for
issues when troubleshooting.


> http_access deny BlockedAccess all
> 
> http_access allow allowedsites
> http_access allow FullAccess auth
> 
If you want clients to re-login whenever they fail the FullAccess group
check then just remove the auth on this line.

 ==> please be aware that the repeated 407 you report seeing is how
re-login shows up. Though best-case does only one 407 loop, there is no
limitation on how many can actually happen. Safari is known to never
stop trying the non-working credentials.


If you do not want re-logins to happen then replace "auth" with "all".


> http_access deny blockedsites
> http_access allow StandardAccess auth
> 

Same here.


> http_access deny all
> 
> cache_mem 1024 MB
> cache_dir aufs /var/spool/squid 27648 16 256
> 
> ### logging
> access_log /var/log/squid/access.log squid
> err_page_stylesheet /etc/squid/errorpage.css
> error_directory /etc/squid/error_pages
> 
> ### squid Debian defaults
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 



Amos
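Two of the points raised above (whitespace inside a helper command-line argument, and an "auth" ACL used after "http_access deny !auth" has already guaranteed a login) can be checked mechanically. The following linter is an added example, not code from the thread or from the Squid project; it assumes a helper's program path starts with "/" and uses a constructed squid.conf modelled on the one quoted above.

```python
import re
import shlex

# Constructed sample, modelled on the squid.conf quoted in the thread
# (same anonymised names; not the poster's full file).
SAMPLE_CONF = """\
auth_param basic program /usr/lib/squid/basic_ldap_auth -d -R -b "DC=domain,DC=com" -D proxyuser@domain.com -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h dc.domain.com
external_acl_type memberof %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=com" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy, DC=domain, DC=com))" -h dc.domain.com
acl auth proxy_auth REQUIRED
acl FullAccess external memberof "/etc/squid/full_access.txt"
http_access allow localhost
http_access deny !auth
http_access allow FullAccess auth
http_access deny all
"""

def helper_args(line):
    """Return the helper argv for an auth_param/external_acl_type line, else None."""
    tokens = shlex.split(line)  # honours the double quotes squid.conf uses
    if tokens[:1] == ["auth_param"] and len(tokens) > 3 and tokens[2] == "program":
        return tokens[3:]
    if tokens[:1] == ["external_acl_type"]:
        # Assumption: the helper is the first token that looks like a path;
        # everything before it is the ACL name, %FORMAT tokens and options.
        for i, tok in enumerate(tokens[2:], start=2):
            if tok.startswith("/"):
                return tokens[i:]
    return None

def lint(conf):
    """Return (line number, message) findings for the two issues from the thread."""
    findings = []
    saw_deny_unauth = False
    for lineno, raw in enumerate(conf.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        argv = helper_args(line)
        if argv:
            # Squid-3 passes helper arguments unquoted, so an argument that
            # contains whitespace is split into several arguments.
            for arg in argv[1:]:
                if re.search(r"\s", arg):
                    findings.append((lineno, f"helper argument contains whitespace: {arg!r}"))
        words = line.split()
        if words[0] == "http_access":
            if words[1:] == ["deny", "!auth"]:
                saw_deny_unauth = True
            elif saw_deny_unauth and "auth" in words[2:]:
                findings.append((lineno, "'auth' after 'http_access deny !auth' is redundant"))
    return findings
```

Running `lint(SAMPLE_CONF)` flags the `-f` filter on the external_acl_type line and the later `allow FullAccess auth` line.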

