Hello,
we've installed an OPNsense 20.1.1 system and want to configure the Squid proxy with LDAP authentication.
In the web UI, we configured the LDAP server for authentication. The setup is correct because we could see successful bind requests in the LDAP server log.
Squid logs an error in /var/log/squid/cache.log:
... kid1| helperHandleRead: unexpected read from basicauthenticator #Hlpr1, 4 bytes 'OK
'
... kid1| helperHandleRead: unexpected read from basicauthenticator #Hlpr1, 4 bytes 'OK
'
This is our proxy auth module configuration at the system:
# grep -r auth_ /usr/local/etc/squid/|grep -v '#'
/usr/local/etc/squid/squid.conf:auth_param basic program /usr/local/libexec/squid/basic_pam_auth -o
/usr/local/etc/squid/squid.conf:auth_param basic realm OPNsense proxy authentication
/usr/local/etc/squid/squid.conf:auth_param basic credentialsttl 2 hours
/usr/local/etc/squid/squid.conf:auth_param basic children 5
But the proxy auth module sends an additional line.
# echo 'martin VerySecurePassword'|/usr/local/libexec/squid/basic_pam_auth -o
{"dn":"uid=martin,ou=People,dc=lwsystems,dc=intern"}
OK
The line starting with {"dn":"... is causing the error.
UGLY WORKAROUND: We moved the file basic_pam_auth to basic_pam_auth_ORG and created a wrapper script.
Content of wrapper script:
#!/usr/local/bin/perl
#
# Wrapper around the original helper: pass each request line through and
# drop the extra JSON "dn" line so Squid only ever sees the OK/ERR reply.
#
use strict;
use warnings;

$|=1; # no buffering on STDOUT
while (<STDIN>) {
    # One helper process per request; grep strips the line containing "dn"
    # (note: any other reply line containing "dn" would be dropped as well)
    open(my $auth, '|-', '/usr/local/libexec/squid/basic_pam_auth_ORG | grep -v "dn"')
        or die "cannot start helper: $!";
    print $auth $_;
    close($auth);
}
mv basic_pam_auth basic_pam_auth_ORG
vi basic_pam_auth
chmod 0755 basic_pam_auth
Edit: Workaround added.
Regards,
Martin
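The helper protocol behind the error, as an added example (this is not code from the post, from OPNsense or from Squid): Squid's basic auth helpers read one "user password" line per request and must answer with exactly one reply line (OK, ERR or BH, optionally followed by key=value pairs). A helper that emits a second line leaves Squid with a read it never asked for, which is what helperHandleRead complains about. The fake_helper below is a constructed stand-in that misbehaves the way the post shows (JSON dn line, then OK); the credential, the DN and the function names are assumptions made for the demo. basic_auth_filter is an alternative to the post's grep -v "dn" wrapper that only lets well-formed reply lines through, so it cannot accidentally swallow a real reply that happens to contain "dn", and it is unbuffered.

```shell
#!/bin/sh
# Added example, not code from the forum post, OPNsense or Squid.
# fake_helper stands in for a "basic_pam_auth -o" that misbehaves as in the
# post: one JSON line with the bound DN, then the real reply. The credential,
# the DN and the whole helper are constructed for this demo.
fake_helper() {
  # Basic helper protocol: one request line "user password" in,
  # exactly one reply line (OK / ERR / BH, optional key=value pairs) out.
  while IFS=' ' read -r user pass; do
    if [ "$user" = "martin" ] && [ "$pass" = "VerySecurePassword" ]; then
      printf '{"dn":"uid=%s,ou=People,dc=example,dc=test"}\n' "$user"
      printf 'OK\n'
    else
      printf 'ERR\n'
    fi
  done
}

# Keep only well-formed reply lines so each request still yields exactly one
# line for Squid. Unlike grep -v "dn" this cannot drop a legitimate reply,
# and the shell loop writes each line as soon as it is read (no pipe buffering).
basic_auth_filter() {
  while IFS= read -r line; do
    case "$line" in
      OK|OK\ *|ERR|ERR\ *|BH|BH\ *) printf '%s\n' "$line" ;;
      *) ;;   # anything else (the JSON dn line) is swallowed
    esac
  done
}

# Number of lines the raw (broken) helper emits for one request line.
raw_reply_lines() {
  printf '%s\n' "$1" | fake_helper | wc -l | tr -d ' '
}

# What Squid would see for one request line once the filter is in place.
filtered_reply() {
  printf '%s\n' "$1" | fake_helper | basic_auth_filter
}

# Demo: the broken helper answers with two lines, the filtered one with one.
printf 'raw helper output:\n'
printf 'martin VerySecurePassword\n' | fake_helper
printf 'filtered output: %s\n' "$(filtered_reply 'martin VerySecurePassword')"
```

To use this shape as a wrapper in place of the Perl script, a script registered as the auth_param basic program would run the renamed helper once and pipe it through the filter (assumed path, matching the post's rename): /usr/local/libexec/squid/basic_pam_auth_ORG -o | basic_auth_filter. One helper process then serves all requests instead of one process per request.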
Quote from: AdSchellevis on March 04, 2020, 11:47:40 AM
Can you try https://github.com/opnsense/core/commit/41cf191205cf627f1820bf43c745e324aa04005e ?
Thanks, works perfectly! :-)
Regards,
Martin