OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: xupetas on May 22, 2019, 10:13:46 am

Title: SQUID + LDAP error since upgrade.
Post by: xupetas on May 22, 2019, 10:13:46 am
Hello,

Since my upgrade from 19.1.4 to 19.1.7 my ldap auth with squid stopped working.
I've looked inside my backups and found that the auth part of squid.conf has changed:

From:
auth_param basic program /usr/local/etc/inc/plugins.inc.d/squid/auth-user.php

To:
auth_param basic program  /usr/local/libexec/squid/basic_pam_auth -o

What happened to the original basic program auth-user.php? Was it discontinued? How was it replaced?

It is still possible to authenticate against an LDAP server with a few lines of configuration:

auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -b "dc=net,dc=xpto" -f "uid=%s" ipa.net.xpto:33389 -D uid=query_squid_bind,cn=users,cn=accounts,dc=net,dc=xpto -w xxxxxxxxx


external_acl_type memberof %LOGIN /usr/local/libexec/squid/ext_ldap_group_acl -P -R -b "dc=net,dc=xpto" -D uid=query_squid_bind,cn=users,cn=accounts,dc=net,dc=xpto -w xxxxxx -h ipa.net.xpto:33389 -f "(&(objectclass=*)(memberof=cn=app_squid_users,cn=groups,cn=accounts,dc=net,dc=xpto)(uid=%uid))"


This works fine, but it's a deviation from using the webgui and I would like to avoid it.
How can ldapauth be made to work with the configuration passed by the GUI?
What am I missing?

Can you help me please?
Thanks
Title: Re: SQUID + LDAP error since upgrade.
Post by: franco on May 22, 2019, 02:36:01 pm
Hi,

PAM should do the same as auth.php now but with less friction. LDAP is still handled in PHP code and it might be that 19.1.4 -> 19.1.7 leaves the opportunity open for breakage not related to auth.php removal in particular.

You can use "opnsense-revert -r 19.1.6 opnsense" et al to pinpoint the change. That would be helpful to know before proceeding.


Cheers,
Franco
Title: Re: SQUID + LDAP error since upgrade.
Post by: xupetas on May 22, 2019, 03:07:35 pm
Hi Franco,

The auth using basic_pam_auth does not work. And if I test the auth via the system/access/tester it works perfectly.

Why, if it's working the same? Is there any log where I can check the error?

Thanks
Nuno
Title: Re: SQUID + LDAP error since upgrade.
Post by: franco on May 22, 2019, 04:47:08 pm
Hi Nuno,

As I said the code is the same. It simply goes through an additional layer of authentication now which doesn't mean there couldn't be a problem with it. Question is why is there no error? Do you see LDAP queries being sent?

You can test this internally using:

# opnsense-login -s squid -u username


Cheers,
Franco
Title: Re: SQUID + LDAP error since upgrade.
Post by: xupetas on May 22, 2019, 05:17:43 pm
#  opnsense-login -s squid -u xupetas
Password:
User xupetas NOT authenticated for service squid

And the user exists in the LDAP, is valid and unlocked, and I see queries being sent to the LDAP server.
Also, if I go via webgui, on the tester section I can authenticate the user xupetas without issues.

Is there a log where I can see the error from within OPNsense?
Title: Re: SQUID + LDAP error since upgrade.
Post by: franco on May 23, 2019, 02:22:28 pm
Is there nothing in the system log regarding this?

# clog /var/log/system.log

I'm not sure how to reproduce... might need SSH access to the box temporarily if you are willing.


Cheers,
Franco
Title: Re: SQUID + LDAP error since upgrade.
Post by: xupetas on May 24, 2019, 09:43:12 am
Hello Franco,

clog /var/log/system.log
 (empty)

There is something wrong in the squid auth module:

May 24 08:38:48 vparfw01 opnsense: user xupetas could not authenticate for squid, failed constraints on OPNsense\Auth\Services\Squid authenticated via OPNsense\Auth\Local
May 24 08:38:48 vparfw01 opnsense-login: in openpam_dispatch(): all modules were unsuccessful for pam_sm_authenticate()
May 24 08:39:13 vparfw01 opnsense-login: in prompt_tty(): caught signal 2
May 24 08:39:25 vparfw01 opnsense: user xupetas authenticated successfully for ipsec [using OPNsense\Auth\Services\IPsec + OPNsense\Auth\LDAP]


In the logs, I've tried to login with the same credentials on my ipsec vpn and my squid. Please note the difference in the log:

On SQUID:  OPNsense\Auth\Local
On IPSEC: OPNsense\Auth\Services\IPsec + OPNsense\Auth\LDAP

The second goes to try ldap. The pam one, stays put on the local users and does not go to ldap.
Does this help?

If not, I will try to set up a dummy null-routed OPNsense with some of my config so you can access it and see what's wrong.

Xupetas
Title: Re: SQUID + LDAP error since upgrade.
Post by: franco on May 24, 2019, 11:52:04 am
Well, it looks like LDAP wasn't configured for Squid?

It also looks like the user-proxy-auth privilege is missing here for the user, which should have been there already?


Cheers,
Franco
Title: Re: SQUID + LDAP error since upgrade.
Post by: xupetas on May 24, 2019, 12:40:09 pm
"Well, it looks like LDAP wasn't configured for Squid"

My bad. I had it disabled when I sent the logs, so it would not mess with the auth done by the basic_ldap_auth method.

# opnsense-login -s squid -u xupetas
Password:
User xupetas NOT authenticated for service squid
# opnsense-login -s squid -u xupetas
Password:
User xupetas NOT authenticated for service squid
# opnsense-login -s ipsec -u xupetas
Password:
User xupetas successfully authenticated for service ipsec

With the method enabled in squid, I am getting:

May 24 11:33:26 vparfw01 opnsense: user xupetas could not authenticate for squid, failed constraints on OPNsense\Auth\Services\Squid authenticated via OPNsense\Auth\LDAP
May 24 11:33:26 vparfw01 opnsense-login: in openpam_dispatch(): all modules were unsuccessful for pam_sm_authenticate()
May 24 11:35:19 vparfw01 opnsense: user xupetas could not authenticate for squid, failed constraints on OPNsense\Auth\Services\Squid authenticated via OPNsense\Auth\LDAP
May 24 11:35:19 vparfw01 opnsense-login: in openpam_dispatch(): all modules were unsuccessful for pam_sm_authenticate()
May 24 11:35:26 vparfw01 opnsense: user xupetas authenticated successfully for ipsec [using OPNsense\Auth\Services\IPsec + OPNsense\Auth\LDAP]


Thanks for your help. Any insight?
Title: Re: SQUID + LDAP error since upgrade.
Post by: franco on May 24, 2019, 12:54:31 pm
Ok, so far so good. The user "xupetas" is actually required to be imported from LDAP and given the privilege "Proxy: Login" for the proxy authentication to succeed. That is how it has always been, but maybe LDAP did not enforce it properly. Not sure, but it should work once that is in place and then we can figure out why it didn't work before maybe.


Cheers,
Franco
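The log lines xupetas posted and Franco's explanation of the constraint can be turned into a small triage script. This is an added example, not OPNsense code; it parses the "opnsense:" auth lines from this thread and reports whether the password was checked against the local database or LDAP, and whether the failure is the per-service constraint (for squid, the "Proxy: Login" privilege) rather than a bad password.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample made from the opnsense-login log lines quoted in this thread.
SAMPLE_LOG = r"""
May 24 08:38:48 vparfw01 opnsense: user xupetas could not authenticate for squid, failed constraints on OPNsense\Auth\Services\Squid authenticated via OPNsense\Auth\Local
May 24 08:38:48 vparfw01 opnsense-login: in openpam_dispatch(): all modules were unsuccessful for pam_sm_authenticate()
May 24 08:39:25 vparfw01 opnsense: user xupetas authenticated successfully for ipsec [using OPNsense\Auth\Services\IPsec + OPNsense\Auth\LDAP]
May 24 11:33:26 vparfw01 opnsense: user xupetas could not authenticate for squid, failed constraints on OPNsense\Auth\Services\Squid authenticated via OPNsense\Auth\LDAP
"""

# Common prefix of the "opnsense:" auth lines: syslog timestamp, host, user.
_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) opnsense: user (?P<user>\S+) "
FAIL_RE = re.compile(_PREFIX + r"could not authenticate for (?P<service>[^,]+), "
                     r"failed constraints on \S+ authenticated via (?P<backend>\S+)$")
OK_RE = re.compile(_PREFIX + r"authenticated successfully for (?P<service>\S+) "
                   r"\[using \S+ \+ (?P<backend>\S+)\]$")

@dataclass
class AuthEvent:
    ts: str
    user: str
    service: str   # "squid", "ipsec", ...
    backend: str   # authenticator class, e.g. OPNsense\Auth\LDAP or OPNsense\Auth\Local
    success: bool  # False means "failed constraints" in the lines this thread shows

def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one syslog line; the openpam_dispatch lines carry no user and yield None."""
    for rx, ok in ((OK_RE, True), (FAIL_RE, False)):
        m = rx.match(line)
        if m:
            return AuthEvent(m["ts"], m["user"], m["service"], m["backend"], ok)
    return None

def parse_log(text: str) -> List[AuthEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def diagnose(ev: AuthEvent) -> str:
    """Map a failure to the two causes this thread ran into."""
    if ev.success:
        return "ok"
    if ev.backend.endswith("\\Local"):
        # Only the local user database was consulted: no LDAP server is
        # selected for this service (xupetas had it disabled for squid).
        return "backend is Local, not LDAP: select the LDAP server for this service"
    # LDAP accepted the password but the per-service constraint rejected the
    # user; for squid that was the missing 'Proxy: Login' privilege.
    return "LDAP accepted the password; service constraint failed (squid: 'Proxy: Login' privilege missing)"
```

Run it against `clog /var/log/system.log` output on a box showing the same symptom; a "failed constraints ... via OPNsense\Auth\LDAP" line means the directory did its job and the fix is on the OPNsense side.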
Title: Re: SQUID + LDAP error since upgrade.
Post by: xupetas on May 24, 2019, 01:10:26 pm
Now you lost me.

Proxy: Login - "imported from LDAP and given the privilege 'Proxy: Login'"

How can I import a user from LDAP into the OPNsense users?

The webgui always asks me for a password as if I were creating a local user. That kind of defeats the purpose of centralized user authentication, and the need for a specific privilege inside OPNsense - and not being a part of an LDAP group - also defeats the plus of permissions being imported from a centralized user authentication service.

This is already being done by the ipsec auth modules: I can have a user authenticate and connect, without the need for any special permissions, with everything login-related being controlled by the LDAP directory service.

Is this possible?

Many Thanks!!
Title: Re: SQUID + LDAP error since upgrade.
Post by: franco on May 24, 2019, 03:20:45 pm
Hi Nuno,

Looks like this proxy auth always had a little quirk. This should help although it's not 100% what it did before:

https://github.com/opnsense/core/commit/450ff5b5

# opnsense-patch 450ff5b5

Since the code will work like IPsec in 19.7 (that was already the plan, see below) I think we can do this shortcut and prevent multiple migrations. Thanks for spotting this. :)

https://github.com/opnsense/core/issues/3250


Cheers,
Franco
Title: Re: SQUID + LDAP error since upgrade.
Post by: xupetas on May 26, 2019, 08:19:26 pm
Thank you. As soon as my users let me I will take the proxy offline and test.