OPNsense Forum
English Forums => Web Proxy Filtering and Caching => Topic started by: mwerth on March 04, 2020, 09:29:51 am
-
Hello,
we've installed an OPNsense 20.1.1 system and want to configure the Squid proxy with LDAP authentication.
In the web UI, we configured the LDAP server for authentication. The setup is correct because we could see successful bind requests in the LDAP server log.
Squid logs an error in /var/log/squid/cache.log:
... kid1| helperHandleRead: unexpected read from basicauthenticator #Hlpr1, 4 bytes 'OK
'
... kid1| helperHandleRead: unexpected read from basicauthenticator #Hlpr1, 4 bytes 'OK
'
This is our proxy auth module configuration at the system:
# grep -r auth_ /usr/local/etc/squid/|grep -v '#'
/usr/local/etc/squid/squid.conf:auth_param basic program /usr/local/libexec/squid/basic_pam_auth -o
/usr/local/etc/squid/squid.conf:auth_param basic realm OPNsense proxy authentication
/usr/local/etc/squid/squid.conf:auth_param basic credentialsttl 2 hours
/usr/local/etc/squid/squid.conf:auth_param basic children 5
But the proxy auth module sends an additional line.
# echo 'martin VerySecurePassword'|/usr/local/libexec/squid/basic_pam_auth -o
{"dn":"uid=martin,ou=People,dc=lwsystems,dc=intern"}
OK
The line starting with {"dn":"... is causing the error.
UGLY WORKAROUND
We moved the file basic_pam_auth to basic_pam_auth_ORG and created a wrapper script.
Content of wrapper script:
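#!/usr/local/bin/perl
#
# Wrapper around the original helper: drops the extra {"dn":...} line
# so that Squid only sees the OK/ERR reply.
#
$|=1; # no buffering on STDOUT
while (<STDIN>) {
# start the original helper for each request line and filter its output
open AUTH, '|/usr/local/libexec/squid/basic_pam_auth_ORG | grep -v "dn"';
print AUTH $_;
close AUTH;
}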
mv basic_pam_auth basic_pam_auth_ORG
vi basic_pam_auth
chmod 0755 basic_pam_auth
Edit: Workaround added.
Regards,
Martin
-
Hi Martin,
Can you try https://github.com/opnsense/core/commit/41cf191205cf627f1820bf43c745e324aa04005e ?
Installable with the following command:
opnsense-patch 41cf191
It's a side effect of something we need in the future to pass data to OpenVPN, but we seem to have missed that squid pam just passes the output.
Best regards,
Ad
-
Can you try https://github.com/opnsense/core/commit/41cf191205cf627f1820bf43c745e324aa04005e ?
Thanks, works perfectly! :-)
Regards,
Martin
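-
The failure in this thread comes from the helper writing two lines for one request, while Squid expects exactly one reply line (OK, ERR or BH) per credential line. The following check is an added example, not part of the original posts or of OPNsense: it sends one request to a helper and reports any extra or malformed reply lines. The function name check_helper and the NOISY/CLEAN stand-in helpers are assumptions constructed for illustration.

```python
import subprocess
import sys

VALID_RESULTS = ("OK", "ERR", "BH")  # result codes a Squid helper may return


def check_helper(argv, request="martin ExamplePassword\n", timeout=5):
    """Send one request line to a helper; return (ok, problems, reply_lines)."""
    proc = subprocess.run(argv, input=request, capture_output=True,
                          text=True, timeout=timeout)
    lines = proc.stdout.splitlines()
    problems = []
    # Squid reads one reply per request; anything more is an "unexpected read".
    if len(lines) != 1:
        problems.append(f"expected 1 reply line, got {len(lines)}")
    # Every line must start with a result code, optionally followed by text.
    for n, line in enumerate(lines, 1):
        if line.split(" ", 1)[0] not in VALID_RESULTS:
            problems.append(f"line {n} is not a helper reply: {line!r}")
    return (not problems, problems, lines)


# Constructed stand-ins (not the real basic_pam_auth): NOISY prints a JSON
# line before the reply, as in the first post; CLEAN prints only the reply.
NOISY = [sys.executable, "-c",
         "import sys; sys.stdin.readline(); "
         "print('{\"dn\":\"uid=martin,ou=People,dc=example,dc=test\"}'); "
         "print('OK')"]
CLEAN = [sys.executable, "-c",
         "import sys; sys.stdin.readline(); print('OK')"]

if __name__ == "__main__":
    if sys.argv[1:]:
        # Real helper given on the command line: prompt for the credentials
        # so the password does not end up in the shell history.
        import getpass
        req = f"{input('user: ')} {getpass.getpass('password: ')}\n"
        ok, problems, lines = check_helper(sys.argv[1:], req)
    else:
        ok, problems, lines = check_helper(NOISY)
    print("replies:", lines)
    print("PASS" if ok else "FAIL: " + "; ".join(problems))
    sys.exit(0 if ok else 1)
```

Run it with the helper's path and arguments as parameters, for example before and after applying the patch, to compare the replies.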