OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: mwerth on March 04, 2020, 09:29:51 am

Title: Squid basic_pam_auth module issue
Post by: mwerth on March 04, 2020, 09:29:51 am
Hello,

We've installed an OPNsense 20.1.1 system and want to configure the Squid proxy with LDAP authentication.
In the web UI, we configured the LDAP server for authentication. The setup is correct because we could see successful bind requests in the LDAP server log.

Squid logs an error in /var/log/squid/cache.log:

Quote
...  kid1| helperHandleRead: unexpected read from basicauthenticator #Hlpr1, 4 bytes 'OK
'
...  kid1| helperHandleRead: unexpected read from basicauthenticator #Hlpr1, 4 bytes 'OK
'

This is our proxy auth module configuration on the system:

Quote
# grep -r auth_ /usr/local/etc/squid/|grep -v '#'
/usr/local/etc/squid/squid.conf:auth_param basic program /usr/local/libexec/squid/basic_pam_auth -o
/usr/local/etc/squid/squid.conf:auth_param basic realm OPNsense proxy authentication
/usr/local/etc/squid/squid.conf:auth_param basic credentialsttl 2 hours
/usr/local/etc/squid/squid.conf:auth_param basic children 5

But the proxy auth module sends an additional line.

Quote
# echo 'martin VerySecurePassword'|/usr/local/libexec/squid/basic_pam_auth -o
{"dn":"uid=martin,ou=People,dc=lwsystems,dc=intern"}
OK

The line starting with {"dn":"... is causing the error.

UGLY WORKAROUND

We moved the file basic_pam_auth to basic_pam_auth_ORG and created a wrapper script.

Content of wrapper script:
Quote
#!/usr/local/bin/perl
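#
# Wrapper for Squid: passes each credential line to the original helper
# and filters out the extra {"dn":...} line, so only OK/ERR is returned.
#
$|=1;  # no buffering on STDOUT
 
while (<STDIN>) {
  # start the original helper for this request; grep's output goes to our STDOUT
  open AUTH, '|/usr/local/libexec/squid/basic_pam_auth_ORG | grep -v "dn"';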
  print AUTH $_;
  close AUTH;
}

Quote
mv  basic_pam_auth basic_pam_auth_ORG
vi basic_pam_auth
chmod 0755 basic_pam_auth

Edit: Workaround added.

Regards,
Martin
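
Added example, not part of the original post and not OPNsense code: Squid expects exactly one reply line (OK, ERR or BH, optionally followed by key=value pairs) for each credential line it sends to a basic auth helper, which is why the extra {"dn":...} line shows up as an "unexpected read". The Python below filters helper output with an allowlist instead of `grep -v` and answers ERR when it does not find exactly one valid reply; the stand-in helper and all function names are constructed for this example.

```python
import re
import subprocess
import sys

# Reply codes a Squid basic auth helper may return, optionally with key=value pairs.
REPLY_RE = re.compile(r"^(OK|ERR|BH)( .*)?$")


def filter_reply(helper_stdout: str) -> str:
    """Reduce a helper's stdout for ONE request to exactly one reply line.

    Allowlist: any line that is not a protocol reply is dropped.
    Fail closed: no reply, or more than one reply, becomes ERR.
    """
    replies = [ln for ln in helper_stdout.splitlines() if REPLY_RE.match(ln)]
    if len(replies) != 1:
        return "ERR"
    return replies[0]


def ask_helper(argv, request_line: str, timeout: float = 10.0) -> str:
    """Run the helper once, pass credentials on stdin (never argv), filter the reply."""
    try:
        proc = subprocess.run(argv, input=request_line + "\n",
                              capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return "ERR"  # a helper that cannot run or hangs must not authenticate anyone
    return filter_reply(proc.stdout)


# Constructed stand-in for the chatty helper: prints a JSON line, then OK.
# On the firewall, argv would be the renamed original helper from the post above.
FAKE_HELPER = [sys.executable, "-c",
               'import sys; sys.stdin.readline(); print(\'{"dn":"uid=demo,dc=example"}\'); print("OK")']


def main() -> None:
    # Squid writes one "user password" line per lookup and expects one line back.
    for line in sys.stdin:
        sys.stdout.write(ask_helper(FAKE_HELPER, line.rstrip("\n")) + "\n")
        sys.stdout.flush()  # Squid blocks until it sees the reply


if __name__ == "__main__":
    main()
```
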

Title: Re: Squid basic_pam_auth module issue
Post by: AdSchellevis on March 04, 2020, 11:47:40 am
Hi Martin,

Can you try https://github.com/opnsense/core/commit/41cf191205cf627f1820bf43c745e324aa04005e ?

Installable with the following command:
Code:
opnsense-patch 41cf191

It's a side effect of something we need in the future to pass data to OpenVPN, but we seem to have missed that squid pam just passes the output.

Best regards,

Ad

Title: Re: Squid basic_pam_auth module issue
Post by: mwerth on March 04, 2020, 11:53:42 am
Quote
Can you try https://github.com/opnsense/core/commit/41cf191205cf627f1820bf43c745e324aa04005e ?

Thanks, works perfectly! :-)

Regards,
Martin