Archive > 19.1 Legacy Series

SQUID + LDAP error since upgrade.


xupetas:
Hello,

Since my upgrade from 19.1.4 to 19.1.7 my ldap auth with squid stopped working.
I've looked inside my backups and found that the auth part of squid.conf has changed:

From:
auth_param basic program /usr/local/etc/inc/plugins.inc.d/squid/auth-user.php

To:
auth_param basic program  /usr/local/libexec/squid/basic_pam_auth -o

What happened to the original basic program auth-user.php? Was it discontinued? How was it replaced?

It is still possible to authenticate against a ldap server with a few lines of configuration:

auth_param basic program  /usr/local/libexec/squid/basic_ldap_auth -b "dc=net,dc=xpto" -f "uid=%s" ipa.net.xpto:33389 -D uid=query_squid_bind,cn=users,cn=accounts,dc=net,dc=xpto -w xxxxxxxxx


external_acl_type memberof %LOGIN /usr/local/libexec/squid/ext_ldap_group_acl -P -R -b "dc=net,dc=xpto" -D uid=query_squid_bind,cn=users,cn=accounts,dc=net,dc=xpto -w xxxxxx -h ipa.net.xpto:33389 -f "(&(objectclass=*)(memberof=cn=app_squid_users,cn=groups,cn=accounts,dc=net,dc=xpto)(uid=%uid))"


This works fine, but it's a deviation from using the webgui and I would like to avoid it.
How can ldapauth be made to work with the configuration passed by the GUI?
What am I missing?

Can you help me please?
Thanks

franco:
Hi,

PAM should do the same as auth.php now but with less friction. LDAP is still handled in PHP code and it might be that 19.1.4 -> 19.1.7 leaves the opportunity open for breakage not related to auth.php removal in particular.

You can use "opnsense-revert -r 19.1.6 opnsense" et al to pinpoint the change. That would be helpful to know before proceeding.


Cheers,
Franco

xupetas:
Hi Franco,

The auth using basic_pam_auth does not work. And if I test the auth via System/Access/Tester, it works perfectly.

Why, if it's working the same? Is there any log where I can check the error?

Thanks
Nuno

franco:
Hi Nuno,

As I said, the code is the same. It simply goes through an additional layer of authentication now, which doesn't mean there couldn't be a problem with it. The question is: why is there no error? Do you see LDAP queries being sent?

You can test this internally using:

# opnsense-login -s squid -u username


Cheers,
Franco

xupetas:
# opnsense-login -s squid -u xupetas
Password:
User xupetas NOT authenticated for service squid

And the user exists in the LDAP, is valid and unlocked, and I see queries being sent to the LDAP server.
Also, if I go via the webgui, in the tester section I can authenticate the user xupetas without issues.

Is there a log where I can see the error from within OPNsense?
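The helper round trip the posts above are debugging, as an added example that is not part of this thread: Squid talks to `basic_pam_auth` / `basic_ldap_auth` over stdin/stdout, one `user password` line in and one `OK` / `ERR` / `BH` line out, and a helper's own diagnostics go to stderr, which Squid sends to cache.log. The script below drives any basic-auth helper the same way so the reply and stderr can be inspected directly; the stand-in helper and the `xupetas`/`secret` credentials are constructed for offline use, and `shlex` quoting is an approximation of how Squid parses quoted key=value pairs.

```python
"""Drive a Squid basic-auth helper the way Squid does, to see its reply and stderr."""
import shlex
import subprocess
import sys
from urllib.parse import quote, unquote


def encode_request(user: str, password: str) -> str:
    # Squid URL-encodes both fields, so spaces or '%' in a password survive the line protocol.
    return f"{quote(user, safe='')} {quote(password, safe='')}\n"


def parse_reply(line: str) -> dict:
    """Split 'OK', 'ERR message="bad credentials"' or 'BH ...' into status plus key=value pairs."""
    parts = shlex.split(line.strip())
    if not parts or parts[0] not in ("OK", "ERR", "BH"):
        raise ValueError(f"unexpected helper reply: {line!r}")
    result = {"status": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        result[key] = unquote(value)
    return result


def check_credentials(helper_cmd: list, user: str, password: str, timeout: float = 10) -> dict:
    """One request/reply round trip against the helper; stderr is kept for diagnostics."""
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, text=True)
    out, err = proc.communicate(encode_request(user, password), timeout=timeout)
    if not out:
        raise RuntimeError(f"helper gave no reply (exit {proc.returncode}); stderr: {err.strip()}")
    reply = parse_reply(out.splitlines()[0])
    reply["stderr"] = err.strip()   # PAM/LDAP helpers report bind or lookup failures here
    return reply


# Constructed stand-in helper (no PAM or LDAP needed): accepts exactly one credential pair.
FAKE_HELPER = [sys.executable, "-c",
               "import sys\nfrom urllib.parse import unquote\n"
               "for line in sys.stdin:\n"
               "    user, _, pw = line.strip().partition(' ')\n"
               "    ok = (unquote(user), unquote(pw)) == ('xupetas', 'secret')\n"
               "    print('OK' if ok else 'ERR message=\"bad credentials\"', flush=True)\n"]

if __name__ == "__main__":
    # Real use: python3 this.py /usr/local/libexec/squid/basic_pam_auth -o
    cmd = sys.argv[1:] or FAKE_HELPER
    print(check_credentials(cmd, "xupetas", "secret"))
```

Run against the real helper as the same user Squid runs as, so PAM and LDAP see the same environment Squid would.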
