Archive > 19.1 Legacy Series
SQUID + LDAP error since upgrade.
xupetas:
Hello,
Since my upgrade from 19.1.4 to 19.1.7 my ldap auth with squid stopped working.
I've looked inside my backups and found that the auth part of squid.conf has changed:
From:
auth_param basic program /usr/local/etc/inc/plugins.inc.d/squid/auth-user.php
To:
auth_param basic program /usr/local/libexec/squid/basic_pam_auth -o
What happened to the original basic program auth-user.php? Was it discontinued? How was it replaced?
It is still possible to authenticate against a ldap server with a few lines of configuration:
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -b "dc=net,dc=xpto" -f "uid=%s" ipa.net.xpto:33389 -D uid=query_squid_bind,cn=users,cn=accounts,dc=net,dc=xpto -w xxxxxxxxx
external_acl_type memberof %LOGIN /usr/local/libexec/squid/ext_ldap_group_acl -P -R -b "dc=net,dc=xpto" -D uid=query_squid_bind,cn=users,cn=accounts,dc=net,dc=xpto -w xxxxxx -h ipa.net.xpto:33389 -f "(&(objectclass=*)(memberof=cn=app_squid_users,cn=groups,cn=accounts,dc=net,dc=xpto)(uid=%uid))"
This works fine, but it's a deviation from using the webgui and I would like to avoid it.
How can ldapauth be made to work with the configuration passed by the GUI?
What am I missing?
Can you help me please?
Thanks
franco:
Hi,
PAM should do the same as auth.php now but with less friction. LDAP is still handled in PHP code and it might be that 19.1.4 -> 19.1.7 leaves the opportunity open for breakage not related to auth.php removal in particular.
You can use "opnsense-revert -r 19.1.6 opnsense" et al to pinpoint the change. That would be helpful to know before proceeding.
Cheers,
Franco
xupetas:
Hi Franco,
The auth using basic_pam_auth does not work. And if I test the auth via the system/access/tester, it works perfectly.
Why, if it's working the same? Is there any log where I can check the error?
Thanks
Nuno
franco:
Hi Nuno,
As I said, the code is the same. It simply goes through an additional layer of authentication now, which doesn't mean there couldn't be a problem with it. The question is: why is there no error? Do you see LDAP queries being sent?
You can test this internally using:
# opnsense-login -s squid -u username
Cheers,
Franco
xupetas:
# opnsense-login -s squid -u xupetas
Password:
User xupetas NOT authenticated for service squid
And the user exists in the LDAP, is valid and unlocked, and I see queries being sent to the LDAP server.
Also, if I go via the webgui, on the tester section I can authenticate the user xupetas without issues.
Is there a log where I can see the error from within OPNsense?
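The helpers named in this thread (basic_pam_auth, basic_ldap_auth, ext_ldap_group_acl) all speak the same line-based stdin/stdout protocol to Squid, so they can be driven by hand to isolate whether the failure is in the helper or in Squid's configuration. The script below is an added example, not code from the thread or from OPNsense; the helper paths, the user xupetas and the credential demo-pass are constructed, and a mock helper stands in for the real ones so it runs offline.

```shell
#!/bin/sh
# Added example: talk to a Squid auth helper exactly as Squid does.
# Squid writes one "username password" line per request to the helper's
# stdin and expects a reply line starting with OK, ERR or BH. Squid 3.2+
# percent-encodes both fields, so credentials containing spaces or '%'
# would need encoding before being sent (not handled here).

# helper_reply CMD LINE: start helper command CMD, send LINE, print the first reply line.
helper_reply() {
  printf '%s\n' "$2" | sh -c "$1" 2>/dev/null | head -n 1
}

# check_helper_login CMD USER PASS: return 0 only when the helper answers OK.
check_helper_login() {
  reply=$(helper_reply "$1" "$2 $3")
  case "$reply" in
    OK*) return 0 ;;
    *)   return 1 ;;
  esac
}

# check_group_acl CMD USER GROUP: same handshake for ext_ldap_group_acl,
# which receives "user group" and answers OK when the user is a member.
check_group_acl() {
  reply=$(helper_reply "$1" "$2 $3")
  case "$reply" in
    OK*) return 0 ;;
    *)   return 1 ;;
  esac
}

# make_mock_helper: constructed stand-in for the real helpers so this runs
# offline; it accepts only xupetas/demo-pass and membership in app_squid_users.
make_mock_helper() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
#!/bin/sh
while read -r user second; do
  if [ "$user" = "xupetas" ] && { [ "$second" = "demo-pass" ] || [ "$second" = "app_squid_users" ]; }; then
    echo OK
  else
    echo 'ERR message="rejected by mock"'
  fi
done
EOF
  chmod +x "$f"
  printf '%s\n' "$f"
}

# On the firewall itself the same wrappers would be called with the real helpers, e.g.
#   check_helper_login "/usr/local/libexec/squid/basic_pam_auth -o" xupetas 'secret'
```

An ERR from the helper with a plain ERR in the tester's favour points at the helper invocation (arguments, PAM service name), while an OK here with a failed browser login points at the squid.conf acl side.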