Squid basic_pam_auth module issue

Started by mwerth, March 04, 2020, 09:29:51 AM

March 04, 2020, 09:29:51 AM Last Edit: March 04, 2020, 10:57:45 AM by mwerth
Hello,

we've installed an OPNsense 20.1.1 system and want to configure the Squid proxy with LDAP authentication.
In the web UI, we configured the LDAP server for authentication. The setup is correct because we could see successful bind requests in the LDAP server log.

Squid logs an error in /var/log/squid/cache.log:

...  kid1| helperHandleRead: unexpected read from basicauthenticator #Hlpr1, 4 bytes 'OK
'
...  kid1| helperHandleRead: unexpected read from basicauthenticator #Hlpr1, 4 bytes 'OK
'
This is our proxy auth module configuration at the system:

# grep -r auth_ /usr/local/etc/squid/|grep -v '#'
/usr/local/etc/squid/squid.conf:auth_param basic program /usr/local/libexec/squid/basic_pam_auth -o
/usr/local/etc/squid/squid.conf:auth_param basic realm OPNsense proxy authentication
/usr/local/etc/squid/squid.conf:auth_param basic credentialsttl 2 hours
/usr/local/etc/squid/squid.conf:auth_param basic children 5
But the proxy auth module sends an additional line.

# echo 'martin VerySecurePassword'|/usr/local/libexec/squid/basic_pam_auth -o
{"dn":"uid=martin,ou=People,dc=lwsystems,dc=intern"}
OK

The line starting with {"dn":"... is causing the error.

UGLY WORKAROUND

We moved the file basic_pam_auth to basic_pam_auth_ORG and created a wrapper script.

Content of wrapper script:
#!/usr/local/bin/perl
#
# Wrapper around the renamed basic_pam_auth_ORG: forwards each request line
# from Squid and drops the leading {"dn":...} line so that only the OK/ERR
# answer reaches Squid.
use strict;
use warnings;

$| = 1;  # no buffering on STDOUT

# pass the wrapper's own arguments (e.g. -o from squid.conf) on to the real helper
my $args = join ' ', map { quotemeta } @ARGV;

while (my $line = <STDIN>) {
    open(my $auth, '|-', "/usr/local/libexec/squid/basic_pam_auth_ORG $args | grep -v '^{\"dn\"'")
        or die "cannot start basic_pam_auth_ORG: $!";
    print $auth $line;
    close $auth;
}

mv  basic_pam_auth basic_pam_auth_ORG
vi basic_pam_auth
chmod 0755 basic_pam_auth

Edit: Workaround added.

Regards,
Martin
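Squid's basic authentication helper protocol is strictly line oriented: Squid writes one request line (URL-encoded username and password) and expects exactly one reply line starting with OK, ERR or BH, optionally followed by key=value pairs. The two-line reply shown above breaks that pairing, which is why Squid logs the trailing 'OK' as an unexpected read. The checker below is an added example written for this thread, not code from OPNsense, Squid or the poster; it assumes a POSIX sh is available for the two constructed stand-in helpers, which only imitate the output shape of the broken and the fixed basic_pam_auth and do no real authentication.

```python
"""Conformance check for a Squid basic auth helper (added example, not from the thread).

Squid writes one request line "username password\n" (both URL-encoded) and
expects exactly one reply line starting with OK, ERR or BH, optionally
followed by key=value pairs. A helper that emits an extra line, like the
{"dn":...} line in the thread, desynchronises the exchange.
"""
import subprocess
from urllib.parse import quote

RESULT_CODES = ("OK", "ERR", "BH")


def parse_helper_response(raw: bytes) -> dict:
    """Validate one helper reply against the protocol described above.

    Returns {"ok": True, "result": code, "kv": {...}} for a conforming reply
    and {"ok": False, "problem": ...} otherwise.
    """
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\n")
    if lines and lines[-1] == "":      # drop the empty element after the final newline
        lines.pop()
    if len(lines) != 1:
        return {"ok": False,
                "problem": f"expected 1 line, got {len(lines)}: {lines!r}"}
    fields = lines[0].split()
    if not fields or fields[0] not in RESULT_CODES:
        return {"ok": False,
                "problem": f"line does not start with OK/ERR/BH: {lines[0]!r}"}
    kv = {}
    for field in fields[1:]:
        if "=" not in field:
            return {"ok": False, "problem": f"unexpected token {field!r}"}
        key, value = field.split("=", 1)
        kv[key] = value
    return {"ok": True, "result": fields[0], "kv": kv}


def run_helper(cmd, username: str, password: str) -> dict:
    """Send one request to a helper command the way Squid does and parse the reply."""
    request = f"{quote(username, safe='')} {quote(password, safe='')}\n".encode()
    proc = subprocess.run(cmd, input=request, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, timeout=10)
    return parse_helper_response(proc.stdout)


# Constructed stand-ins for the two behaviours seen in the thread; they only
# model the output shape and do no authentication. The DN is the one from the post.
BROKEN_HELPER = ["sh", "-c",
                 'read -r line; echo \'{"dn":"uid=martin,ou=People,dc=lwsystems,dc=intern"}\'; echo OK']
FIXED_HELPER = ["sh", "-c", "read -r line; echo OK"]


def check(cmd) -> dict:
    """Run a helper once with the credentials from the post and return the parsed verdict."""
    return run_helper(cmd, "martin", "VerySecurePassword")


if __name__ == "__main__":
    for name, cmd in (("broken", BROKEN_HELPER), ("fixed", FIXED_HELPER)):
        print(name, check(cmd))
```

Point `run_helper` at the real `/usr/local/libexec/squid/basic_pam_auth -o` (as root, since PAM needs it) to confirm whether a given build answers with one line or two before touching squid.conf.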

Hi Martin,

Can you try https://github.com/opnsense/core/commit/41cf191205cf627f1820bf43c745e324aa04005e ?

Installable with the following command:

opnsense-patch 41cf191


It's a side effect of something we need in the future to pass data to OpenVPN, but we seem to have missed that squid pam just passes the output.

Best regards,

Ad