[SOLVED] Proxy LDAP auth issue

Started by cdburgess75, November 30, 2015, 06:26:44 AM

November 30, 2015, 06:26:44 AM Last Edit: December 25, 2015, 02:55:07 PM by franco
I am having an issue getting squid to accept the credentials for AD users. All my diagnostics are good with the built-in tools for OPNsense. The LDAP connection is working fine. But when I try to log in I get `squid: user 'dave' could not authenticate` in the logs. I see this in auth.inc and was wondering if maybe it is still work in progress:
```php
function authenticate_user($username, $password, $authcfg = NULL) {

   if (empty($authcfg)) {
      $authName = 'Local Database';
   } else {
      $authName = $authcfg['name'];
      if ($authcfg['type'] == 'local') {
         // avoid gettext type issues on Local Database, authenticator should always be named "Local Database"
         $authName = 'Local Database';
      } elseif ($authcfg['type'] == 'ldap') {
         // temporary fix, ldap handler doesn't do this init yet.
         ldap_setup_caenv($authcfg);
      }
      // ... remainder of the function was not quoted in the post
   }
}
```

The code is not a work in progress. When did you start working with squid/AD auth? 15.7.18 switched the authentication backend, but maybe there is a regression in conjunction with squid. Will report back soon. :)

Awesome job by the way. I love the firewall. To answer you, I started trying to get this working (LDAP proxy auth) a few days ago. I was able to import all the users and see all the containers. Diag checks out fine. This appliance was upgraded from 15.7.1 to 15.7.20 prior to the attempt. So we have the latest version now. If there is anything I can do to help let me know.

The proxy auth plugin only functions for the primary authentication option at the moment and tries to locate a local user role "user-proxy-auth" before doing the actual authentication (in src/etc/inc/squid.auth-user.php).

I think we should revise this a bit, it's probably better to make the authentication option selectable in the user interface and only use the local role for users in the local database.

We're using a similar option for the new captive portal already, let me try to squeeze this feature in here as well (somewhere this week).
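To make the plugin behaviour described above concrete, here is an added example (not OPNsense's squid.auth-user.php) of a Squid basic-auth helper: Squid writes one "username password" line per login attempt to the helper's stdin and expects "OK" or "ERR" back; the helper tries each configured authenticator in order and applies the local proxy role only to local-database users. The sample accounts, the `make_static_auth` stand-in for a second backend, and the assumption that Squid 3.x URL-encodes both fields are constructed for the example.

```python
import sys
from urllib.parse import unquote

# Constructed sample "local database": password plus the local roles held.
LOCAL_USERS = {
    "alice": {"password": "s3cret", "roles": ["user-proxy-auth"]},
    "bob":   {"password": "hunter2", "roles": []},
}
PROXY_ROLE = "user-proxy-auth"   # role name used by the plugin in the thread


def local_auth(username, password):
    """Local-database authenticator: password must match AND the user
    must hold the proxy role (the role check applies to local users only)."""
    user = LOCAL_USERS.get(username)
    if user is None or user["password"] != password:
        return False
    return PROXY_ROLE in user["roles"]


def make_static_auth(accounts):
    """Hypothetical stand-in for a second backend (e.g. an LDAP server);
    it only knows the constructed accounts it was built with, no role check."""
    def authenticate(username, password):
        return accounts.get(username) == password
    return authenticate


def handle_line(line, authenticators):
    """Map one helper request line to the "OK"/"ERR" reply; first
    authenticator that accepts the credentials wins."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"                     # malformed request from Squid
    # Assumed: Squid 3.x URL-encodes both fields so spaces survive.
    username, password = (unquote(p) for p in parts)
    for auth in authenticators:
        if auth(username, password):
            return "OK"
    return "ERR"                         # logged by Squid as "could not authenticate"


def serve(authenticators, stream_in=sys.stdin, stream_out=sys.stdout):
    """Helper main loop; each reply must be flushed or Squid will hang."""
    for line in stream_in:
        stream_out.write(handle_line(line, authenticators) + "\n")
        stream_out.flush()


if __name__ == "__main__":
    serve([local_auth, make_static_auth({"carol": "pa ss"})])
```

Squid starts as many copies as `auth_param basic children` says, so the helper must stay stateless between lines.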


I just added our new pluggable authentication system to the squid auth plugin and changed the user interface to support the selection.
When installed, you can add one or multiple authentication servers to be used with the proxy.

This commit contains the new feature: https://github.com/opnsense/core/commit/58ab1e61e3a50c8e3ed7033c69d1d20d9754aa96


The new feature is backwards compatible, so I think we will add it to the next release.

I will test this out tonight and reply. Thank you very much.

I edited the 3 files and restarted squid, but did not have good results. The problem I am having now is the complete opposite. Before I could not authenticate; now the authentication pop-up in the browser is not launching (as if maybe set to none or no authentication). But I have both local database and the LDAP connection selected in the new GUI interface. Processes are running fine, my http requests are logged fine as well. However, the syslog shows no attempt at authentication like before. Hmmm :)

Sorry about that, forgot to change the template to accept the different setting...
This commit should fix the issue: https://github.com/opnsense/core/commit/e34dd6a60b291627e8cabc090924d5f2ce37b6b7


It worked when nothing was changed (only local), but as soon as you started using the feature it didn't match any more ;)

Both changes are on opnsense-devel 15.7.99_1623 (15.7.21 development) so they can be easily tested.

https://forum.opnsense.org/index.php?topic=917.0

Thank you so much. I will check this out in 2 days and report back.

I went ahead and started with a fresh copy of OPNsense 15.7.22-amd64. I configured LDAP successfully and diag tested out fine. All the same steps as before. Enabling squid, etc. However, I cannot get a pop-up asking me to authenticate. All traffic is passing through squid according to the logs. Also, it allows normal traffic without the proxy. Not sure what's going on, is there anything I can help with?

Can you check if the auth application is inserted into your config?

In /usr/local/etc/squid/squid.conf there should be a blob of data like this:

```
auth_param basic program /usr/local/etc/inc/squid.auth-user.php
auth_param basic realm OPNsense proxy authentication
auth_param basic credentialsttl 2 hours
auth_param basic children 5
# ACL - Local Authorized Users - local_auth
acl local_auth proxy_auth REQUIRED
```


If it is, do you have any access control lists defined?

Yes, I checked: the auth app is inserted like that word for word. Also, I have not defined any ACLs yet.

Oops, missed a line in my previous commit:
https://github.com/opnsense/core/commit/e96aa187c869b5d756d5a659f63734fee4dc7799

When an authentication other than local is selected, it didn't link the ACL. Sorry about that.

OK, I tried it again. We are still not able to auth to the confirmed LDAP connection. We see in the logs that it is trying:

```
Dec 18 23:04:21   squid: user 'dave' could not authenticate.
Dec 18 23:04:21   squid: user 'dave' could not authenticate.
Dec 18 23:04:11   squid: user 'test' could not authenticate.
Dec 18 23:04:11   squid: user 'test' could not authenticate.
```

It seems to only work on the local DB. The AD LDAP connection is working and allows us to add users. I also gave the permission "proxy login" to a group and added them to that in the users section.