Discussion:
[squid-users] Problems with ldap authentication
Marcio Demetrio Bacci
2015-12-07 18:47:57 UTC
Permalink
My LDAP Authentication do not work in Squid. I have already saw many
tutorials, but nothing solve this problem.
I have installed Squid 3.4 on Debian 8. My DC is a* Samba 4.2.*
In /var/log/squid3/cache.log appear the message:
*squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'*

Follows my squid.conf


http_port 3128
cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90
maximum_object_size 512 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
quick_abort_min -1 KB
detect_broken_pconn on
fqdncache_size 1024
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_dir aufs /var/spool/squid3 600 16 256

auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b
“dc=empresa,dc=com,dc=br” -D “cn=Administrator,dc=empresa,dc=com,dc=br” -w
"1234" -f sAMAccountName=%s -h 192.168.0.25
auth_param basic children 50
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute

visible_hostname proxy.empresa.com.br
acl localhost src 192.168.0.54/32
acl SSL_ports port 22 443 563
acl Safe_ports port 80 8080
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
acl users proxy_auth REQUIRED
http_access allow users
acl lan src 192.168.0.0/22
http_access allow lan
http_access deny all
error_directory /usr/share/squid3/errors/en
coredump_dir /var/spool/squid3

Márcio
Amos Jeffries
2015-12-08 00:10:58 UTC
Permalink
Post by Marcio Demetrio Bacci
My LDAP Authentication do not work in Squid. I have already saw many
tutorials, but nothing solve this problem.
I have installed Squid 3.4 on Debian 8. My DC is a* Samba 4.2.*
*squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'*
That is your Squid helper being unable to access the LDAP server at
192.168.0.25. The credentials you have configured it to use to access
the LDAP (-D -w) are not working.


Also, squid_ldap_auth is not part of the Squid-3.4 package on Debian.
That might be part of the problem. Squid-3.4 provides basic_ldap_auth.

Amos
Marcio Demetrio Bacci
2015-12-08 03:00:01 UTC
Permalink
I have changed my authentication block as below, but is not working.

The proxy user is a Read Only Domain Controller member. The password is
correct.

Samba4, krb5-user and winbindd are installed and work perfectly. Do I need
install any other package?

How can I test in command line?

Have anything wrong in my authentication block ?

auth_param basic program /usr/lib/squid3/basic_ldap_auth -b
cn=users,dc=empresa,dc=com,dc=br -D
cn=proxy,cn=users,dc=empresa,dc=com,dc=br -w test_12345 -h 192.168.0.25 -p
389 -s sub -v 3 -f "sAMAccountName=%s"
auth_param basic children 50
auth_param basic realm Proxy Server Squid
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

With the command "ldbsearch -H /opt/samba/private/sam.ldb
'(objectclass=user)' uidNumber gidNumber ", my result is:
# record 881
dn: CN=proxy,CN=Users,DC=empresa,DC=com,DC=br
uidNumber: 10558
gidNumber: 30037

Regards,

Márcio
Post by Marcio Demetrio Bacci
Post by Marcio Demetrio Bacci
My LDAP Authentication do not work in Squid. I have already saw many
tutorials, but nothing solve this problem.
I have installed Squid 3.4 on Debian 8. My DC is a* Samba 4.2.*
*squid_ldap_auth: WARNING, could not bind to binddn 'Invalid
credentials'*
That is your Squid helper being unable to access the LDAP server at
192.168.0.25. The credentials you have configured it to use to access
the LDAP (-D -w) are not working.
Also, squid_ldap_auth is not part of the Squid-3.4 package on Debian.
That might be part of the problem. Squid-3.4 provides basic_ldap_auth.
Amos
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
Amos Jeffries
2015-12-08 08:23:38 UTC
Permalink
Post by Marcio Demetrio Bacci
I have changed my authentication block as below, but is not working.
The proxy user is a Read Only Domain Controller member. The password is
correct.
Samba4, krb5-user and winbindd are installed and work perfectly. Do I need
install any other package?
What authentication system do you think you are using? Basic or
Kerberos? because you configured Basic.
Post by Marcio Demetrio Bacci
How can I test in command line?
Everthign in squid.conf after the "auth_param basic program " is the
command line for the helper.
* Run that command line:
/usr/lib/squid3/basic_ldap_auth \
-b cn=users,dc=empresa,dc=com,dc=br \
-D cn=proxy,cn=users,dc=empresa,dc=com,dc=br -w test_12345 \
-h 192.168.0.25 -p 389 -s sub -v 3 -f "sAMAccountName=%s"

* If nothing happens and it just waits for input, it has started properly.

* Enter two words on each line, username and password for a user account
which might be using Squid. Try both valid and invalid combos.

* The helper will reply OK (valid) or ERR (invalid) if it has been a
successful check. BH if there was a failure.
Post by Marcio Demetrio Bacci
Have anything wrong in my authentication block ?
auth_param basic program /usr/lib/squid3/basic_ldap_auth -b
cn=users,dc=empresa,dc=com,dc=br -D
cn=proxy,cn=users,dc=empresa,dc=com,dc=br -w test_12345 -h 192.168.0.25 -p
389 -s sub -v 3 -f "sAMAccountName=%s"
auth_param basic children 50
auth_param basic realm Proxy Server Squid
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
Nothing particularly visible to me. But that said I'm not a regular user
of LDAP, so there could be something subtle hiding in the LDAP query
strings or ither parameters that deos not match what your LDAP service
needs.
Post by Marcio Demetrio Bacci
With the command "ldbsearch -H /opt/samba/private/sam.ldb
# record 881
dn: CN=proxy,CN=Users,DC=empresa,DC=com,DC=br
uidNumber: 10558
gidNumber: 30037
The U on Users is upper case in this test. It is lower case in your
config file.

The DC/dc CN/cn values are also different case. That might matter to
your LDAP system.

If either of those turn out to be the problem, then you will need to fix
the -b parameter as well.


Amos
Marcio Demetrio Bacci
2015-12-08 17:14:45 UTC
Permalink
Hi

In the Squid Server, I want only basic authentication.

The command:

/usr/lib/squid3/basic_ldap_auth \
-b cn=users,dc=empresa,dc=com,dc=br \
-D cn=proxy,cn=users,dc=empresa,dc=com,dc=br -w test_12345 \
-h 192.168.0.25 -p 389 -s sub -v 3 -f "sAMAccountName=%s"

shows "Success" to authenticate only the users in Organization Unity (OU)
"Users", but in my domain I have many OU that has users as TI, Financial,
Sales..

How I get authenticate the users in others OU?

Thanks,

Márcio
Post by Amos Jeffries
Post by Marcio Demetrio Bacci
I have changed my authentication block as below, but is not working.
The proxy user is a Read Only Domain Controller member. The password is
correct.
Samba4, krb5-user and winbindd are installed and work perfectly. Do I
need
Post by Marcio Demetrio Bacci
install any other package?
What authentication system do you think you are using? Basic or
Kerberos? because you configured Basic.
Post by Marcio Demetrio Bacci
How can I test in command line?
Everthign in squid.conf after the "auth_param basic program " is the
command line for the helper.
/usr/lib/squid3/basic_ldap_auth \
-b cn=users,dc=empresa,dc=com,dc=br \
-D cn=proxy,cn=users,dc=empresa,dc=com,dc=br -w test_12345 \
-h 192.168.0.25 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
* If nothing happens and it just waits for input, it has started properly.
* Enter two words on each line, username and password for a user account
which might be using Squid. Try both valid and invalid combos.
* The helper will reply OK (valid) or ERR (invalid) if it has been a
successful check. BH if there was a failure.
Post by Marcio Demetrio Bacci
Have anything wrong in my authentication block ?
auth_param basic program /usr/lib/squid3/basic_ldap_auth -b
cn=users,dc=empresa,dc=com,dc=br -D
cn=proxy,cn=users,dc=empresa,dc=com,dc=br -w test_12345 -h 192.168.0.25
-p
Post by Marcio Demetrio Bacci
389 -s sub -v 3 -f "sAMAccountName=%s"
auth_param basic children 50
auth_param basic realm Proxy Server Squid
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
Nothing particularly visible to me. But that said I'm not a regular user
of LDAP, so there could be something subtle hiding in the LDAP query
strings or ither parameters that deos not match what your LDAP service
needs.
Post by Marcio Demetrio Bacci
With the command "ldbsearch -H /opt/samba/private/sam.ldb
# record 881
dn: CN=proxy,CN=Users,DC=empresa,DC=com,DC=br
uidNumber: 10558
gidNumber: 30037
The U on Users is upper case in this test. It is lower case in your
config file.
The DC/dc CN/cn values are also different case. That might matter to
your LDAP system.
If either of those turn out to be the problem, then you will need to fix
the -b parameter as well.
Amos
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
Kinkie
2015-12-08 18:16:54 UTC
Permalink
On Tue, Dec 8, 2015 at 6:14 PM, Marcio Demetrio Bacci
Post by Marcio Demetrio Bacci
Hi
In the Squid Server, I want only basic authentication.
/usr/lib/squid3/basic_ldap_auth \
-b cn=users,dc=empresa,dc=com,dc=br \
-D cn=proxy,cn=users,dc=empresa,dc=com,dc=br -w test_12345 \
-h 192.168.0.25 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
shows "Success" to authenticate only the users in Organization Unity (OU)
"Users", but in my domain I have many OU that has users as TI, Financial,
Sales..
How I get authenticate the users in others OU?
Since you are using "sub" as search scope, you simply have to move up
one level in the base-DN tree.
Change the parameter
-b cn=users,dc=empresa,dc=com,dc=br
to
-b dc=empresa,dc=com,dc=br

Francesco Chemolli
Marcio Demetrio Bacci
2015-12-08 23:57:38 UTC
Permalink
Hi,

I changed the parameter, but I received the following error:

basic_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR Success

The command line used:

/usr/lib/squid3/basic_ldap_auth \
-b dc=empresa,dc=com,dc=br \
-D cn=proxy,cn=users,dc=empresa,dc=com,dc=br -w test_12345 \
-h 192.168.0.25 -p 389 -s sub -v 3 -f "sAMAccountName=%s"

My Samba4 Structure is:

empresa.com.br
Users
Computers
Builtin
Domain Controllers
ForeignSecurityPrincipals
EMPRESA
IT
Users
Sales
Users
...
Post by Kinkie
On Tue, Dec 8, 2015 at 6:14 PM, Marcio Demetrio Bacci
Post by Marcio Demetrio Bacci
Hi
In the Squid Server, I want only basic authentication.
/usr/lib/squid3/basic_ldap_auth \
-b cn=users,dc=empresa,dc=com,dc=br \
-D cn=proxy,cn=users,dc=empresa,dc=com,dc=br -w test_12345 \
-h 192.168.0.25 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
shows "Success" to authenticate only the users in Organization Unity
(OU)
Post by Marcio Demetrio Bacci
"Users", but in my domain I have many OU that has users as TI, Financial,
Sales..
How I get authenticate the users in others OU?
Since you are using "sub" as search scope, you simply have to move up
one level in the base-DN tree.
Change the parameter
-b cn=users,dc=empresa,dc=com,dc=br
to
-b dc=empresa,dc=com,dc=br
Francesco Chemolli
Continue reading on narkive:
Loading...