  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1814

Problem getting squid_ldap_auth to work in squid

I am trying to implement the authentication of users in squid via AD, but somehow it does not work; however, if I run the command on the command line it works flawlessly.

On command line:
/usr/sbin/squid_ldap_auth -P -R -b "dc=domain,dc=com" -D "cn=AdminUser,ou=Users,dc=domain,dc=com" -w 'Passw' -f sAMAccountName=%s -h "ADServer" -p 3268
AdminUser Passw
OK
AdminUser WrongPassw
ERR Invalid credentials

I get the login and password prompt in Firefox/IE when I start them. I then enter my user (AdminUser) and password (Passw), and when I click OK I immediately get the same login/password box again, over and over.
To test whether the squid config was fine, I modified the line "http_access allow proxyauth" to "http_access allow noproxyauth"; after this modification I can surf the web without problems.

In squid I have the following config:
....
auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b "dc=domain,dc=com" -D "cn=AdminUser,ou=Users,dc=domain,dc=com" -w 'Passw' -f sAMAccountName=%s -h "ADServer" -p 3268
auth_param basic children 5
auth_param basic realm Squid Proxy Server
auth_param basic credentialsttl 5 minutes

acl proxyauth proxy_auth REQUIRED
acl noproxyauth src 10.0.0.0/255.0.0.0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access allow proxyauth

http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny all
icp_access deny all
htcp_access deny all
Asked by: LBKwindowssystems2009

1 Solution
arnold commented:
Do you have SELinux enabled (sestatus)? If it is, disable SELinux and see if you get different behavior. You may need to use audit2allow to build the SELinux rules that allow squid to run the helper applications.

Check /var/log/messages for errors. Check the squid error log for errors. Check /var/log/audit/audit.log.
Any reason you did not go with the winbind/samba/ntlm option?
 
LBKwindowssystems2009 (Author) commented:
We don't have SELinux enabled on the server.

The squid log shows the following when I try (every entry of my login and password gives a new line):
1262852804.567     17 10.4.251.102 TCP_DENIED/407 1770 GET http://www.google.com/ AdminUser NONE/- text/html
The audit log stays clean.

The authentication processes seem to have started correctly:
ps -ef  | grep squid
root     21274     1  0 Jan06 ?        00:00:00 /usr/sbin/squid -d9 -sYD -f /etc/squid/squid.conf
squid    21276 21274  0 Jan06 ?        00:00:04 (squid) -d9 -sYD -f /etc/squid/squid.conf
squid    21282 21276  0 Jan06 ?        00:00:00 (unlinkd)
squid    22239 21276  0 Jan06 ?        00:00:00 (squid_ldap_auth) -P -R -b dc=domain,dc=com -D cn=AdminUser,ou=Users,dc=domain,dc=com -w 'Passw' -f sAMAccountName=%s -h ADServer -p 3268
squid    22240 21276  0 Jan06 ?        00:00:00 (squid_ldap_auth) -P -R -b dc=domain,dc=com -D cn=AdminUser,ou=Users,dc=domain,dc=com -w 'Passw' -f sAMAccountName=%s -h ADServer -p 3268
squid    22241 21276  0 Jan06 ?        00:00:00 (squid_ldap_auth) -P -R -b dc=domain,dc=com -D cn=AdminUser,ou=Users,dc=domain,dc=com -w 'Passw' -f sAMAccountName=%s -h ADServer -p 3268
squid    22242 21276  0 Jan06 ?        00:00:00 (squid_ldap_auth) -P -R -b dc=domain,dc=com -D cn=AdminUser,ou=Users,dc=domain,dc=com -w 'Passw' -f sAMAccountName=%s -h ADServer -p 3268
squid    22243 21276  0 Jan06 ?        00:00:00 (squid_ldap_auth) -P -R -b dc=domain,dc=com -D cn=AdminUser,ou=Users,dc=domain,dc=com -w 'Passw' -f sAMAccountName=%s -h ADServer -p 3268

and authentication works as the squid user if I run this on the command line:
sudo -u squid /usr/sbin/squid_ldap_auth -P -R -b "dc=domain,dc=com" -D "cn=AdminUser,ou=Users,dc=domain,dc=com" -w 'Passw' -f sAMAccountName=%s -h "ADServer" -p 3268
AdminUser Passw
OK

Some more info that could be useful:
rpm -qa | grep squid
squid-2.6.STABLE14-23
cat /etc/*release
openSUSE 10.3 (i586)
VERSION = 10.3

Thanks in advance for your help
 
arnold commented:
Can you try providing the credentials in the browser as domain\username and see if you see a difference?

What is running on the system is less important than the entry in the squid or the auth log. Check the AD to see what requests it is seeing, i.e. the request that makes it to the LDAP server might be something else, e.g. a variable instead of the actual username is being passed.
 
LBKwindowssystems2009 (Author) commented:
I managed to pinpoint the issue: there was a non-printable character in the config file on the squid_ldap_auth line. When I removed this character and restarted squid, everything worked nicely.

Thanks for the help!
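The thread ends with the cause (a stray non-printable byte on the auth_param line) but not with a repeatable way to find it. The script below is an added example, not code from the thread or from Squid, covering the three checks a practitioner would run against such a config: locate any byte outside printable ASCII and show it in hex; run the helper command exactly as it is written on the "auth_param basic program" line (not a retyped copy) with one "user password" line, the same protocol the manual test in the thread uses; and check that "deny !Safe_ports" and "deny CONNECT !SSL_ports" come before the first general "http_access allow", as in the stock squid.conf. In the posted config "allow proxyauth" comes first, so an authenticated user is never subject to those port restrictions. The file paths in the usage comment, and the fake helper the checks are exercised against, are assumptions. One further caveat visible in the posted ps output: the bind password given with -w is readable by every local user in a process listing; check whether your build of squid_ldap_auth supports reading it from a file instead.

```sh
#!/bin/sh
# Added example (not from the original thread or from Squid): sanity checks
# for a squid.conf whose auth helper works on the command line but not in squid.
# Paths in the usage comment at the bottom are assumptions.

# Print "N:line" for every line containing a byte outside printable ASCII,
# space and tab. LC_ALL=C makes [:print:] mean exactly 0x20-0x7E, so every
# control byte and every byte of a multi-byte UTF-8 character (e.g. a
# non-breaking space pasted from a web page) is reported. Exit status is
# grep's: 0 if something was found, 1 if the file is clean.
find_nonprintable() {
    LC_ALL=C grep -n '[^[:print:][:blank:]]' "$1"
}

# Show line N of a file as one line of hex bytes so the offending byte can be
# identified (a non-breaking space shows up as "c2 a0").
hex_line() {
    sed -n "${2}p" "$1" | od -An -v -tx1 | tr -s ' \n' ' '
}

# Extract the command from the "auth_param basic program ..." line exactly as
# written, run it, feed it one "user password" line and print the helper's
# first reply ("OK" or "ERR ..."). Prints NO-PROGRAM-LINE if the directive
# is missing and NO-REPLY if the command produced no output (for example
# because a corrupted path could not be executed). Always exits 0 so it is
# safe inside $(...) under set -e.
# Note: squid 2.x URL-encodes the two fields before writing them to the
# helper; for plain alphanumeric values that is identical to sending them raw.
auth_reply() {
    conf=$1
    user=$2
    pass=$3
    cmd=$(sed -n 's/^auth_param[[:blank:]]\{1,\}basic[[:blank:]]\{1,\}program[[:blank:]]\{1,\}//p' "$conf" | head -n 1)
    [ -n "$cmd" ] || { echo NO-PROGRAM-LINE; return 0; }
    reply=$(printf '%s %s\n' "$user" "$pass" | sh -c "$cmd" 2>/dev/null | head -n 1)
    echo "${reply:-NO-REPLY}"
}

# Verify that the Safe_ports / SSL_ports denies precede the first general
# "http_access allow" (the "allow manager localhost" rule is ignored, as it
# sits before them in the stock squid.conf too). Exit 0 when the order is
# safe, 1 when an allow rule would let its clients bypass the port checks.
port_rules_precede_allow() {
    awk '
        /^http_access[ \t]+allow[ \t]/ && !/manager/ && !first_allow { first_allow = NR }
        /^http_access[ \t]+deny[ \t]+!Safe_ports/                { deny_ports = NR }
        /^http_access[ \t]+deny[ \t]+CONNECT[ \t]+!SSL_ports/    { deny_connect = NR }
        END {
            if (!first_allow) { print "no general http_access allow rule found"; exit 0 }
            if (deny_ports && deny_ports < first_allow && deny_connect && deny_connect < first_allow) {
                print "OK: port restrictions precede the first allow (line " first_allow ")"; exit 0
            }
            print "WARN: http_access allow at line " first_allow " precedes deny !Safe_ports / deny CONNECT !SSL_ports"
            exit 1
        }' "$1"
}

# Usage (assumed paths):  sh squidconf-check.sh /etc/squid/squid.conf AdminUser Passw
if [ $# -ge 1 ]; then
    find_nonprintable "$1" || echo "no non-printable bytes in $1"
    [ $# -ge 3 ] && echo "helper reply: $(auth_reply "$1" "$2" "$3")"
    port_rules_precede_allow "$1"
fi
```

Run find_nonprintable first; if it reports a line, hex_line on that line number shows which byte it is. auth_reply then proves whether squid's copy of the command line starts and answers OK for a known-good credential, which separates "helper broken" from "config line broken" without touching the browser.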
