
Webproxy with LDAP authentication doesn't start
Closed, Resolved / Public / BUG

Description

set service webproxy authentication children '5'
set service webproxy authentication credentials-ttl '60'
set service webproxy authentication ldap base-dn 'DC=rgtest,DC=local'
set service webproxy authentication ldap bind-dn 'CN=administrator,OU=Users,DC=rgtest,DC=local'
set service webproxy authentication ldap password 'xxxxx'
set service webproxy authentication ldap port '389'
set service webproxy authentication ldap server '192.168.188.201'
set service webproxy authentication ldap use-ssl
set service webproxy authentication ldap username-attribute 'cn'
set service webproxy authentication ldap version '3'
set service webproxy authentication method 'ldap'
set service webproxy authentication realm 'VyOS Webproxy'
set service webproxy cache-size '100'
set service webproxy default-port '3128'
set service webproxy listen-address 192.168.188.103 disable-transparent
vyos@vyos# commit
[ service webproxy ]
Restarting squid3 (via systemctl): squid3.service
Job for squid3.service failed. See 'systemctl status squid3.service' and 'journalctl -xn' for details.
 failed!

journalctl:

May 06 21:11:10 vyos squid3[2245]: FATAL ERROR: auth_param basic program /usr/lib/squid3/squid_ldap_auth: (2) No such file or directory ... failed!

Manually change to /usr/lib/squid3/basic_ldap_auth in /etc/squid3/squid.conf and

vyos@vyos:$ restart webproxy
[ ok ] Restarting squid3 (via systemctl): squid3.service.

I don't know if basic_ldap_auth is the correct file; there are others with ldap, I just tried it first.
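The failure above is a missing helper binary referenced from the generated squid.conf (`auth_param basic program /usr/lib/squid3/squid_ldap_auth`), which squid only reports at start-up. The following added example (not VyOS's vyatta-update-webproxy.pl and not squid code) is a pre-flight check a practitioner could run before `restart webproxy`: it parses every `auth_param <scheme> program <path> [args]` line, verifies that the helper exists, and, for the one rename documented on this page (`squid_ldap_auth` to `basic_ldap_auth`), proposes and applies the corrected path. The squid.conf fragment, the `KNOWN_RENAMES` table and the `exists` callback are assumptions made for the example; the helper options (`-v`, `-b`, `-D`, `-w`, `-f`, `-h`) mirror the basic_ldap_auth command line but are a constructed sample, not the file VyOS generates.

```python
"""Pre-flight check: do the auth helpers named in squid.conf exist?

Added example; not VyOS or squid project code.
"""
import os
import re
import shlex
import sys
from typing import Callable, List, Optional, Tuple

# Assumption: legacy helper name -> current helper name. The page documents
# only the ldap helper; extend the table if you know of other renames.
KNOWN_RENAMES = {
    "squid_ldap_auth": "basic_ldap_auth",
}

# auth_param <scheme> program <helper> [helper args...]
AUTH_PROGRAM_RE = re.compile(r"^\s*auth_param\s+(\S+)\s+program\s+(.+?)\s*$")

# Constructed squid.conf fragment modelled on the VyOS-generated one.
SAMPLE_CONF = """\
# constructed sample, not a real VyOS-generated squid.conf
auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b "DC=rgtest,DC=local" -D "CN=proxyuser,CN=Users,DC=rgtest,DC=local" -w "xxxxx" -f "(cn=%s)" -h 192.168.188.201
auth_param basic children 5
auth_param basic realm VyOS Webproxy
acl auth proxy_auth REQUIRED
http_access allow auth
"""

Finding = Tuple[str, str, str, Optional[str]]  # (scheme, path, status, suggestion)


def auth_helpers(conf_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (scheme, helper_path, args) for every 'auth_param ... program' line."""
    helpers = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):  # whole-line comment
            continue
        m = AUTH_PROGRAM_RE.match(line)
        if not m:
            continue
        scheme, rest = m.group(1), m.group(2)
        parts = shlex.split(rest)  # honours the quoted DN / filter arguments
        if parts:
            helpers.append((scheme, parts[0], parts[1:]))
    return helpers


def check_helpers(conf_text: str,
                  exists: Callable[[str], bool] = os.path.isfile) -> List[Finding]:
    """One finding per helper; a missing helper gets a suggestion when a
    known rename exists in the same directory."""
    findings: List[Finding] = []
    for scheme, path, _args in auth_helpers(conf_text):
        if exists(path):
            findings.append((scheme, path, "ok", None))
            continue
        suggestion = None
        new_name = KNOWN_RENAMES.get(os.path.basename(path))
        if new_name:
            candidate = os.path.join(os.path.dirname(path), new_name)
            if exists(candidate):
                suggestion = candidate
        findings.append((scheme, path, "missing", suggestion))
    return findings


def rewrite_helper_paths(conf_text: str, findings: List[Finding]) -> str:
    """Apply the suggested paths, touching only 'auth_param ... program' lines
    so the helper arguments (DNs, filter, password) stay untouched."""
    replacements = {old: new for _s, old, status, new in findings
                    if status == "missing" and new}
    out = []
    for line in conf_text.splitlines(keepends=True):
        if AUTH_PROGRAM_RE.match(line.rstrip("\r\n")):
            for old, new in replacements.items():
                line = line.replace(old, new, 1)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    # Default path is the one from the bug report; pass another as argv[1].
    conf_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/squid3/squid.conf"
    with open(conf_path, encoding="utf-8") as fh:
        text = fh.read()
    for scheme, path, status, suggestion in check_helpers(text):
        # Helper args are deliberately not printed: they carry the bind password.
        print(f"{scheme}: {path}: {status}"
              + (f" (try {suggestion})" if suggestion else ""))
```

Running it against the reported configuration on a 1.2.1 box would flag `/usr/lib/squid3/squid_ldap_auth` as missing and point at `basic_ldap_auth`, which is exactly the manual edit applied above; the fix is then a one-line rewrite rather than a failed restart plus a journalctl hunt.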

Details

Difficulty level
Easy (less than an hour)
Version
1.2.1
Why the issue appeared?
Issues in third-party code

Event Timeline

rob created this task. May 6 2019, 9:26 PM
rob updated the task description.
c-po added a subscriber: c-po. May 7 2019, 3:57 PM

Does it work as expected?

rob added a comment. May 7 2019, 4:30 PM

Yesterday I gave up with it, I will try it again later and report it here.

c-po added a comment. May 7 2019, 4:43 PM

Once you verify if the module works I'm happy to fix it.

c-po claimed this task. May 7 2019, 4:44 PM
c-po added a project: VyOS 1.3 Equuleus.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Issues in third-party code.
rob added a comment. May 7 2019, 6:29 PM

This config worked as expected with Microsoft AD.

vyos@vyos# show service webproxy
 authentication {
     children 5
     credentials-ttl 60
     ldap {
         base-dn DC=rgtest,DC=local
         bind-dn CN=proxyuser,CN=Users,DC=rgtest,DC=local
         filter-expression (cn=%s)
         password Qwert1234
         server 192.168.188.201
         username-attribute cn
     }
     method ldap
     realm "VyOS Webproxy"
 }
 cache-size 100
 default-port 3128
 listen-address 192.168.188.103 {
     disable-transparent
 }

The next thing is, the whitelist (dst and src) feature doesn't work either. Entries don't have any effect on authentication. Is this handled via acl in squid.conf? Because when I change the whitelist part, a commit doesn't change the acl part in the squid.conf file. Or do I misunderstand this feature?

https://vyos.readthedocs.io/en/latest/services/webproxy.html#bypassing-the-webproxy

c-po added a comment (edited). May 8 2019, 6:20 AM

So you used /usr/lib/squid3/basic_ldap_auth? Then I'm going to correct the scripts.

I think the whitelist and blacklist feature was implemented recently, could you check Phabricator please?

rob added a comment. May 8 2019, 5:57 PM

Changing squid_ldap_auth to basic_ldap_auth should be enough to fix the ldap part.

The whitelist feature was implemented here: T1060
It configures a NAT rule on hardcoded tcp/80, so only http traffic can bypass squid, and it worked only in transparent mode. That was not my first mention about the whitelist feature.
I thought rather that it excludes targets or sources from authorization to allow anonymous traffic over the proxy.

Anyway, I don't know if it is worth working on the whitelist part (e.g. adding tcp/443) as well, when I read T1090.

c-po moved this task from Need Triage to VyOS 1.2.2 on the VyOS 1.2 Crux board. May 8 2019, 6:37 PM
c-po edited projects, added VyOS 1.2 Crux (VyOS 1.2.2); removed VyOS 1.2 Crux.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.

Please test with the next rolling release if this problem is fixed, so we can close this issue if this is OK for you. Whitelist issues should be separate ones. Thanks for assistance.

pasik added a subscriber: pasik. May 9 2019, 9:07 PM
rob added a comment. May 11 2019, 3:25 PM

Test with 1.2.0-rolling+201905110337

The error is still there; your commit is not in the script file under /opt/vyatta/sbin/vyatta-update-webproxy.pl

Are there still build issues?

c-po added a comment. May 11 2019, 4:55 PM

Unfortunately a build of vyatta-webproxy was not triggered on push to GitHub. Next rolling will have it!

rob added a comment. May 12 2019, 9:45 AM

Test with latest vyos-1.2.0-rolling+201905120337-amd64.iso: success.
Thank you.

c-po closed this task as Resolved. May 12 2019, 10:23 AM