Page MenuHomeVyOS Platform

Webproxy with ldap authentication don't start
Closed, ResolvedPublicBUG

Description

set service webproxy authentication children '5'
set service webproxy authentication credentials-ttl '60'
set service webproxy authentication ldap base-dn 'DC=rgtest,DC=local'
set service webproxy authentication ldap bind-dn 'CN=administrator,OU=Users,DC=rgtest,DC=local'
set service webproxy authentication ldap password 'xxxxx
set service webproxy authentication ldap port '389'
set service webproxy authentication ldap server '192.168.188.201'
set service webproxy authentication ldap use-ssl
set service webproxy authentication ldap username-attribute 'cn'
set service webproxy authentication ldap version '3'
set service webproxy authentication method 'ldap'
set service webproxy authentication realm 'VyOS Webproxy'
set service webproxy cache-size '100'
set service webproxy default-port '3128'
set service webproxy listen-address 192.168.188.103 disable-transparent
[email protected]# commit
[ service webproxy ]
Restarting squid3 (via systemctl): squid3.service
Job for squid3.service failed. See 'systemctl status squid3.service' and 'journalctl -xn' for details.
 failed!

journalctl:

May 06 21:11:10 vyos squid3[2245]: FATAL ERROR: auth_param basic program /usr/lib/squid3/squid_ldap_auth: (2) No such file or directory ... failed!

manually change to /usr/lib/squid3/basic_ldap_auth in /etc/squid3/squid.conf and

[email protected]:$ restart webproxy
[ ok ] Restarting squid3 (via systemctl): squid3.service.

i don't know if basic_ldap_auth is the correct file, there are others with ldap, i just tryed it first.

Details

Difficulty level
Easy (less than an hour)
Version
1.2.1
Why the issue appeared?
Issues in third-party code

Event Timeline

rob updated the task description. (Show Details)

Does it work as expected?

yesterday i give up with it, i will try it again later and report it here.

Once you verify if the module works I‘m happy to fix it.

c-po added a project: VyOS 1.3 Equuleus.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Issues in third-party code.

this config worked as expected with Microsoft AD.

[email protected]# show service webproxy
 authentication {
     children 5
     credentials-ttl 60
     ldap {
         base-dn DC=rgtest,DC=local
         bind-dn CN=proxyuser,CN=Users,DC=rgtest,DC=local
         filter-expression (cn=%s)
         password Qwert1234
         server 192.168.188.201
         username-attribute cn
     }
     method ldap
     realm "VyOS Webproxy"
 }
 cache-size 100
 default-port 3128
 listen-address 192.168.188.103 {
     disable-transparent
 }

The next thing is, the whitelist (dst and src) feature don't work either. Entries don't have effect on authentication. Is this handled via acl in squid.conf? Because when i change the whitelist part a commit don't change the acl part in the squid.conf file. Or I misunderstand this feature?

https://vyos.readthedocs.io/en/latest/services/webproxy.html#bypassing-the-webproxy

So you used /usr/lib/squid3/basic_ldap_auth? Then I‘m going to correct the scripts

I think the whitelist and blacklist feature was implemented recently, could you check Phabricator please?

Changing squid_ldap_auth to basic_ldap_auth should be enough to fix the ldap part.

The Whitelist feature was implemented here: T1060
It configure a NAT Rule on hardcoded tcp/80 so only http traffic can bypass squid and worked only in transparent mode. That was not my first mention about the whitelist feature.
I thought rather that it exclude targets or sources from authorization to allow anonymous traffic over the proxy.

Anyway, i don't know if is it worth to work on the whitelist part (e.g. add tcp/443) as well, when i read T1090

c-po edited projects, added VyOS 1.2 Crux (VyOS 1.2.2); removed VyOS 1.2 Crux.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.

Please test with next rolling release if this problem is fixed so we can close this issue if this is ok for you. Whitlist issues should be separate ones. Thanks for assistance.

Test with 1.2.0-rolling+201905110337

the error is still there, your commit is not in the script file under /opt/vyatta/sbin/vyatta-update-webproxy.pl

are there still build issues?

Unfortunately a build of vyatta-webproxy was not triggered on push to GitHub. Next rolling will have it!

Test with latest vyos-1.2.0-rolling+201905120337-amd64.iso success.
Thank you.