When connecting OpenLDAP there is no "filter" field to find the necessary users. By what principle does the LDAP setting in IPFire understand where and by what attributes it should search for users? Can anyone help me, please?

Could you give some more information on what you are trying to use LDAP for?

Is it for the LDAP Authentication option on the Web Proxy or for the LDAP authentication of users for OpenVPN or for…?

Hello! I'm trying to use LDAP to authenticate users via the web proxy. The web proxy can't understand what to look for or where to look.

Okay, go to the bottom of the Web Proxy WUI (Web User Interface) page and select the button labelled LDAP and then press the save button.

Ignore any error messages at the top at this stage, as you have not yet filled out any of the LDAP options required.

Then go back to the bottom of the Web Proxy WUI page and follow the information in the IPFire documentation on LDAP Authentication for what is required where.

https://www.ipfire.org/docs/configuration/network/proxy/wui_conf/auth

https://www.ipfire.org/docs/configuration/network/proxy/wui_conf/auth/ldap

The communication to the LDAP server is done via the squid Web Proxy using the squid_ldap_auth (Squid LDAP authentication) helper.

The following link gives some information from the Squid documentation about how they do the LDAP Authentication.

https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap

The IPFire code in the proxy.cgi file provides the required information. Most of this comes from the WUI page entries.

The User and Password are dealt with by the following code in the proxy.cgi file:

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=html/cgi-bin/proxy.cgi;hb=61105fd16e5edc8c15641a4971da9a565052c427#l3320

I don’t use and have never used LDAP authentication, in IPFire or in any other computer system so I can’t help you with the details.

The above code is putting the appropriate lines into the /var/ipfire/proxy/squid.conf file. So you can check those entries and compare them with what the squid documentation is mentioning.

The code puts in some -f, -u and -P entries and the user is from the sAMAccountName variable, which I would expect comes from Squid itself when the authentication is done in the browser.

I am assuming that the above code includes the filter info for Squid to use when it is contacting the LDAP server but that is only a guess on my part.

I think we need to see if there are other forum users that are using LDAP authentication with the Squid Web Proxy and can help you further to figure out what is failing in your setup.

Thank you, Adolf. I reviewed your recommendations and realized that the issue is in the proxy.cgi file. This file contains important lines that define the LDAP filter. By default, it is set to person.

Whenever I restart my proxy via the web interface, the filter resets back to person. I modified the Squid configuration file and changed the filter from person to inetOrgPerson, then restarted Squid manually, and it worked. However, as soon as I restart the proxy through the web interface, the filter resets again to person.

Can I edit the proxy.cgi file to set my own default filters so that even when I restart via the web interface, my filters remain unchanged? Specifically, I need to replace person with inetOrgPerson in the filter (&(objectClass=person)).

How can I modify proxy.cgi to achieve this? Can I use nano?

To do that you would need to rewrite the proxy.cgi code to work with inetOrgPerson. Nano can be used for doing that change.

However, if you modify the proxy.cgi code, then when a Core Update is carried out and the squid package and/or the proxy.cgi code is updated, all your changes would be overwritten and you would have to redo them again.

Searching on person vs inetOrgPerson I have found that these are structural object classes from ldap and inetOrgPerson is a descendant of person.

As you are the first user to highlight this issue it is likely that other IPFire users that have ldap authentication of the web proxy are using the person object class in their ldap servers or potentially have both.

If you have the ability and time you could always submit a patch for the proxy.cgi code to allow selection of the filter on the WUI page. The existing person option has to stay in place and be the default so that any existing users of ldap authentication on their web proxy don’t suddenly have their systems broken.

https://www.ipfire.org/docs/devel/submit-patches

The only other option, if you aren’t able to supply a patch, is to raise a bug about the fact that inetOrgPerson is not supported.

https://www.ipfire.org/docs/devel/bugzilla

Your IPFire People email address and password act as your logon credentials for the IPFire Bugzilla.

As the IPFire team is quite small and heavily loaded, any fix for the bug might take some time for someone to be able to work on it.

There are 418 open bugs at the moment. These also include infrastructure bugs with things such as the web site, mailing system, mirrors, builders etc.
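The filter mechanics discussed in the two posts above (the -f template in which the login name is substituted, and a template hard-wired to objectClass=person versus one using inetOrgPerson), as an added example that is not code from IPFire or from Squid. It assumes a template of the same shape as the one quoted in this thread, `(&(objectClass=person)(sAMAccountName=%s))`, and evaluates filters against a constructed in-memory list of entries rather than a live directory. The escaping applied to the username is the RFC 4515 rule; whether the real helper escapes the name itself, and whether a real server treats `(objectClass=person)` as matching an entry that only lists inetOrgPerson, are things this example does not model (the evaluator here matches objectClass values literally), so check both against your own setup.

```python
"""Show how a Squid-style LDAP filter template turns a login name into a
search filter, why the login name must be escaped (RFC 4515), and why a
template fixed to objectClass=person can miss entries that only list
inetOrgPerson.

Added example for this thread; not IPFire or Squid code.  The directory is
a constructed in-memory list, not a live LDAP server.
"""
import re

# Template shape assumed from the thread: the "-f" template with %s for the user.
DEFAULT_TEMPLATE = "(&(objectClass=person)(sAMAccountName=%s))"
INETORG_TEMPLATE = "(&(objectClass=inetOrgPerson)(sAMAccountName=%s))"

# Constructed sample entries (assumption: a small mixed directory).
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=org",
     "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
     "sAMAccountName": ["alice"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=org",
     "objectClass": ["top", "inetOrgPerson"],      # superclasses not listed
     "sAMAccountName": ["bob"]},
    {"dn": "uid=svc,ou=people,dc=example,dc=org",
     "objectClass": ["top", "person"],
     "sAMAccountName": ["svc"]},
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(username: str, template: str = DEFAULT_TEMPLATE, escape: bool = True) -> str:
    """Substitute the login name into the template; escape=False shows the injection risk."""
    return template.replace("%s", escape_filter_value(username) if escape else username)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Parse one filter starting at s[i] == '('; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    if s[i + 1] in "&|":
        op, i, children = s[i + 1], i + 2, []
        while s[i] != ")":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), i + 1
    if s[i + 1] == "!":
        child, i = _parse(s, i + 2)
        if s[i] != ")":
            raise ValueError("unterminated '!' at %d" % i)
        return ("!", [child]), i + 1
    j = s.index(")", i)                      # a literal ')' in a value is escaped as \29
    attr, _, raw = s[i + 1:j].partition("=")
    # Split on unescaped '*' first so an escaped \2a stays a literal asterisk.
    return ("=", attr, [_unescape(p) for p in raw.split("*")]), j + 1


def parse_filter(f: str):
    node, end = _parse(f, 0)
    if end != len(f):
        raise ValueError("trailing data in filter")
    return node


def _value_matches(pieces, v: str) -> bool:
    if len(pieces) == 1:                     # plain equality, case-insensitive
        return v.lower() == pieces[0].lower()
    pattern = ".*".join(re.escape(p) for p in pieces)   # substring/wildcard
    return re.fullmatch(pattern, v, re.IGNORECASE) is not None


def matches(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pieces = node
    for k, values in entry.items():
        if k != "dn" and k.lower() == attr.lower():
            return any(_value_matches(pieces, v) for v in values)
    return False


def find_users(username, entries=SAMPLE_ENTRIES, template=DEFAULT_TEMPLATE, escape=True):
    """DNs the helper's search would return for this login name and template."""
    node = parse_filter(build_filter(username, template, escape))
    return [e["dn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    print(build_filter("alice"))
    print(find_users("bob"))                              # person template: bob not found
    print(find_users("bob", template=INETORG_TEMPLATE))   # inetOrgPerson template: found
    print(find_users("*)(sAMAccountName=*", escape=False))  # what an unescaped name does
```

The last call is the reason the login name has to be escaped before it is substituted into the -f template: without escaping, a crafted "username" rewrites the filter and matches every person entry instead of one account.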

Thank you, Adolf. If I change the lines from person to inetOrgPerson in the proxy.cgi file and restart, will my changes in proxy.cgi be preserved? So, to ensure that the proxy.cgi settings are retained, I shouldn’t update the Squid packages or IPFire itself. Did I understand you correctly?

16:37

That is correct but then your IPFire would get out of date and could have security weaknesses left in it. Not a good thing for a firewall.

Probably. I don’t know all the places in the code where things could be modified but I would expect it should be okay. You will have to try it and see.

I got you sir. Thanks