Squid Proxy with ldap Authentication

So I was able to make this work:

1) scp the root cert to pfSense (I sent it to /opt/ca.pem)

2) Edit the squid.inc file and add the -ZZ option to the command (note: this option requires LDAP version 3). The -ZZ option specifies to use StartTLS.

File: /usr/local/pkg/squid.inc (search the file for the appropriate line)

From ->
<pre><code>$conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
</code></pre>

To ->
<pre><code>$conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -ZZ -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
</code></pre>

3) Edit squid.conf with the same option:

File: /usr/pbi/squid-amd64/local/etc/squid/squid.conf (search the file for the appropriate line)

From ->
<pre><code>auth_param basic program /usr/pbi/squid-amd64/local/libexec/squid/basic_ldap_auth -v 3 -b ou=People,dc=example,dc=com -D cn=nssproxy,ou=Services,dc=example,dc=com -w passHere -f "(&(objectClass=person)(uid=%s))" -u uid -P ldap.example.com:389
</code></pre>

To ->
<pre><code>auth_param basic program /usr/pbi/squid-amd64/local/libexec/squid/basic_ldap_auth -ZZ -v 3 -b ou=People,dc=example,dc=com -D cn=nssproxy,ou=Services,dc=example,dc=com -w passHere -f "(&(objectClass=person)(uid=%s))" -u uid -P ldap.example.com:389
</code></pre>

4) Edit the ldap.conf file to point to ca.pem, like:

File: /usr/pbi/squid-amd64/local/etc/openldap/ldap.conf
<pre><code>#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI     ldap://ldap.example.com ldap://ldap-master.example.com:666

SIZELIMIT       12
TIMELIMIT       15
DEREF           never

TLS_CACERT      /opt/ca.pem
TLS_REQCERT     allow
</code></pre>

With all this being said, my concern is that these changes will be overwritten at some point due to an update, reboot, restart, etc. What is the preferred method for adding changes/options that are not directly supported via the GUI?

If at all possible I would prefer to do this via the GUI (still hoping I missed the option). I would like to stay away from hacks/customizations as much as possible.

/r/PFSENSE Thread
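As an added example (not code from the post or from the pfSense squid package), the following stdlib-only Python script checks what the two edited files above actually guarantee about the proxy's LDAP bind: it parses the `auth_param basic program` line from squid.conf and the active directives of ldap.conf, then reports whether StartTLS is required (`-ZZ` rather than `-Z` or nothing), whether the server certificate is verified (`TLS_REQCERT demand`/`hard`; `allow` lets the session continue even when the certificate cannot be validated), and whether the bind password is passed on the helper's command line (`-w`) rather than read from a file (`-W`). The two sample configs are constructed from the values shown in the post; the function names and the `/opt/ca.pem` path are the post's, everything else is an assumption of this example.

```python
"""
Added example: audit the transport protection of Squid's basic_ldap_auth bind.
Not part of the original post or the pfSense squid package.
"""
import shlex

# Constructed sample mirroring the post's "To ->" squid.conf line.
SQUID_CONF = """
http_port 3128
auth_param basic program /usr/pbi/squid-amd64/local/libexec/squid/basic_ldap_auth -ZZ -v 3 -b ou=People,dc=example,dc=com -D cn=nssproxy,ou=Services,dc=example,dc=com -w passHere -f "(&(objectClass=person)(uid=%s))" -u uid -P ldap.example.com:389
auth_param basic children 5
"""

# Constructed sample mirroring the post's ldap.conf additions.
LDAP_CONF = """
#
# LDAP Defaults
#
#BASE   dc=example,dc=com
TLS_CACERT      /opt/ca.pem
TLS_REQCERT     allow
"""


def parse_basic_ldap_auth(squid_conf):
    """Return the argv (program + options) of the basic_ldap_auth helper, or None."""
    for line in squid_conf.splitlines():
        line = line.strip()
        if not line.startswith("auth_param basic program"):
            continue
        argv = shlex.split(line)[3:]  # drop the 'auth_param basic program' tokens
        if argv and argv[0].endswith("basic_ldap_auth"):
            return argv
    return None


def parse_ldap_conf(ldap_conf):
    """Return the active (uncommented) ldap.conf directives, keys upper-cased."""
    directives = {}
    for line in ldap_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].upper()] = parts[1].strip()
    return directives


def assess(squid_conf, ldap_conf):
    """Summarise whether the LDAP bind is protected by StartTLS with cert verification."""
    argv = parse_basic_ldap_auth(squid_conf)
    findings = {"helper_found": argv is not None}
    if argv is None:
        return findings
    ldap = parse_ldap_conf(ldap_conf)

    # -ZZ: StartTLS is mandatory, the helper fails if it cannot be negotiated.
    # -Z:  StartTLS is attempted, but the bind proceeds in clear text on failure.
    if "-ZZ" in argv:
        findings["starttls"] = "required"
    elif "-Z" in argv:
        findings["starttls"] = "optional"
    else:
        findings["starttls"] = "none"

    # -w puts the bind password into the helper's argv; -W reads it from a file.
    findings["password_on_cmdline"] = "-w" in argv

    # OpenLDAP's default for TLS_REQCERT is 'demand'; only demand/hard reject a bad cert.
    reqcert = ldap.get("TLS_REQCERT", "demand").lower()
    findings["tls_reqcert"] = reqcert
    findings["cert_verified"] = reqcert in ("demand", "hard")
    findings["cacert"] = ldap.get("TLS_CACERT")

    findings["bind_protected"] = (
        findings["starttls"] == "required" and findings["cert_verified"]
    )
    return findings


if __name__ == "__main__":
    for key, value in assess(SQUID_CONF, LDAP_CONF).items():
        print(f"{key}: {value}")
```

Run against the post's configuration the script reports `starttls: required` but `cert_verified: False`, because `TLS_REQCERT allow` tolerates an unverifiable certificate; changing that directive to `demand` (with `TLS_CACERT` pointing at the copied CA) is what makes `bind_protected` true.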