Configure Squid Proxy OpenLDAP Authentication on pfSense


Welcome to our tutorial on how to configure Squid Proxy OpenLDAP authentication on pfSense. Squid Proxy supports several authentication methods, one of them being the Lightweight Directory Access Protocol (LDAP). Squid proxy authentication ensures that only authenticated users can access the Internet, which makes it a way of controlling Internet access per user.

In our previous guide, we provided a step-by-step tutorial on how to install and set up Squid Proxy on pfSense. Below is the link;

Install and Setup Squid Proxy on pfSense

Configuring Squid Proxy OpenLDAP Authentication on pfSense

We assume that you have already installed and set up Squid on pfSense. If not, follow the link above to set it up.

We also assume that you have an OpenLDAP server up and running. In our case, we are using an OpenLDAP server running on a CentOS 8 system;

Install and Setup OpenLDAP on CentOS 8

Configure Squid OpenLDAP Authentication Settings

To begin with, log in to the pfSense web interface and navigate to Services > Squid Proxy Server.

Click the Authentication tab. This is where you define your Squid Proxy authentication mechanisms and settings.

Define Squid Authentication General Settings

On the Squid Authentication General Settings section;

  • Select an authentication method; choose LDAP in this case.
  • Enter the IP address or hostname of your OpenLDAP server.
  • Enter the port to use to connect to your LDAP server. We choose port 389 for our server.
  • Set your preferred string that will be displayed at the top of the proxy authentication request window.
  • For authentication processes and TTL, we go with the defaults.
  • Enable Squid proxy authentication for unrestricted IPs.
  • If you have any subnets to exclude from Squid authentication, specify them.

Define Squid Authentication LDAP Settings

In this section, you need to define your OpenLDAP authentication details.

  • Set the LDAP version, which in our case is version 3.
  • Choose the mode of communication. In our setup, OpenLDAP is configured with TLS support, hence STARTTLS.
  • Set your LDAP bind user DN and the password used for searching the LDAP directory within the defined search base.
  • Set your OpenLDAP base domain.
  • Enter the LDAP username DN attribute. We use uid in our setup.
  • Set your LDAP search filter.

Click Save once you are done with the configuration.

Import OpenLDAP CA Certificate on pfSense

Note that we chose STARTTLS as our transport method. As such, we need to install the CA certificate of the LDAP server so that the connection is trusted.

Therefore, log in to the pfSense console via SSH. Replace pfsense-IP with the IP address of your pfSense server;

ssh root@pfsense-IP

Download the LDAP CA certificate using the OpenSSL command below. Replace the IP address accordingly.

openssl s_client -connect 192.168.57.19:636 -showcerts < /dev/null | openssl x509 -text | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Copy the certificate part;

-----BEGIN CERTIFICATE-----
MIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL
...
...
Igf9K1e9M0Q+j2XEsTeCYVU/v0Jt0kER0+V/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp
ARWZ
-----END CERTIFICATE-----

Put the certificate in a file and store it in a convenient location, eg, /usr/local/etc/ssl/.

vi /usr/local/etc/ssl/cacert.pem

Paste the certificate above into the file;

-----BEGIN CERTIFICATE-----
MIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL
...
...
Igf9K1e9M0Q+j2XEsTeCYVU/v0Jt0kER0+V/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp
ARWZ
-----END CERTIFICATE-----
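When the LDAP server presents a chain rather than a single self-signed certificate, piping the s_client output through openssl x509 keeps only the first certificate, which is the server's own certificate rather than the CA's. The following Python script is an added example, not part of the original tutorial: it splits the -showcerts output into its individual PEM blocks, checks that each one is well-formed, and picks the last block (the highest issuer the server sent) as the certificate to save as cacert.pem. The s_client output and the certificate bodies are constructed placeholders, not real certificates; the host, port and output path are assumptions passed on the command line.

```python
import re
import ssl
import subprocess
import sys

# Constructed sample of "openssl s_client -showcerts" output with a two
# certificate chain: the server certificate first, its issuing CA second.
# The base64 bodies are placeholders (they decode to the ASCII strings
# "SERVER" and "CACERT"), not real certificates.
SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldap.example.com
   i:CN = Example LDAP CA
-----BEGIN CERTIFICATE-----
U0VSVkVS
-----END CERTIFICATE-----
 1 s:CN = Example LDAP CA
   i:CN = Example LDAP CA
-----BEGIN CERTIFICATE-----
Q0FDRVJU
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.com
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem):
    """Decode one PEM block; raises ValueError if the block is malformed."""
    return ssl.PEM_cert_to_DER_cert(pem)


def extract_pem_blocks(text):
    """Return every PEM certificate in the s_client output, in the order the
    server sent them (index 0 is the server's own certificate)."""
    blocks = [m.group(0) for m in PEM_BLOCK.finditer(text)]
    # Reject anything that does not decode; this catches a block that was
    # truncated when copied from a terminal.
    for pem in blocks:
        pem_to_der(pem)
    return blocks


def select_ca_certificate(text):
    """Pick the certificate to trust as TLS_CACERT: the last one in the chain
    the server sent. For a self-signed server certificate that is the only
    block; otherwise it is the highest issuer the server included."""
    blocks = extract_pem_blocks(text)
    if not blocks:
        raise ValueError("no certificate found in s_client output")
    return blocks[-1]


def fetch_showcerts(host, port):
    """Run the same s_client command as the tutorial and return its output.
    Standard input is closed immediately (as with < /dev/null) so s_client
    exits after printing the chain."""
    result = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"],
        input=b"", capture_output=True, check=False,
    )
    return result.stdout.decode("utf-8", "replace")


def write_cacert(pem, path):
    """Write the chosen certificate as a PEM file with a trailing newline."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(pem.strip() + "\n")


if __name__ == "__main__":
    # Usage: python3 pick_ca.py <ldap-host> <port> /usr/local/etc/ssl/cacert.pem
    # Without arguments the constructed sample is used instead of a live server.
    if len(sys.argv) == 4:
        output, dest = fetch_showcerts(sys.argv[1], sys.argv[2]), sys.argv[3]
    else:
        output, dest = SAMPLE_SHOWCERTS, "cacert.pem"
    chain = extract_pem_blocks(output)
    print(f"server sent {len(chain)} certificate(s); writing the last one to {dest}")
    write_cacert(select_ca_certificate(output), dest)
```

Servers often send only the intermediates and omit the root. After saving the file, run openssl x509 -in cacert.pem -noout -subject -issuer; if subject and issuer differ, the saved certificate is not a root and you should obtain the actual CA certificate from the LDAP administrator so that verification chains to a trusted anchor.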

Next, open the /usr/local/etc/openldap/ldap.conf file and insert the lines below, so that the LDAP client library used by the Squid authentication helper trusts the CA certificate you just saved.

vi /usr/local/etc/openldap/ldap.conf
TLS_CACERT /usr/local/etc/ssl/cacert.pem
TLS_REQCERT allow

Save and exit the file. Note that TLS_REQCERT allow lets the client proceed even when the server certificate cannot be verified against TLS_CACERT; the OpenLDAP default, demand, aborts the connection instead, which is the stricter choice once you have confirmed the CA certificate is the right one.

Testing Squid Proxy OpenLDAP Authentication on Browser

To test our Squid Proxy OpenLDAP authentication in a browser, we will use Firefox. Learn how to configure a proxy in Firefox by checking the link below.

How to Configure Proxy Settings on Firefox Browser

Once you set up the proxy and try to browse the Internet, you will be prompted to authenticate.

Enter your LDAP credentials and proceed to browse the Internet.

You can tail the Squid logs as well as the LDAP logs to check what is going on.

tail -f /var/squid/logs/access.log

You can also check the Squid logs from the pfSense web interface in real time by navigating to Services > Squid Proxy Server > Real Time.

Similarly, check your LDAP logs on the OpenLDAP server;

tail -f /var/log/slapd.log
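Tailing access.log shows the raw lines, but what you usually want to know is which clients are authenticating successfully and which keep getting challenged. The script below is an added example, not part of the original tutorial or of Squid: it parses lines in Squid's native access.log format (timestamp, elapsed time, client, result/status, bytes, method, URL, user, hierarchy, content type) and reports, per client, the number of 407 challenges and the users that authenticated. The log lines are constructed samples; the addresses and the users alice and bob are made up.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format. Client
# addresses, peer addresses and user names are made up for the example.
SAMPLE_ACCESS_LOG = """\
1700000000.101    312 192.168.57.10 TCP_DENIED/407 3990 GET http://example.com/ - HIER_NONE/- text/html
1700000000.845   1204 192.168.57.10 TCP_MISS/200 15321 GET http://example.com/ alice HIER_DIRECT/198.51.100.7 text/html
1700000001.203    298 192.168.57.11 TCP_DENIED/407 3990 GET http://example.org/ - HIER_NONE/- text/html
1700000002.510    305 192.168.57.11 TCP_DENIED/407 3990 GET http://example.org/ - HIER_NONE/- text/html
1700000003.777    301 192.168.57.11 TCP_DENIED/407 3990 GET http://example.org/ - HIER_NONE/- text/html
1700000004.002    290 192.168.57.11 TCP_DENIED/407 3990 GET http://example.org/ - HIER_NONE/- text/html
1700000005.333    820 192.168.57.12 TCP_TUNNEL/200 8841 CONNECT example.net:443 bob HIER_DIRECT/203.0.113.5 -
"""


def parse_line(line):
    """Split one native-format line into the fields we care about.
    Returns None for lines that do not have the expected ten columns."""
    fields = line.split()
    if len(fields) < 10:
        return None
    result, _, status = fields[3].partition("/")
    return {
        "time": float(fields[0]),
        "client": fields[2],
        "result": result,
        "status": int(status),
        "method": fields[5],
        "url": fields[6],
        # Squid logs "-" when the request carried no (valid) credentials.
        "user": None if fields[7] == "-" else fields[7],
    }


def summarize(lines):
    """Per client: total requests, 407 challenges, and the set of user names
    that Squid accepted (i.e. the LDAP bind succeeded)."""
    per_client = defaultdict(lambda: {"requests": 0, "challenges": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_client[rec["client"]]
        entry["requests"] += 1
        if rec["status"] == 407:
            entry["challenges"] += 1
        elif rec["user"]:
            entry["users"].add(rec["user"])
    return dict(per_client)


def clients_never_authenticated(summary, min_challenges=3):
    """Clients that were challenged at least min_challenges times and never
    produced an authenticated request: wrong credentials, a client with no
    proxy credentials configured, or someone guessing account names."""
    return sorted(
        client for client, entry in summary.items()
        if entry["challenges"] >= min_challenges and not entry["users"]
    )


if __name__ == "__main__":
    # Usage: python3 squid_auth_report.py < /var/squid/logs/access.log
    # Without input on stdin the constructed sample is used.
    import sys
    lines = sys.stdin.readlines() if not sys.stdin.isatty() else SAMPLE_ACCESS_LOG.splitlines()
    summary = summarize(lines)
    for client, entry in sorted(summary.items()):
        print(f"{client}: {entry['requests']} requests, {entry['challenges']} challenges, "
              f"users={sorted(entry['users']) or '-'}")
    print("never authenticated:", clients_never_authenticated(summary))
```

One 407 per client session is normal with Basic authentication, since the browser only sends credentials after being challenged; a run of 407s with no authenticated request from the same client is what to look into, and each failed attempt should line up with a failed bind in slapd.log on the OpenLDAP server.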

That is it on how to configure Squid Proxy OpenLDAP authentication on pfSense.

Related Tutorials

Monitor Squid logs with Grafana and Graylog

Create Squid Logs Extractors on Graylog Server

Monitor Squid Access Logs with Graylog Server

Setup Squid Proxy Authentication on Ubuntu 18.04/Fedora 29/28/CentOS 7

koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".
