{"id":6332,"date":"2020-07-05T01:26:26","date_gmt":"2020-07-04T22:26:26","guid":{"rendered":"https:\/\/kifarunix.com\/?p=6332"},"modified":"2024-03-14T22:14:27","modified_gmt":"2024-03-14T19:14:27","slug":"configure-squid-proxy-openldap-authentication-on-pfsense","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-squid-proxy-openldap-authentication-on-pfsense\/","title":{"rendered":"Configure Squid Proxy OpenLDAP Authentication on pfSense"},"content":{"rendered":"\n<p>Welcome to our tutorial on how to configure Squid Proxy OpenLDAP authentication on pfSense. Squid Proxy supports different types of authentication methods, one of them being the Lightweight Directory Access Protocol (LDAP). <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/wiki.squid-cache.org\/Features\/Authentication\" target=\"_blank\" rel=\"noreferrer noopener\">Squid proxy authentication<\/a> ensures that only authenticated users can access the Internet, as a way of controlling Internet access for individual users.<\/p>\n\n\n\n<p>In our previous guide, we provided a step-by-step tutorial on how to install and set up Squid Proxy on pfSense. Below is the link;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-squid-proxy-on-pfsense\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">Install and Setup Squid Proxy on pfSense<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configuring Squid Proxy OpenLDAP Authentication on pfSense<\/h2>\n\n\n\n<p>We assume that you have already installed and set up Squid on pfSense; if not, follow the link above to set it up.<\/p>\n\n\n\n<p>We also assume that you have an OpenLDAP server up and running. 
In our case, we are using an OpenLDAP server running on a CentOS 8 system;<\/p>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-setup-openldap-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup OpenLDAP on CentOS 8<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Squid OpenLDAP Authentication Settings<\/h3>\n\n\n\n<p>To begin with, log in to the pfSense web interface and navigate to <strong>Services &gt; Squid Proxy Server<\/strong>.<\/p>\n\n\n\n<p>Click the <strong>Authentication<\/strong> tab. This is where you define your Squid Proxy authentication mechanisms and settings.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Define Squid Authentication General Settings<\/h4>\n\n\n\n<p>In the Squid Authentication General Settings section;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Select an authentication method; choose <strong>LDAP<\/strong> in this case.<\/li>\n\n\n\n<li>Enter the IP address or hostname of your OpenLDAP server.<\/li>\n\n\n\n<li>Enter the port to use to connect to your LDAP server. 
We choose port <strong>389<\/strong> for our server.<\/li>\n\n\n\n<li>Set your preferred string that will be displayed at the top of the proxy authentication request window.<\/li>\n\n\n\n<li>For authentication processes and TTL, we go with the defaults.<\/li>\n\n\n\n<li>Enable Squid proxy Authentication for Unrestricted IPs.<\/li>\n\n\n\n<li>If you have any subnets to exclude from Squid authentication, specify them.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1265\" height=\"928\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/ldap-general-settings.png\" alt=\"Configure Squid Proxy OpenLDAP Authentication on pfSense\" class=\"wp-image-6334\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/ldap-general-settings.png?v=1593901256 1265w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/ldap-general-settings-768x563.png?v=1593901256 768w\" sizes=\"(max-width: 1265px) 100vw, 1265px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Define Squid Authentication LDAP Settings<\/h4>\n\n\n\n<p>In this section, you need to define your OpenLDAP authentication details.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set the LDAP version, which in our case is version 3.<\/li>\n\n\n\n<li>Choose the mode of communication. In our setup, OpenLDAP is configured with TLS support, hence STARTTLS.<\/li>\n\n\n\n<li>Set your LDAP bind\/user DN and the password used for searching the LDAP directory within the defined search base.<\/li>\n\n\n\n<li>Set your OpenLDAP base domain.<\/li>\n\n\n\n<li>Enter the LDAP username DN attribute. 
We use UID in our setup.<\/li>\n\n\n\n<li>Set your LDAP Search Filter.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1253\" height=\"829\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/ldap-settings.png\" alt=\"\" class=\"wp-image-6335\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/ldap-settings.png?v=1593901280 1253w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/ldap-settings-768x508.png?v=1593901280 768w\" sizes=\"(max-width: 1253px) 100vw, 1253px\" \/><\/figure>\n\n\n\n<p>Click <strong>Save<\/strong> once you are done with the configuration.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Import OpenLDAP CA Certificate on pfSense<\/h3>\n\n\n\n<p>Note that we chose STARTTLS as our transport method. As such, we need to install the CA certificate of the LDAP server so that pfSense can verify the connection.<\/p>\n\n\n\n<p>Therefore, log in to the pfSense console via SSH. Replace <strong>pfsense-IP<\/strong> with the IP address of your pfSense server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ssh root@pfsense-IP<\/code><\/pre>\n\n\n\n<p>Download the LDAP CA certificate using the OpenSSL command below. 
Replace the IP address accordingly. The command keeps only the first certificate the server presents; if that is a server certificate issued by a separate CA, save that CA's certificate instead.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl s_client -connect 192.168.57.19:636 -showcerts &lt; \/dev\/null | openssl x509 -text | sed -ne '\/-BEGIN CERTIFICATE-\/,\/-END CERTIFICATE-\/p'<\/code><\/pre>\n\n\n\n<p>Copy the certificate part;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>-----BEGIN CERTIFICATE-----\nMIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL\n...\n...\nIgf9K1e9M0Q+j2XEsTeCYVU\/v0Jt0kER0+V\/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp\nARWZ\n-----END CERTIFICATE-----<\/code><\/pre>\n\n\n\n<p>Put the certificate in a file and store it in a convenient location, e.g. <strong><code>\/usr\/local\/etc\/ssl\/<\/code><\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vi \/usr\/local\/etc\/ssl\/cacert.pem<\/code><\/pre>\n\n\n\n<p>Paste the certificate above into the file;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>-----BEGIN CERTIFICATE-----\nMIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL\n...\n...\nIgf9K1e9M0Q+j2XEsTeCYVU\/v0Jt0kER0+V\/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp\nARWZ\n-----END CERTIFICATE-----<\/code><\/pre>\n\n\n\n<p>Next, open the <code><strong>\/usr\/local\/etc\/openldap\/ldap.conf<\/strong><\/code> file and insert the lines below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vi \/usr\/local\/etc\/openldap\/ldap.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>TLS_CACERT <strong>\/usr\/local\/etc\/ssl\/cacert.pem<\/strong>\nTLS_REQCERT allow<\/code><\/pre>\n\n\n\n<p>Save and exit the file. Note that with the CA certificate installed, <code>TLS_REQCERT demand<\/code> would make the LDAP client reject a server certificate that fails verification, whereas <code>allow<\/code> lets the connection proceed even when the certificate cannot be verified.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Testing Squid Proxy OpenLDAP Authentication on Browser<\/h3>\n\n\n\n<p>To test our Squid Proxy OpenLDAP authentication in a browser, we will use Firefox. 
Learn how to configure a proxy in Firefox by checking the link below.<\/p>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-setup-squid-proxy-on-pfsense\/#firefoxproxysettings\" target=\"_blank\" rel=\"noreferrer noopener\">How to Configure Proxy Settings on Firefox Browser<\/a><\/p>\n\n\n\n<p>Once you set up the proxy and try to browse the Internet, you will be prompted to authenticate.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1285\" height=\"649\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/squid-auth-prompt.png\" alt=\"\" class=\"wp-image-6336\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/squid-auth-prompt.png?v=1593901321 1285w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/squid-auth-prompt-768x388.png?v=1593901321 768w\" sizes=\"(max-width: 1285px) 100vw, 1285px\" \/><\/figure>\n\n\n\n<p>Enter your LDAP credentials and proceed to surf the Internet.<\/p>\n\n\n\n<p>You can tail the Squid logs as well as the LDAP logs to check what is going on.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/squid\/logs\/access.log<\/code><\/pre>\n\n\n\n<p>You can also check Squid logs from the pfSense web interface in real time by navigating to <strong>Services &gt; Squid Proxy Server &gt; Real Time<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1265\" height=\"667\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/squid-monitor.png\" alt=\"\" class=\"wp-image-6340\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/squid-monitor.png?v=1593939097 1265w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/squid-monitor-768x405.png?v=1593939097 768w\" sizes=\"(max-width: 1265px) 100vw, 1265px\" \/><\/figure>\n\n\n\n<p>Similarly, check your LDAP server logs;<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\"><code>tail -f \/var\/log\/slapd.log<\/code><\/pre>\n\n\n\n<p>That is it on how to configure Squid Proxy OpenLDAP authentication on pfSense.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/monitor-squid-logs-with-grafana-and-graylog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Monitor Squid logs with Grafana and Graylog<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/create-squid-logs-extractors-on-graylog-server\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">Create Squid Logs Extractors on Graylog Server<\/a><\/p>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/monitor-squid-access-logs-with-graylog-server\/\" target=\"_blank\" rel=\"noreferrer noopener\">Monitor Squid Access Logs with Graylog Server<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-setup-squid-proxy-basic-authentication-with-username-and-password\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">Setup Squid Proxy Authentication on Ubuntu 18.04\/Fedora 29\/28\/CentOS 7<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to our tutorial on how to configure Squid Proxy OpenLDAP authentication on pfSense. 
Squid Proxy supports different types of authentication method, one of them<\/p>\n","protected":false},"author":1,"featured_media":10750,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,250,34],"tags":[1756,1757,251,277,1761,1760,1759],"class_list":["post-6332","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-proxy","category-security","tag-configure-squid-proxy-on-pfsense","tag-pfsense","tag-squid","tag-squid-proxy","tag-squid-proxy-authentication","tag-squid-proxy-ldap-authentication","tag-squid-proxy-openldap-authentication","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6332"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=6332"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6332\/revisions"}],"predecessor-version":[{"id":21454,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6332\/revisions\/21454"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10750"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=6332"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=6332"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=6332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}