RE: [squid-users] Problems with IDENT lookup logging

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 28 Apr 2009 13:34:12 +1200 (NZST)

>> 1) you mention having questions but don't ask any.
>
> --> Well, one of them is..I have read that using LDAP lookup..When
> attempting to visit a blocked site, squid will challenge the
> authentication. Is this true?

LDAP (authentication) and IDENT (identification) are two very different
things.
Only if you configure Squid to request authentication will it challenge.
There are ways to avoid auth sometimes (IP, header, or destination based
ACLs etc), and others (fakeauth or the 'all' ACL config hack) to avoid the
challenge.

> We're trying to keep this as transparent as
> possible.

Well, to guarantee auth credentials, some form of challenge needs to go
back to the browser to kick things off. Your current usage this challenge
is done in the background via ident. I mention fakeauth etc. They and the
auth protocols you have looked at do the same thing via HTTP. Some like
LDAP and NTLM can be silent to the user if the browser has access to such
information.
 Worst case for proper setup is that the user gets a auth popup once per
browser startup.
 Worst case for broken setup is that the browser continuously shows the
user the auth popup.

> Will squid have any problems performing LDAP against a mail server? I
> have the mail server also set up as an LDAP server (it's an exchange2003
> box), so, so long as I direct the requests under port 389 there shouldn't
> be a problem correct?

Say what?! SMTP and LDAP are again two very different protocols. SMTP
like HTTP can be configured to _use_ LDAP. But you cannot AFAIK send an
email to someone and receive LDAP credentials back via LDAP protocol.

I have to assume you mean your Exchange2003 Server provides LDAP domain
authentication service separate to its email service.
Squid should not have any problems authenticating against any proper LDAP
authentication service.

> Next question would be..Is there a better method to use than LDAP? NTLM
> possibly?

Not really, security changes over time, NTLM and LDAP are getting old. But
at least LDAP is able to keep up with encryption updates.
If you are using Vista or later boxes anywhere, negotiate auth with
kerberos is much better than NTLM for them. To the point of being a
required upgrade.

>
> 2) logging of authenticated username (LDAP) and loging of identity
> name (IDENT) are two separate things sometimes in Squid. Check the log
> format is showing what you want.
> ---> I do have the log format set to record successfully the IDENT lookup.
> As you can see from the log..It does sometimes work and sometimes does
> not. I can include a much larger log file if anyone has the time to look
> it over. I do, but I can't discern any patterns..

As you probably know. IDENT only works for local machines which support it
AND have the security levels reduced to allow user information to be shown
publicly.

>
> 3) Ident is a rarely used (due to being insecure) method of
> identification. The re-write of auth for Squid-3 left a few problems in
> the way it works. Many of which are being resolved so recently the
> patches have not yet made it to 3.0 and some still waiting testing in
> bugzilla. If you need this kind of fix, please test the latest snapshots
> then get check bugzilla for any remaining issues.
> ----> Again..I don't mind getting away from IDENT..It is a pain in the ass
> to get installed on all the client machines..But when I was first learning
> about squid, this is the path that was easiest for me (I had to learn
> linux first, then squid, then squint for reports, then IDENT for username
> logging..All in about a week).. So I just kind of stuck with it.
> We have until May 4th til this needs to go live. We, as you can see, are
> currently running and logging now so we can make sure the loads are all
> ok. So, any help before then would be awesome!!

I think you probably want to look at fakeauth as well. Which does the auth
challenge to browsers, but accepts anything they send back.
 http://wiki.squid-cache.org/ConfigExamples/Authenticate/LoggingOnly

>
> Thanks again guys!!
>
> Thanks
> Dustin
>
> Dustin Hane wrote:
>> Hello all!
>>
>> I'm trying to get around having to do the LDAP or NTLM authentication
>> schemas. It may be a lot easier, but I'm just not exactly sure how..So
>> what I have done is this..
>> I pushed out via a GPO a script that will report the username to a text
>> file. I then use windows IDent server (installed on all local boxes) to
>> listen for when Squid makes an RFC 931 lookup request. The service
>> responds with the username from the text file.
>> Using Squid 3Stable7 on Unix..Exporting logs in default squid format..
>> I wouldn't have a problem using an LDAP server as I do have it set up..I
>> just don't understand it and for some reason I can't wrap my head around
>> the wiki for it and I have a few questions that aren't listed there..If
>> someone has a few minutes that I could email my test config for it to, I
>> would be eternally greatful! I just don't want to bog down the maillist
>> with my stupidity.
>> Works absolutely awesome 94% of the time..But occasionally I get the
>> following. (usernames have been retracted for obvious reasons)
>>
>>
>>A few things crop into y head reading your post:
>>
>> 1) you mention having questions but don't ask any.
>
> --> Well, one of them is..I have read that using LDAP lookup..When
> attempting to visit a blocked site, squid will challenge the
> authentication. Is this true? We're trying to keep this as transparent as
> possible.
> Will squid have any problems performing LDAP against a mail server? I
> have the mail server also set up as an LDAP server (it's an exchange2003
> box), so, so long as I direct the requests under port 389 there shouldn't
> be a problem correct?
> Next question would be..Is there a better method to use than LDAP? NTLM
> possibly?
>
> 2) logging of authenticated username (LDAP) and loging of identity
> name (IDENT) are two separate things sometimes in Squid. Check the log
> format is showing what you want.
>
> 3) Ident is a rarely used (due to being insecure) method of
> identification. The re-write of auth for Squid-3 left a few problems in
> the way it works. Many of which are being resolved so recently the
> patches have not yet made it to 3.0 and some still waiting testing in
> bugzilla. If you need this kind of fix, please test the latest snapshots
> then get check bugzilla for any remaining issues.
>
> Amos
>
>> ---Begin Logs---
>> 1240514814.201 289 icm1512.postalproducts.com TCP_MISS/200 2347 GET
>> http://www.bassind.com/images/bg_03.gif username DIRECT/65.198.197.121
>> image/gif
>> 1240514814.578 404 icm1512.postalproducts.com TCP_MISS/200 544 GET
>> http://www.bassind.com/images/top_nav_bg.gif - DIRECT/65.198.197.121
>> image/gif
>> 1240514814.613 1106 icm1512.postalproducts.com TCP_MISS/404 1561 GET
>> http://www.bassind.com/images/main_top.gif - DIRECT/65.198.197.121
>> text/html
>> 1240514814.673 417 icm1512.postalproducts.com TCP_MISS/200 3994 GET
>> http://www.bassind.com/prodimg/hometheatrehp.jpg username
>> DIRECT/65.198.197.121 image/jpeg
>>
>> 1240514824.037 356 icm1512.postalproducts.com TCP_MISS/404 1561 GET
>> http://www.bassind.com/favicon.ico username DIRECT/65.198.197.121
>> text/html
>> 1240514829.944 0 icm1338.postalproducts.com TCP_IMS_HIT/304 375 GET
>> http://vendornet.americanhotel.com/colors/styles.css username NONE/-
>> text/css
>> 1240514829.946 0 icm1338.postalproducts.com TCP_IMS_HIT/304 391 GET
>> http://vendornet.americanhotel.com/inc/main.js - NONE/-
>> application/x-javascript
>> 1240514829.969 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/colors/topB.gif username NONE/-
>> image/gif
>> 1240514830.000 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/Logo/AHLogo.gif - NONE/- image/gif
>> 1240514830.004 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/colors/liteteal1x1.gif username
>> NONE/- image/gif
>> 1240514830.009 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/colors/exit.gif - NONE/- image/gif
>> 1240514830.011 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/colors/topA.gif username NONE/-
>> image/gif
>> 1240514830.015 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/colors/leftReduce.gif - NONE/-
>> image/gif
>> 1240514830.021 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/colors/leftExpand.gif username NONE/-
>> image/gif
>> 1240514830.025 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/Colors/liteteal1x1.gif - NONE/-
>> image/gif
>> 1240514830.029 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/colors/arrow.gif username NONE/-
>> image/gif
>> 1240514830.034 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/colors/leftDiv.gif - NONE/- image/gif
>> 1240514830.040 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/colors/arrowbl.gif username NONE/-
>> image/gif
>> 1240514830.049 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/colors/tealleft.gif - NONE/-
>> image/gif
>> 1240514830.050 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/colors/leftSpace.gif username NONE/-
>> image/gif
>> 1240514830.070 327 icm1338.postalproducts.com TCP_MISS/200 23941 POST
>> http://vendornet.americanhotel.com/Index.asp jurgitad
>> DIRECT/72.35.92.212 text/html
>> 1240514830.080 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/images/powered.gif - NONE/- image/gif
>> 1240514830.083 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/colors/teal1x1.gif username NONE/-
>> image/gif
>> 1240514830.093 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
>> http://vendornet.americanhotel.com/colors/recapright.gif username NONE/-
>> image/gif
>> 1240514832.457 107 icm1512.postalproducts.com TCP_MISS/200 1903 GET
>> http://www.freightquote.com/images/qb_nav_account_on.gif username
>> DIRECT/207.218.147.11 image/gif
>> ---END LOGS----
>>
>> Dustin Hane
>> IT Support
>> Ph: 414-290-1128
>> Fx: 414-290-1515
>> 500 W Oklahoma Ave
>> Milwaukee, WI 53207
>> dustinh_at_postalproducts.com
>>
>>
>
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
> Current Beta Squid 3.1.0.7
>
>
Received on Tue Apr 28 2009 - 00:34:11 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 28 2009 - 12:00:02 MDT