Univention Bugzilla – Bug 34154
Squid ldap authentication issues with umlauts
Last modified: 2018-05-09 14:21:05 CEST
Part of the original issue was still relevant with UCS 3.1. It should at least be checked again.
+++ This bug was initially created as a clone of Bug #20817 +++
As a system review showed, umlauts in user names and passwords are problematic for Squid authentication against LDAP. There is already a thread and a linked patch on this at: http://www.spinics.net/lists/squid/msg31827.html
As the Squid documentation shows, the patch submitted for this was merged into Squid 3.2: http://www.eu.squid-cache.org/Doc/config/auth_param/
This allows the parameter "auth_param basic|digest utf8 on|off" to be set in the Squid configuration.
This is still true for UCS 4.0-1 with basic auth:
> squid/basicauth: yes
> squid/ntlmauth: no
> squid/krb5auth: <empty>
Tested with UCS 4.0-1 errata193, user "ünivention", Win7, IE 11:
> 1431339731.112 14 10.200.30.16 TCP_DENIED/407 3948 GET http://www.google.com/ %fcnivention NONE/- text/html
-> bad encoding
On the other hand, it works fine with NTLM auth:
> squid/basicauth: no
> squid/ntlmauth: yes
> squid/krb5auth: <empty>
> 1431339893.091 7338 10.200.30.16 TCP_MISS/200 4385 CONNECT www.google.com:443 %c3%bcnivention DIRECT/173.194.113.19 -
-> works
Conclusion: umlauts are fine for proxy authentication as long as NTLM auth (or Kerberos) is used. If using basic auth, wrong umlaut encoding breaks the authentication.
The original bug report mentioned a patch for Squid 3.2 that should resolve the issue, but it seems as if it was also patched for 3.1 (which UCS 4.0 still relies on): http://www.squid-cache.org/Doc/config/auth_param/
Adding "auth_param basic utf8 on" to the Squid configuration makes authentication also work fine for basic auth:
> squid/basicauth: yes
> squid/ntlmauth: no
> squid/krb5auth: <empty>
> 1431341700.701 578 10.200.30.16 TCP_MISS/301 648 GET http://www.univention.de/ %fcnivention DIRECT/78.47.199.152 text/html
-> The encoding still looks "wrong", but authentication works. Squid translates the HTTP iso-latin-1 charset to UTF-8 in the background.
It works if the password is sent as base64-encoded UTF-8:
printf 'GET http://google.com HTTP/1.1\r\nHost: google.com\r\nProxy-Authorization: Basic /G5pdmVudGlvbjp1bml2ZW50aW9u\r\n\r\n' | nc localhost 3128
→ works
printf 'GET http://google.com HTTP/1.1\r\nHost: google.com\r\nProxy-Authorization: Basic w7xuaXZlbnRpb246dW5pdmVudGlvbg==\r\n\r\n' | nc localhost 3128
→ fails
As we internally store the password as UTF-8 and HTTP is a latin-1 protocol, converting it via Squid's "auth_param basic utf8 on" (comment 2) seems to be correct.
Both Chrome and Firefox (in the latest version) use UTF-8 during basic auth. IE and Edge do not... Setting "auth_param basic utf8 on" breaks Firefox and Chrome, but fixes IE and Edge. I guess it would be possible to patch Squid to test the password with both encodings.
Tested with UCS 4.3
I wrote a wrapper that tries to login with both encodings. Does this need to be controlled via a ucr variable? https://git.knut.univention.de/univention/ucs/tree/juern/squid
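The following is an added example, not the wrapper from the git link above and not Univention code. It models the behaviour the thread describes: IE/Edge send the Basic credential as Latin-1 bytes, Chrome/Firefox as UTF-8 bytes, while the directory stores UTF-8, and the two base64 tokens from the nc test above decode to exactly those two byte forms of "ünivention:univention". Instead of Squid's global "auth_param basic utf8 on" conversion (shown here as `squid_utf8_on_transform`, which is why that option double-encodes a UTF-8 client's credential), each helper request line is read as UTF-8 first and then as Latin-1 and each reading is checked against the backend. The in-memory `DIRECTORY` and the `directory_lookup` backend are constructed stand-ins for the LDAP helper; the helper line format (`username password`, both %-escaped, answered by `OK` or `ERR`) is the Squid basic-helper protocol as I know it, with concurrency channel-ids left out.

```python
"""Squid basic-auth helper wrapper that accepts a credential in either encoding.

Added example (not the wrapper from the bug's git link). Tries each helper
request as UTF-8 first, then as Latin-1, against a constructed backend.
"""
from __future__ import annotations

import base64
import hmac
import sys
from urllib.parse import unquote_to_bytes

# Constructed sample directory: username -> password (UTF-8 strings).
# A real wrapper would call the LDAP helper instead of this dict.
DIRECTORY = {"\u00fcnivention": "univention"}


def directory_lookup(user: str, password: str) -> bool:
    """Constant-time comparison against the constructed directory."""
    stored = DIRECTORY.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def parse_proxy_authorization(header: str) -> tuple:
    """Split a 'Basic <base64>' header value into raw (user, password) bytes.

    The token is base64 of 'user:password'; the user part cannot contain ':'
    (RFC 7617), so only the first colon separates the fields. No charset is
    recovered here: the bytes are whatever the browser chose to send.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True)
    user, sep, password = raw.partition(b":")
    if not sep:
        raise ValueError("credential lacks ':' separator")
    return user, password


def candidate_credentials(raw_user: bytes, raw_pass: bytes) -> list:
    """Return the distinct (user, password) readings of the raw bytes.

    UTF-8 is tried first because ASCII-only input and UTF-8 clients both match
    it; Latin-1 never fails to decode, so it yields a second reading unless it
    is identical to the first (ASCII-only input).
    """
    readings = []
    for encoding in ("utf-8", "latin-1"):
        try:
            pair = (raw_user.decode(encoding), raw_pass.decode(encoding))
        except UnicodeDecodeError:
            continue  # a lone 0xFC byte is not valid UTF-8
        if pair not in readings:
            readings.append(pair)
    return readings


def authenticate_line(line: bytes, verify=directory_lookup) -> str:
    """Handle one basic-helper request line and return 'OK' or 'ERR'.

    Squid hands basic helpers 'username password' with both fields %-escaped,
    so a space inside a password arrives as %20 and splitting on the first
    space is safe. Concurrency channel-ids are not handled here.
    """
    fields = line.rstrip(b"\r\n").split(b" ", 1)
    if len(fields) != 2:
        return "ERR"
    raw_user, raw_pass = (unquote_to_bytes(f) for f in fields)
    for user, password in candidate_credentials(raw_user, raw_pass):
        if verify(user, password):
            return "OK"
    return "ERR"


def squid_utf8_on_transform(raw: bytes) -> bytes:
    """What 'auth_param basic utf8 on' does: read the credential as Latin-1 and
    re-encode it as UTF-8. Right for IE/Edge; a UTF-8 credential from
    Chrome/Firefox is double-encoded and no longer matches the directory."""
    return raw.decode("latin-1").encode("utf-8")


if __name__ == "__main__":
    # Helper loop: one request per stdin line, one verdict per stdout line.
    for request in sys.stdin.buffer:
        sys.stdout.write(authenticate_line(request) + "\n")
        sys.stdout.flush()
```

Feeding `%FCnivention univention` (what Squid passes for the IE/Edge token) and `%C3%BCnivention univention` (the Chrome/Firefox token) both yield `OK` against the same stored UTF-8 user, which is the property the wrapper approach buys over the global utf8 switch.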
As discussed, please add a UCR switch to revert to the old behavior.
[4.3-0 0d33d53946] Bug #34154: utf8 and latin1 basic auth wrapper
[4.3-0 dadf63c5a1] Bug #34154: fix 43_proxy tests and speed up
[4.3-0 eaa56cc049] Bug #34154: Added testcase 43_proxy/07_basic_auth_encoding
[4.3-0 f29acb4192] Bug #34154: ucr variables for basic auth wrapper
[4.3-0 afdabe2d46] Bug #34154: 43_proxy fix test
[4.3-0 3ed5c55ed1] Bug #34154: changelog
[4.3-0 95037a48a6] Bug #34154: YAML
Package: univention-squid
Version: 11.0.0-13A~4.3.0.201804201627
Branch: ucs_4.3-0
Scope: errata4.3-0
OK: New wrapper, activated by default
OK: reset to old behavior with ucr squid/basicauth/encoding_wrapper=no + squid restart
OK: ucs tests
OK: Login with Chrome, Firefox, IE
OK: yaml
Verified
43_proxy.05_custom_ACL_snippets_in_squidconf.test fails; has this something to do with this bug/commit?
I don't think it has: failing for 139 builds (since #4). But let's give the assignee a chance to look at it.
I'm not sure why mail.univention.de:80 is not reachable (or slow) from Jenkins. Port 80 is now redirected to a local server (21 and 443 were already redirected).
I had to make a small fix in "ucs-test/univention/testing/network.py": revert_network_settings iterates over self.cleanup_rules, which is modified during iteration -> not all rules were removed.
[4.3-0 8a3d128f6e] Bug #34154: Fix timeout in 43_proxy/05_custom_ACL_snippets_in_squidconf
Package: ucs-test
Version: 8.0.28-112A~4.3.0.201805021400
Branch: ucs_4.3-0
Scope: errata4.3-0
Test was still failing. I removed any need for an outside connection from the test.
[4.3-0 9b7b028a0d] Bug #34154: Fix 43_proxy/05_custom_ACL_snippets_in_squidconf
--- mirror/ftp/4.3/unmaintained/4.3-0/source/univention-squid_11.0.0-12A~4.3.0.201802061545.dsc +++ apt/ucs_4.3-0-errata4.3-0/source/univention-squid_11.0.0-13A~4.3.0.201804201627.dsc @@ -1,6 +1,12 @@ -11.0.0-12A~4.3.0.201802061545 [Tue, 06 Feb 2018 15:45:35 +0100] Univention builddaemon <buildd@univention.de>: +11.0.0-13A~4.3.0.201804201627 [Fri, 20 Apr 2018 16:27:17 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +11.0.0-13 [Wed, 18 Apr 2018 12:36:45 +0200] Jürn Brodersen <brodersen@univention.de>: + + * Bug #34154: utf8 and latin1 basic auth wrapper + * Bug #46567: remove obsolete 'hierarchy_stoplist' directive + * Bug #46565: Use network address in network acl 11.0.0-12 [Tue, 06 Feb 2018 15:43:57 +0100] Felix Botner <botner@univention.de>:
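Review bot: the new 11.0.0-13 changelog entry "* Bug #34154: utf8 and latin1 basic auth wrapper" says nothing about the wrapper being enabled by default or about the UCR switch that restores the previous behaviour, even though the verification above relies on squid/basicauth/encoding_wrapper=no plus a squid restart to do so and one of the listed commits is "ucr variables for basic auth wrapper"; the entry should name that variable so an administrator reading the package changelog can find the switch. The same entry also folds two unrelated fixes (Bug #46567 and Bug #46565) into this errata build, which the errata text should call out separately.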
Verified
<http://errata.software-univention.de/ucs/4.3/32.html>