Bug 34154 - Squid ldap authentication issues with umlauts
Product: UCS
Classification: Unclassified
Component: Squid
UCS 4.3
Other Linux
P5 normal
: UCS 4.3-0-errata
Assigned To: Jürn Brodersen
Erik Damrose
Depends on:
Blocks: 46871
Reported: 2014-02-19 09:54 CET by Erik Damrose
Modified: 2018-05-09 14:21 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.183
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description Erik Damrose univentionstaff 2014-02-19 09:54:29 CET
Part of the original issue was still relevant with UCS 3.1. It should at least be checked again.

+++ This bug was initially created as a clone of Bug #20817 +++

As a system review showed, umlauts in user names and passwords are problematic for Squid authentication against LDAP.

There is already a thread and a linked patch on this at:

As the Squid documentation shows, the patch submitted for this was merged into Squid 3.2:

This allows the parameter
"auth_param basic|digest utf8 on|off" to be set in the Squid configuration.
Comment 1 Michael Grandjean univentionstaff 2015-05-11 12:52:52 CEST
This is still true for UCS 4.0-1 with basic auth:

> squid/basicauth: yes
> squid/ntlmauth: no
> squid/krb5auth: <empty>

Tested with UCS 4.0-1 errata193, user "ünivention", Win7, IE 11:

> 1431339731.112     14 TCP_DENIED/407 3948 GET http://www.google.com/ %fcnivention NONE/- text/html

-> bad encoding

On the other hand, it works fine with NTLM auth:

> squid/basicauth: no
> squid/ntlmauth: yes
> squid/krb5auth: <empty>

> 1431339893.091   7338 TCP_MISS/200 4385 CONNECT www.google.com:443 %c3%bcnivention DIRECT/ -

-> works

conclusion: umlauts are fine for proxy authentication as long as NTLM auth (or Kerberos) is used. If using basic auth, wrong umlaut encoding breaks the authentication.
Comment 2 Michael Grandjean univentionstaff 2015-05-11 12:58:26 CEST
The original bug report mentioned a patch for Squid 3.2 that should resolve the issue, but it seems as if it was also patched for 3.1 (which UCS 4.0 still relies on): http://www.squid-cache.org/Doc/config/auth_param/

Adding "auth_param basic utf8 on" to the Squid configuration makes authentication also work fine for basic auth:

> squid/basicauth: yes
> squid/ntlmauth: no
> squid/krb5auth: <empty>

> 1431341700.701    578 TCP_MISS/301 648 GET http://www.univention.de/ %fcnivention DIRECT/ text/html

-> The encoding still looks "wrong", but authentication works. Squid translates HTTP iso-latin-1 charset to UTF-8 in the background.
Comment 3 Florian Best univentionstaff 2015-05-11 13:20:26 CEST
It works if the password is sent as base64-encoded UTF-8:
printf 'GET http://google.com HTTP/1.1\r\nHost: google.com\r\nProxy-Authorization: Basic /G5pdmVudGlvbjp1bml2ZW50aW9u\r\n\r\n' | nc localhost 3128
→ works

printf 'GET http://google.com HTTP/1.1\r\nHost: google.com\r\nProxy-Authorization: Basic w7xuaXZlbnRpb246dW5pdmVudGlvbg==\r\n\r\n' | nc localhost 3128
→ fails

As we internally store the password as UTF-8 and HTTP is a latin-1 protocol, converting it via squid "auth_param basic utf8 on" (comment 2) seems to be correct.
Comment 4 Jürn Brodersen univentionstaff 2018-04-16 16:07:45 CEST
Both chrome and firefox (in the latest version) use utf8 during basic auth. IE and Edge do not...

Setting "auth_param basic utf8 on" breaks firefox and chrome. But fixes IE and Edge.

I guess it would be possible to patch squid to test the password with both encodings.

Tested with UCS 4.3
Comment 5 Jürn Brodersen univentionstaff 2018-04-19 10:42:27 CEST
I wrote a wrapper that tries to login with both encodings.
Does this need to be controlled via a ucr variable?

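A Python model of the three behaviours discussed in comments 3 to 5, added here as an illustration (it is not code from this bug or from univention-squid): it decodes the two Proxy-Authorization values quoted in comment 3 and checks them against a hypothetical UTF-8 directory under "utf8 off", "utf8 on" and a both-encodings wrapper. DIRECTORY, the mode names and all function names are assumptions; the real wrapper's interface is not shown on this page.

```python
import base64

# Constructed from the two Proxy-Authorization values quoted in comment 3: both carry
# "ünivention:univention", the first as Latin-1 (0xFC), the second as UTF-8 (0xC3 0xBC).
LATIN1_HEADER = "Basic /G5pdmVudGlvbjp1bml2ZW50aW9u"
UTF8_HEADER = "Basic w7xuaXZlbnRpb246dW5pdmVudGlvbg=="
# Hypothetical stand-in for the LDAP backend: the directory holds UTF-8 text.
DIRECTORY = {"ünivention": "univention"}

def encode_basic(user, password, encoding):
    """Build the Basic credential a browser using `encoding` would send."""
    raw = ("%s:%s" % (user, password)).encode(encoding)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic(header):
    """Return the raw, still undecoded "user:password" bytes of a Basic credential."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    return base64.b64decode(b64, validate=True)

def candidate_texts(raw, mode):
    """Readings of the credential bytes per squid setting: utf8_off takes them as UTF-8
    (Firefox/Chrome pass, IE/Edge fail); utf8_on reads Latin-1 and re-encodes (IE/Edge pass,
    Firefox/Chrome fail); wrapper tries strict UTF-8, then Latin-1, like comment 5's wrapper."""
    if mode == "utf8_off":
        return [raw.decode("utf-8", errors="replace")]
    if mode == "utf8_on":
        return [raw.decode("latin-1")]
    if mode != "wrapper":
        raise ValueError("unknown mode: %r" % mode)
    texts = []
    try:
        texts.append(raw.decode("utf-8"))
    except UnicodeDecodeError:
        pass
    # Valid UTF-8 also has a Latin-1 reading, so up to two distinct strings are
    # checked per login; the UCR switch from comment 8 restores single-reading behaviour.
    latin1 = raw.decode("latin-1")
    if latin1 not in texts:
        texts.append(latin1)
    return texts

def authenticate(header, mode="wrapper"):
    """Answer "OK" or "ERR", as a squid basic auth helper would, for one credential."""
    for text in candidate_texts(decode_basic(header), mode):
        user, sep, password = text.partition(":")
        if sep and DIRECTORY.get(user) == password:
            return "OK"
    return "ERR"
```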
Comment 6 Erik Damrose univentionstaff 2018-04-19 10:58:17 CEST
As discussed, please add a UCR switch to revert to the old behavior.
Comment 7 Jürn Brodersen univentionstaff 2018-04-20 16:29:49 CEST
[4.3-0 0d33d53946] Bug #34154: utf8 and latin1 basic auth wrapper
[4.3-0 dadf63c5a1] Bug #34154: fix 43_proxy tests and speed up
[4.3-0 eaa56cc049] Bug #34154: Added testcase 43_proxy/07_basic_auth_encoding
[4.3-0 f29acb4192] Bug #34154: ucr variables for basic auth wrapper
[4.3-0 afdabe2d46] Bug #34154: 43_proxy fix test
[4.3-0 3ed5c55ed1] Bug #34154: changelog
[4.3-0 95037a48a6] Bug #34154: YAML

Package: univention-squid
Version: 11.0.0-13A~
Branch: ucs_4.3-0
Scope: errata4.3-0
Comment 8 Erik Damrose univentionstaff 2018-04-26 14:24:00 CEST
OK: New wrapper, activated by default
OK: reset to old behavior with ucr squid/basicauth/encoding_wrapper=no + squid restart
OK: ucs tests
OK: Login with chrome, firefox, IE
OK: yaml
Comment 9 Felix Botner univentionstaff 2018-04-26 14:40:08 CEST
43_proxy.05_custom_ACL_snippets_in_squidconf.test fails, has this something to do with this bug/commit?
Comment 10 Erik Damrose univentionstaff 2018-04-26 14:51:34 CEST
I don't think it has: Schlägt fehl seit 139 Builds (Seit #4 ). But let's give the assignee a chance to look at it.
Comment 11 Jürn Brodersen univentionstaff 2018-05-02 14:06:10 CEST
I'm not sure why mail.univention.de:80 is not reachable/slow? from jenkins. Port 80 is now redirected to a local server (21 and 443 were already redirected).

I had to make a small fix in "ucs-test/univention/testing/network.py"
revert_network_settings iterates over self.cleanup_rules which is modified during iteration -> not all rules were removed.

[4.3-0 8a3d128f6e] Bug #34154: Fix timeout in 43_proxy/05_custom_ACL_snippets_in_squidconf

Package: ucs-test
Version: 8.0.28-112A~
Branch: ucs_4.3-0
Scope: errata4.3-0
Comment 12 Jürn Brodersen univentionstaff 2018-05-04 11:30:19 CEST
Test was still failing. I removed any need for an outside connection from the test.

[4.3-0 9b7b028a0d] Bug #34154: Fix 43_proxy/05_custom_ACL_snippets_in_squidconf
Comment 13 Quality Assurance univentionstaff 2018-05-04 16:43:48 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/univention-squid_11.0.0-12A~
+++ apt/ucs_4.3-0-errata4.3-0/source/univention-squid_11.0.0-13A~
@@ -1,6 +1,12 @@
-11.0.0-12A~ [Tue, 06 Feb 2018 15:45:35 +0100] Univention builddaemon <buildd@univention.de>:
+11.0.0-13A~ [Fri, 20 Apr 2018 16:27:17 +0200] Univention builddaemon <buildd@univention.de>:
   * UCS auto build. No patches were applied to the original source package
+11.0.0-13 [Wed, 18 Apr 2018 12:36:45 +0200] Jürn Brodersen <brodersen@univention.de>:
+  * Bug #34154: utf8 and latin1 basic auth wrapper
+  * Bug #46567: remove obsolete 'hierarchy_stoplist' directive
+  * Bug #46565: Use network address in network acl
 11.0.0-12 [Tue, 06 Feb 2018 15:43:57 +0100] Felix Botner <botner@univention.de>:
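Review bot: the entry `* Bug #34154: utf8 and latin1 basic auth wrapper` does not tell administrators that basic auth now accepts both encodings by default or how to revert that; comment 8 verifies the switch `ucr squid/basicauth/encoding_wrapper=no` plus a squid restart, so name that variable in this changelog line (or in the YAML advisory from comment 7) so upgraders can find it.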
Comment 14 Erik Damrose univentionstaff 2018-05-07 11:58:03 CEST
Comment 15 Arvid Requate univentionstaff 2018-05-09 14:21:05 CEST