Re: Squid LDAP Digest


 



On Wed, 16 Nov 2005, Winfried Kuiper wrote:

from http://www.squid-cache.org/mail-archive/squid-dev/200506/0031.html I know, there is a new digest authentication helper with ldap extension.

Yes.

So, is it now possible to make a secure
communication between both,
a) client-squidserver
and
b) squidserver-ldapserver?

Sort of.

We want to use a secure authentication (I like digest more than NTLM)
at the squid proxy server for our students over WLAN. The proxy server
then should be able to talk in a secure way to the Windows LDAP Server.

Only works if you are willing to add a Digest HA1 attribute to each user having the Digest hashed password, or if you manage to provide Squid access to the plain text passwords stored in the directory. Neither is normally there in an ADS tree.

But I don't like this solution, because I have to join the ADS tree.
There are often problems in the ADS tree and I don't want to become
a member of it.

Your choice.

Is the authentication helper found under
http://www.squid-cache.org/cgi-bin/cvsweb.cgi/squid3/helpers/digest_auth/password/
the solution for my problem?

It is the helper you speak of above.

But it does NOT allow Digest authentication to the Windows ADS passwords.

Do you know another solution for me?

My recommendation at the moment is to go for NTLM.

Can I use it with squid-2.5.STABLE6-6.15?

Yes, if you trust the Digest implementation there..

Where can I find more documentation for your new digest authentication
helper?

There is a man page included in the distribution, documenting most options.

But you have to remember that this helper requires either

  a) Access to plain-text stored passwords
or
  b) Access to pre-hashed Digest HA1 hashes of the users' passwords.

neither is normally stored in ADS.

It is possible to configure ADS to store "Reversibly encrypted" passwords, and is a requirement for Microsoft Digest implementation. This however can not be used by Squid at this time due to lack of information from Microsoft on how to integrate Digest with ADS in a sensible manner.

Do you know a good book about squid and authentication helper?

The Squid book has some information. Not very much on Digest however.

Regards
Henrik
