
Re: Squid3 Samba3 PDC Authentication via LDAP -- help

Henrik Nordstrom wrote:
On Wed 2007-06-13 at 17:11 +0200, Etienne Pretorius wrote:
Hello List,

I have a slight problem. I need squid to authenticate against a samba PDC with an LDAP backend. I would like it to do the Authentication without the help of SAMBA and to get the password right out of the LDAP server and unhash.

Should be doable, but you'll need to implement the hash function to
compare the passwords.. unless Samba stores the plaintext password in
their password backend.. (which I doubt..)

I am first trying to see if I can Authenticate via plain-text comparisons without the hashed implementation so
that I know that I am on the correct track.
Would this be the helper I am looking for (squid3):

Usage: digest_pw_auth(LDAP_backend) -b basedn -f filter [options] ldap_server_name

That helper is for the Digest authentication scheme. Requires either
plain-text or Digest realm specific hashed passwords in the backend.

So I assume that I can use this helper to see if I can authenticate in a plain-text way from the returned attribute value. As the other helpers seem to expect "bind" privileges to the LDAP server - something I am avoiding, in my opinion a little privilege to any authentication scheme could lead to a hack of some sort in the future.
And could someone please provide me with an example of its usage.... as I am having no luck here testing it.

[root@xxxxx:/usr/lib/squid3] ./digest_ldap_auth -R -b "ou=People,dc=domain,dc=co,dc=za" -u "uid" -A sambaNTPassword -h ldap_server
etiennep 83152D7BEBBCA0BF0E5E170005097A69
ERR

Are you really using 83152D7BEBBCA0BF0E5E170005097A69 as your password?
Awfully long string to type..

Also please note that using the -A option retrieves that attribute from
the LDAP in order to compare with the supplied password. To use this the
user squid_ldap_auth binds as must have read access on the attribute.
Any password-related attributes usually have very strict access controls
in most LDAP servers..

Yes, I was trying to do a plain-text by entering my hashed password myself to see if it worked.
What does your user object look like in the LDAP tree?

Regards
Henrik
[root@apollo:~] ldapsearch -b "uid=etiennep,ou=People,dc=domain,dc=co,dc=za" -x
# extended LDIF
#
# LDAPv3
# base <uid=etiennep,ou=People,dc=domain,dc=co,dc=za> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# etiennep, People, domain.co.za
dn: uid=etiennep,ou=People,dc=domain,dc=co,dc=za
objectClass: sambaSamAccount
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
sambaHomeDrive: X:
sambaDomainName: CPT-OFFICE
sambaAcctFlags: [XU         ]
displayName: etiennep
sambaHomePath: \\APOLLO\users\etiennep
sambaProfilePath: \\APOLLO\profiles\etiennep
sambaLMPassword: 3E156727B5CBF95B25AD3B83FA6627C7
sambaNTPassword: 83152D7BEBBCA0BF0E5E170005097A69
sambaPwdLastSet: 1176375582
shadowWarning: 10
shadowInactive: 10
shadowMin: 1
shadowMax: 365
homeDirectory: /home/etiennep
loginShell: /bin/false
uid: etiennep
cn: Etienne Pretorius
uidNumber: 2005
sn: Pretorius
givenName: Etienne
title: Network Administrator
employeeType: Employee
sambaSID: S-1-5-21-3139382641-418891753-366912486-5010
sambaPrimaryGroupSID: S-1-5-21-3139382641-418891753-366912486-513
gidNumber: 513
manager:


As you can see I am able to do an anonymous bind and query the entry directly. I get the value for the attribute, but am I entering it correctly in the helper? There is so little documentation on how to debug these issues....

Thank you,
Etienne Pretorius

