On Thu, 2007-06-14 at 12:00 +0200, Etienne Pretorius wrote:
>
> So I assume that I can use this helper to see if I can authenticate in a
> plain-text way from the returned attribute value.

You might, IF the LDAP has the plain-text password stored, and
squid_digest_auth is allowed to retrieve this.

> As the other helpers seem to expect "bind" privileges to the LDAP
> server - something I am avoiding

squid_ldap_auth can operate in both modes.

> in
> my opinion a little privilege to any authentication scheme could lead to
> a hack of some sort in the future.

???

> Yes, I was trying to do a plain-text by entering my hashed password
> myself to see if it worked.

Then you should use squid_ldap_auth..

> [root@apollo:~] ldapsearch -b
> # etiennep, People, domain.co.za
> dn: uid=etiennep,ou=People,dc=domain,dc=co,dc=za
> objectClass: posixAccount
> sambaNTPassword: 83152D7BEBBCA0BF0E5E170005097A69

Translates to

  squid_ldap_auth -b "ou=People,dc=domain,dc=co,dc=za" -u "uid" -U sambaNTPassword -h ldap_server

if you want squid_ldap_auth to compare the password to the
sambaNTPassword attribute.

> As you can see I am able to do an anonymous bind and query the entry
> directly. I get the value for the attribute, but am I entering it
> correctly in the helper?

Not for the Digest auth helper. But it's correct for the Basic auth
helper.

> There is so little documentation on how to
> debug these issues....

squid_ldap_auth has a debug flag, making it tell you a bit of what it's
doing and how..

Regards
Henrik
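The compare mode discussed in the message above, as an added Python sketch (not part of the original mail and not squid_ldap_auth's own code): it models a Basic auth helper that reads "username password" and answers OK or ERR by comparing the submitted value with one directory attribute. The in-memory DIRECTORY, the function names and the exact-match comparison are assumptions made for illustration; a real server applies the attribute's own matching rule.

```python
import hmac

# Constructed stand-in for the directory; the entry mirrors the one quoted in the mail.
DIRECTORY = {
    "uid=etiennep,ou=People,dc=domain,dc=co,dc=za": {
        "uid": "etiennep",
        "sambaNTPassword": "83152D7BEBBCA0BF0E5E170005097A69",
    },
}
BASE, USER_ATTR, PASS_ATTR = "ou=People,dc=domain,dc=co,dc=za", "uid", "sambaNTPassword"


def find_dn(base, user_attr, username):
    """Hypothetical search step: the entry below base whose user_attr equals username."""
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(base.lower()) and attrs.get(user_attr) == username:
            return dn
    return None


def compare(dn, attr, value):
    """Hypothetical compare step: the helper never reads the attribute, it only asks for equality."""
    stored = DIRECTORY[dn].get(attr)
    return stored is not None and hmac.compare_digest(stored.encode(), value.encode())


def handle_line(line, base=BASE, user_attr=USER_ATTR, pass_attr=PASS_ATTR):
    """One helper request: 'username password' in, 'OK' or 'ERR' out."""
    username, sep, password = line.rstrip("\n").partition(" ")
    if not sep or not username or not password:
        return "ERR"  # malformed request or empty password is always rejected
    dn = find_dn(base, user_attr, username)
    if dn is None:
        return "ERR"
    return "OK" if compare(dn, pass_attr, password) else "ERR"


if __name__ == "__main__":
    # Constructed requests: the stored attribute value, a wrong value, an unknown user.
    for request in (
        "etiennep 83152D7BEBBCA0BF0E5E170005097A69",
        "etiennep not-the-attribute-value",
        "nobody 83152D7BEBBCA0BF0E5E170005097A69",
    ):
        print(request.split(" ")[0], "->", handle_line(request))
```

In this mode whatever string the attribute holds is the credential itself, so read access to that attribute is equivalent to knowing the password.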