Luis Claudio Botelho - Chefe de Tecnologia e Redes wrote:
Hi,
Please, I need some help about Digest Authentication.
We made a new server in our enterprise, using "Fedora 7" (64 bits).
We have Squid 3, installed, and we need to authenticate our users in one of
the DC's (Windows 2003 Server DC).
The problem:
We started configuring Squid with basic authentication; it worked fine, but
we got the user's password through "Ethereal Software". This is a problem
here, because we have a lot of students and teachers that we need to
guarantee security to them and against them.
So we tried "digest authentication", and our problem started. Our tests
failed, and we didn't find any documentation about how to implement
"digest_ldap_auth" to check the username and password.
Effectively you need to either store the Digest encrypted password, or
the plain text password on the LDAP server. It's a fine solution if you
use it from the start, but a bit of a pain to retrofit.
We don't know if our idea about digest authentication is right or wrong. We
imagine that we can simply authenticate in "Windows 2003 Server DC" (as
basic authentication does), without storing the user's password on the Linux
Server. Is that possible? If yes, where can I find instructions about how to
use it?
If you can help us about this, and even if our idea about digest
authentication between Squid and Windows 2003 Server is wrong, it would be
very nice.
I would like to thank you for your time, and sorry for any inconvenience.
Given you have an Active Directory domain, you might be better served
authenticating directly against it:
http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM
Fedora 7 should come with a nifty utility called "authconfig", which
might eliminate much (but not all) of the text file fiddling that the
example requires.
Regards,
________________________________
Luis Claudio Botelho
Chefe de Tecnologia e Redes
Coordenadoria Geral de Informática
Centro Universitário da FEI
São Bernardo do Campo - SP
4353-2900 ramal 2117
"The great secret of life is to spend it in something that endures more than itself"
"In the box was written: Windows NT, 2000 or better. So I installed Linux"
"Knowing is not enough, we must apply. Willing is not enough, we must do."
As a disclaimer, I have not used NTLM authentication with Squid, but I
have a CentOS 4 install that allows Cyrus-IMAPd to authenticate against ADS.
Chris
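
The point in the reply above, that a Digest verifier must hold either the "Digest encrypted password" (HA1) or the plain-text password, shown as an added example that is not part of the original thread or of Squid's code. It follows the RFC 2617 `qop=auth` computation with the sample values from RFC 2617 section 3.5; the SHA-256 value is only an assumed stand-in for a directory that keeps some other one-way hash of the password.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def make_ha1(username: str, realm: str, password: str) -> str:
    """The 'Digest encrypted password': MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 request-digest for qop=auth; the password itself never travels."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(stored_secret: str, request: dict) -> bool:
    """Verifier side: recompute the response from what the directory holds."""
    expected = digest_response(stored_secret, request["method"], request["uri"],
                               request["nonce"], request["nc"], request["cnonce"])
    return hmac.compare_digest(expected, request["response"])

# Sample values from the example in RFC 2617 section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
CHALLENGE = {"method": "GET", "uri": "/dir/index.html",
             "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
             "nc": "00000001", "cnonce": "0a4f113b"}

def client_request(password: str) -> dict:
    """What the browser sends: challenge fields plus the computed response."""
    request = dict(CHALLENGE)
    request["response"] = digest_response(make_ha1(USER, REALM, password), **CHALLENGE)
    return request

def demo() -> dict:
    good = client_request(PASSWORD)
    stored_ha1 = make_ha1(USER, REALM, PASSWORD)        # directory stores HA1
    from_plaintext = make_ha1(USER, REALM, PASSWORD)    # directory stores plaintext
    # Assumed stand-in: directory holds only a different one-way hash.
    other_hash = hashlib.sha256(PASSWORD.encode("utf-8")).hexdigest()
    return {
        "stored_ha1": verify(stored_ha1, good),
        "stored_plaintext": verify(from_plaintext, good),
        "other_one_way_hash": verify(other_hash, good),
        "wrong_password": verify(stored_ha1, client_request("guess")),
    }

if __name__ == "__main__":
    print(demo())
```

Because HA1 includes the realm, changing the realm string invalidates every stored HA1 value.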