Luis Claudio Botelho - Chefe de Tecnologia e Redes wrote:
Hi Amos Jeffries,
Thank you for your cooperation.
So I used one of the links you sent to me. I configured the tests in shell scripts, and it's OK.
But when I put it into squid.conf, I can't authenticate. I tried, but it is still asking me for a user and password in the web browser.
These are my lines in squid.conf:
==============================================
auth_param digest realm squid-valencia
auth_param digest children 5
auth_param digest program /usr/lib/squid/digest_ldap_auth -b "ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -u "cn" -A "l" -D "cn=Proxy_User,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -w "123456" -e -v 3 -h 172.16.0.13 -d
==============================================
I think that it's right. And I don't know if my problem is now in another line:
==============================================
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=feinet,dc=fei,dc=edu,dc=br" -D "cn=proxy_user,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -w "123456" -f "(&(objectclass=person)(memberof=cn=%a,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br))" -h 172.16.0.13
==============================================
This external_acl_type works fine with basic, and I'm not sure that it's
the right way to use external_acl_type with digest authentication.
If you could help me once again, it would be very nice.
Sorry. I don't know LDAP myself. All I can do is post the links and hope
they are helpful.
Amos
Thank you again!
Regards,
Luis - FEI - Brazil
----- Original Message ----- From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
To: "Luis Claudio Botelho - Chefe de Tecnologia e Redes" <lbotelho@xxxxxxxxxx>
Cc: <squid-users@xxxxxxxxxxxxxxx>
Sent: Monday, February 18, 2008 8:26 PM
Subject: Re: Digest Authentication in Squid through LDAP in Windows 2003 DC
Hi,
Please, I need some help about Digest Authentication.
We made a new server in our enterprise, using "Fedora 7" (64 bits).
We have Squid 3 installed, and we need to authenticate our users in one of the DC's (Windows 2003 Server DC).
The problem:
We started configuring Squid with basic authentication; it worked fine, but we got the user's password through "Ethereal Software". This is a problem here, because we have a lot of students and teachers that we need to guarantee security to them and against them.
So we tried "digest authentication", and our problem started. Our tests failed, and we didn't find any documentation about how to implement "digest_ldap_auth" to check the username and password.
We don't know if our idea about digest authentication is right or wrong. We imagine that we can simply authenticate in "Windows 2003 Server DC" (as basic authentication does), without storing the user's password on the Linux server. Is that possible? If yes, where can I find instructions about how to use it?
If you can help us with this, and even if our idea about digest authentication between Squid and Windows 2003 Server is wrong, it would be very nice.
I would like to thank you for your time, and sorry for any inconvenience.
Regards,
There is a help how-to in the wiki
http://wiki.squid-cache.org/KnowledgeBase/Using_the_digest_LDAP_authetication_helper
There are also some other auth mechanisms that may be useful to you:
http://wiki.squid-cache.org/NegotiateAuthentication
http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM
Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
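
As an added example (not part of the thread and not Squid's code), this Python sketch of the RFC 2617 Digest computation shows why a verifier needs a stored H(A1) value for each user and realm, and cannot check the password against the directory the way Basic authentication can, since the cleartext password never reaches the proxy. The realm is the one from the squid.conf lines above; the user name, password, nonce and URI are constructed.

```python
import hashlib
import hmac

REALM = "squid-valencia"  # realm from the auth_param line in the thread


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """H(A1) = MD5(user:realm:password); bound to one realm, password-equivalent."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(stored_ha1: str, method: str, f: dict) -> bool:
    """Verifier side: recompute from the stored H(A1); no cleartext is available."""
    expected = digest_response(stored_ha1, method, f["uri"], f["nonce"],
                               f["nc"], f["cnonce"], f["qop"])
    return hmac.compare_digest(expected, f["response"])


def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    user, password = "jdoe", "constructed-password"
    f = {"uri": "http://example.com/", "nonce": "constructed-nonce-0001",
         "nc": "00000001", "cnonce": "f2a3b1c4", "qop": "auth"}
    # Client side: only this hash goes on the wire, never the password.
    f["response"] = digest_response(ha1(user, REALM, password), "GET",
                                    f["uri"], f["nonce"], f["nc"], f["cnonce"])
    return {
        # Stored H(A1) was built with the same realm the proxy announces.
        "matching_realm": verify(ha1(user, REALM, password), "GET", f),
        # Same password, but H(A1) stored under a different realm string.
        "other_realm": verify(ha1(user, "some-other-realm", password), "GET", f),
        # Wrong password in the stored value.
        "wrong_password": verify(ha1(user, REALM, "guess"), "GET", f),
    }


if __name__ == "__main__":
    print(demo())
```

Because H(A1) is enough to compute valid responses for its realm, the directory attribute that holds it needs the same protection as a password.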