
Re: Authorization via LDAP group


GIGO . wrote:
> Authorizing users via LDAP group:
>
> It is listed in the squid_ldap_group man page that using -D binddn -W
> secret file is to be preferred over -D binddn -w password. While it
> provides extra security than printing the password in plaintext
> inside squid.conf, doesn't this query itself go in clear text over the
> network? If this is a risk, how to handle this situation?


The reasoning goes that if the squid.conf gets compromised, then the password itself is secured in a sub-file which hopefully is harder to compromise.

It's very easy to compromise any content of squid.conf; the squid.conf may be posted here or elsewhere when asking for help, or the cachemgr password which allows access to a full squid.conf dump may be compromised.

Using the -W option means that the secret file is only read internally to the helper and used in the post-connection LDAP binding. It's up to you whether you configure the LDAP helper to use TLS and secure the wire or not.


> 2. Or perform this query over TLS? And how can it be done?


See the helper man page you already found for the relevant command line arguments. The server portion someone else will need to help with.


> 3. Allowing anonymous queries can also be configured in Active
> Directory; however, it does not look appropriate. Maybe it has no
> issues in the total private setup!

That's a problem you need to decide on. I agree it does look suspect to choose that if you want security.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.1
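
The points in the reply above, as an added example that is not part of the original message or of Squid: a small audit of squid.conf helper lines that flags an inline `-w` password, a `-W` secret file readable by group or others, and a helper line with no TLS. The sample lines, paths, DNs and password are constructed; `-Z` and an `ldaps://` URI are taken here as the helper's TLS switches, so confirm them against the man page of your installed version.

```python
import os
import shlex
import stat

# Constructed squid.conf lines (paths, DNs, hosts are made up; -b/-f trimmed).
SAMPLE_CONF = """\
external_acl_type grp_a %LOGIN /usr/lib/squid/squid_ldap_group -D "cn=squid,dc=example,dc=com" -w S3cret -h ldap.example.com
external_acl_type grp_b %LOGIN /usr/lib/squid/squid_ldap_group -D "cn=squid,dc=example,dc=com" -W /etc/squid/ldap.secret -Z -h ldap.example.com
"""

def audit_ldap_helper(conf_text, stat_fn=os.stat):
    """Return (line_no, finding) tuples for each squid_ldap_group helper line."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#") or "squid_ldap_group" not in line:
            continue
        tokens = shlex.split(line)
        # Keep only the helper's own arguments (everything after its path).
        start = next((i for i, t in enumerate(tokens)
                      if t.endswith("squid_ldap_group")), None)
        if start is None:
            continue
        opts = tokens[start + 1:]
        if "-w" in opts:
            findings.append((no, "bind password inline via -w; move it to a -W secret file"))
        if "-W" in opts and opts.index("-W") + 1 < len(opts):
            path = opts[opts.index("-W") + 1]
            try:
                mode = stat.S_IMODE(stat_fn(path).st_mode)
                if mode & (stat.S_IRWXG | stat.S_IRWXO):
                    findings.append((no, f"secret file {path} is mode {mode:o}; "
                                         "restrict it to the helper's user"))
            except OSError:
                findings.append((no, f"secret file {path} not found or unreadable"))
        # -W protects the config file, not the wire: the bind still needs TLS.
        uses_tls = "-Z" in opts or any(o.lower().startswith("ldaps://") for o in opts)
        if not uses_tls:
            findings.append((no, "no -Z or ldaps:// URI; bind and group queries "
                                 "are sent in clear text"))
    return findings

if __name__ == "__main__":
    for no, msg in audit_ldap_helper(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```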
