Wed 2011-12-28 at 14:33 +1300, Amos Jeffries wrote:

> Moving to the more secure auth methods usually requires a
> config setting in the LDAP to enable support for secure authentication
> tokens instead of a password. If you are lucky the LDAP server already
> has that turned on and you only need to add other authentication LDAP
> helpers to Squid.

To use Digest the LDAP tree needs to contain either

a) plain-text passwords, and allow the digest helper access to these (very bad from a security perspective), or

b) Digest auth hashes specifically hashed for your proxy server realm, and allow the Squid digest helper access to these. The needed password hash is the digest A1 hash, which is MD5(login ":" realm ":" password), where the realm is the realm configured on the proxy.

There are not many LDAP servers that fall into category 'a' above for obvious security reasons (but some do), and for 'b' you need to explicitly configure how the LDAP server stores passwords enabling digest hashing, and have each user change their password afterwards to allow the needed hash to be stored in LDAP.

Note: The Digest A1 MD5 hash is security sensitive. If you add this to your LDAP tree then also make sure the attribute is properly protected, only giving read access to Squid. As far as HTTP digest is concerned it is equivalent to the password.

Regards
Henrik