On 19/04/2012 8:38 p.m., Christoph Mitasch wrote:
> Hello,
> we have stored usernames and secure password hashes in a central
> OpenLDAP directory.
> We want to use Squid as a proxy for clients and require them to login
> using the central LDAP directory.
> This login should work over an encrypted connection since it's not an
> option to send the password unencrypted. Logging the username in the
> squid logs is also essential.
> Using a weak hashing algorithm like the digest authentication does,
> isn't a good option either.
> I found the following solution, but I'm not sure if that's a good way
> to go.
> http://www.mikealeonetti.com/wiki/index.php/Squid_LDAP_transparent_proxy_authentication_script
Not relevant. That is for session-based authorization on intercepted
traffic. It is not authentication, despite the author's use of the term.
The Basic auth protocol with its clear-text credentials is more secure.
> What can you recommend?
What is the backend you are using the LDAP protocol to access capable of?
Kerberos is the best you can get in the way of secure authentication these
days, despite the limits it imposes on HTTP performance.
Alternatively you can try using a TLS connection to secure the transport
between the web clients and Squid.
http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
Amos
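The combination Amos suggests, Basic authentication against OpenLDAP with the browser-to-Squid hop protected by TLS, as an added squid.conf example (not code from the thread or from the Squid project). The LDAP Basic helper binds to the directory as the user, so the directory checks the password against its own stored hash and Squid never sees the hash; that is why Basic with an LDAP bind works with hashed passwords while Digest, which needs the plaintext or the HA1 value, does not. The helper path, hostnames, ports, base DN, certificate paths, and the ACL and logformat names are assumptions; the helper is called basic_ldap_auth in Squid 3.2 and later (squid_ldap_auth in earlier releases).

```conf
# Added example, not from the thread. Paths, hosts, DNs and names are assumptions.

# Browser -> Squid over TLS (the "Encrypted browser-Squid connection" linked above),
# so the clear-text Basic credentials are never exposed on the wire.
https_port 3129 cert=/etc/squid/proxy.crt key=/etc/squid/proxy.key

# Basic auth backed by an LDAP bind: -ZZ forces StartTLS to the directory,
# -f builds the search filter from the supplied login name, and the bind as
# that user's DN is what actually verifies the password.
auth_param basic program /usr/lib/squid/basic_ldap_auth -b "ou=people,dc=example,dc=com" -f "(uid=%s)" -ZZ -v 3 -H ldap://ldap.example.com
auth_param basic children 5
auth_param basic realm Corporate proxy
auth_param basic credentialsttl 2 hours

# Refuse to serve anything until the client has authenticated.
acl ldap_users proxy_auth REQUIRED
http_access deny !ldap_users
http_access allow ldap_users
http_access deny all

# Record the authenticated user name (%un) in every access log line.
logformat squid_user %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<a %mt
access_log /var/log/squid/access.log squid_user
```

Two things to check after deploying: run the helper by hand (feed it `user password` on stdin and expect `OK`) to confirm the bind and StartTLS work before wiring it into Squid, and make sure the plain `http_port` is either removed or restricted to clients that cannot use the TLS port, otherwise credentials still travel in clear on that path.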