Search squid archive

Re: squid_ldap_auth windows 2008 binddn user privileges?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 5/07/2013 4:57 p.m., Beto Moreno wrote:
Hi.

I setup squid to authenticate with windows 2008R2 AD native using

squid_ldap_auth

My question is regarding of the user we use in the flag binddn, all
the docs I had read just tell:

"minimal privileges"

I create a normal user, but squid_ldap_auth reject the user:

squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'

But once I change the user to a domain admin, it works.

Them windows is asking for a user with a special rights, some could
clear my brain?

That user is *not* a normal account but the account the Squid helper uses to login to AD itself to lookup the clients credentials with - validating user:password and user:group pairs. That is the only task it does. The minimum necessary privileges for that one action and the user account to remain usable may be changed by the AD authors without warning between patches/servicepacks to AD, or you may be using one of the non-AD alternative software with entirely different configuration. Either way it is difficult to document properly thus the wording "minimal privileges" is a bit of a copout, but clear enough.

** It is important that they be _minimal_ priviliges on that user because they are left hanging around in plain-text form in your squid.conf and also the systems running-process listings which anyone can view.


Which doc did you read? the helper manual document as far back as I can find documents it with a line indicating the parameter usage followed by that "minimal associated privileges" notice.

Amos




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux