If I remove the NTLM and Kerberos authentication, is there a way to test the basic LDAP authentication in the script from the command line?

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amos Jeffries
Sent: Wednesday, January 13, 2016 11:05 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Testing Kerberos and LDAP connections

On 14/01/2016 4:36 a.m., dolson@xxxxxxxxx wrote:
> Is there a way to test the following lines from my squid.conf file to make sure the connections are working correctly?
>
> ### negotiate kerberos and ntlm authentication
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/lib/squid3/ntlm_smb_lm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=IHCRC --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
>
> ### pure ntlm authentication
> auth_param ntlm program /usr/lib/squid3/ntlm_smb_lm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=IHCRC
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
> ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "dc=ihcrc,dc=org" -D squid@xxxxxxxxx -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h srv-dataserver2.ihcrc.org
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute
>
> When I run them at the command lines, minus the statements from Children down, I just get a huge print out of some man pages. I'm trying to identify why I can't get AD authentication to work correctly on my Squid server, so I'm trying to test each area of the squid.conf file independently.
>

They do not work. The --* parameters you are passing to ntlm_smb_lm_auth are actually parameters for the Samba ntlm_auth helper.

If you need NTLM then you should install that Samba helper and use it instead.

FYI: ntlm_smb_lm_auth is the Squid bundled helper for doing SMB LanMan authentication. That's a form of auth for Microsoft Network (circa 1970-1980's) with terrible encryption. SMB LM crypto is so weak/bad that the Squid helper is actually decrypting it in realtime to extract the user:password and translating them into Basic auth queries against your AD servers. Ironically Basic auth is more secure.

*** Any software which works with this helper is *very* insecure.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
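
An added example, not part of the original thread and not Squid project code: a small Python check that scans squid.conf for `auth_param ... program` lines that run the bundled ntlm_smb_lm_auth LanMan helper and lists the `--` options passed to it, which is the mismatch Amos describes. The sample input is constructed from the lines quoted in the thread; the function name and the rule that every `--` argument to that helper is misplaced are assumptions drawn from his reply.

```python
import os
import shlex

# Constructed sample: the "program" lines quoted in the thread, one per line.
SAMPLE_CONF = '''\
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/lib/squid3/ntlm_smb_lm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=IHCRC --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param ntlm program /usr/lib/squid3/ntlm_smb_lm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=IHCRC
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "dc=ihcrc,dc=org" -D squid@xxxxxxxxx -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h srv-dataserver2.ihcrc.org
'''

LANMAN_HELPER = "ntlm_smb_lm_auth"
# Switches that belong to negotiate_wrapper itself and end a nested helper's arguments.
WRAPPER_SEPARATORS = {"--ntlm", "--kerberos"}


def lint_auth_params(conf_text):
    """Return (line_no, scheme, helper_path, misplaced_options) per LanMan helper use."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if len(tokens) < 4 or tokens[0] != "auth_param" or tokens[2] != "program":
            continue
        scheme, args = tokens[1], tokens[3:]
        for i, tok in enumerate(args):
            if os.path.basename(tok) != LANMAN_HELPER:
                continue
            misplaced = []
            for nxt in args[i + 1:]:
                if nxt in WRAPPER_SEPARATORS:
                    break  # the next nested helper starts here
                if nxt.startswith("--"):
                    misplaced.append(nxt)
            findings.append((line_no, scheme, tok, misplaced))
    return findings


if __name__ == "__main__":
    for line_no, scheme, helper, opts in lint_auth_params(SAMPLE_CONF):
        print(f"line {line_no}: {scheme} scheme runs LanMan helper {helper}")
        for opt in opts:
            print(f"    Samba ntlm_auth-style option passed to it: {opt}")
```
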