On 2/05/2016 6:39 p.m., Sampei wrote:
> I'm going to configure Squid 2.7 Stable3 to authenticate clients
> (Windows XP/7/10) in Active Directory environment (Windows 2000 server).

You have my most sincere condolences.

Squid-3.5 is available for Windows. See
<http://wiki.squid-cache.org/KnowledgeBase/Windows#Squid-3.5>. At least you can update that component.

That is assuming Squid is running on a Windows box at all. There is no need for it to do so. You might find it better to run Squid on a non-Windows machine with Samba integration to the AD server. There are socket limitations imposed by Windows that can make Squid peak service x10 slower than on any other OS.

>
> I used directive "auth_param basic program /usr/lib/squid/ldap_auth -v3
> ..." but I read basic authentication is extremely weak and it transmits
> user passwords as cleartext.

Let's put it this way. Clear text password in Basic authentication is slightly more secure today than the encrypted NTLM implemented in that Windows 2000 server you are using.

(And neither one is a good choice unless the transport itself is encrypted, i.e. TLS / HTTPS).

> How can I transmit encrypted credentials?
>

Microsoft AD LDAP interface requires Basic authentication with cleartext passwords. It is a limit imposed by the Microsoft implementation of AD. Nobody I'm aware of has ever been able to adequately explain why, but use of secure credentials was never implemented for their LDAP interface.

There are other AD interfaces than LDAP though, and they actually allow more secure credentials to be used. Look into Negotiate/Kerberos authentication. You will need that for the Win7 and Win10 clients anyway.

Amos
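
The switch from Basic/LDAP to Negotiate/Kerberos discussed above, as an added squid.conf sketch that is not part of the original message. The helper path, the host name proxy.example.com, the realm EXAMPLE.COM and the keytab setup are assumptions for a Squid 3.x install on a non-Windows host.

```conf
# Before (from the question): Basic scheme with the LDAP helper. The browser
# sends "Proxy-Authorization: Basic base64(user:password)" on every request.
# auth_param basic program /usr/lib/squid/ldap_auth -v3 ...

# After: Negotiate scheme with Kerberos tickets; no password reaches the proxy.
# Assumed: Squid 3.x helper path, proxy FQDN proxy.example.com, realm
# EXAMPLE.COM, and a keytab for that HTTP/ service principal made available
# to Squid through the KRB5_KTNAME environment variable.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Require authentication. Leave no "auth_param basic" lines configured,
# otherwise clients are still offered the cleartext scheme as well.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Clients have to be pointed at the proxy by its fully qualified name rather than its IP address, since the Kerberos ticket is requested for the HTTP/ principal of that name.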