Re: Introducing myself

From: Robert Collins <robertc@dont-contact.us>
Date: 06 Nov 2002 09:56:01 +1100

On Wed, 2002-11-06 at 02:13, Josef.Irnberger wrote:
> Hi Squid-developers,
>
> My name is Josef Irnberger and I am 23 years old.
>
> I study Telecommunicational Engineering at the University of Applied Sciences
> in Salzburg, Austria, and currently I am doing my Internship/Diploma Thesis at a
> large cd-manufacturing company in Salzburg.
>
> The topic of my Internship is "development of a ldap-based Single Sign-On
> solution". The connection to squid is that users should be allowed to surf the
> net based on their username/password (via ldap).
>
>
> Currently, I use Squid/3.0-DEVEL-20021021 and Simon Loader's ldap_auth program to
> achieve this. Ldap_auth currently uses ldap_simple_bind_s and I would like to
> write a program that is capable of authenticating users with SSL/TLS/DIGEST-MD5,
> but this doesn't make much sense at the moment, as SQUID uses
> plaintext/BASE64-encoding to transmit the username/password. Therefore I wanted
> to ask if there is any possibility to extend this to some secure method.
>
> If you see any chance that this can be done with a reasonable (small) amount of
> work, I'd like to offer you to implement this myself, but please take into
> account that I am _not_ an ubercoder (yet?).

Well, the digest authentication code uses MD5 to prevent password
sniffing (see src/auth/digest, and also RFC 2617). Another option that
may be of interest is implementing GSSAPI SPNEGO into Squid - an I-D
exists for this:

http://www.ietf.org/internet-drafts/draft-brezak-spnego-http-04.txt

Digest is supported by all modern browsers. 'negotiate' by all MS
browsers since 3.0.

Cheers,
Rob

Received on Tue Nov 05 2002 - 15:56:05 MST
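
The difference between the two schemes discussed in this thread, as an added example that is not part of the original messages and is not Squid's code: a Basic header decodes straight back to the password, while an RFC 2617 Digest response is an MD5 over the stored hash, the server nonce and the request. The function names are hypothetical; the sample values are those of the worked example in RFC 2617 section 3.5.

```python
import base64
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    # Basic: base64("user:password"), an encoding, not encryption.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def read_basic(header):
    # Anyone who can observe the header recovers the password directly.
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def ha1_for(user, realm, password):
    # HA1 is all the verifier needs to store; it is password-equivalent
    # for this realm, so the credential store still needs protecting.
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 3.2.2.1 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(stored_ha1, method, uri, nonce, nc, cnonce, response):
    # Server side: recompute from the stored HA1, compare in constant time.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    user, realm, pw = "Mufasa", "testrealm@host.com", "Circle Of Life"
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    print(read_basic(basic_header(user, pw)))
    ha1 = ha1_for(user, realm, pw)
    resp = digest_response(ha1, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
    print(resp)
    print(verify(ha1, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b", resp))
    # A captured response no longer verifies once the server issues a new nonce.
    print(verify(ha1, "GET", "/dir/index.html", "fresh-nonce", "00000001", "0a4f113b", resp))
```

Digest keeps the password off the wire but does not encrypt the traffic itself, so the requests and responses remain readable to an observer.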
