RE: [squid-users] digest auth and LDAP

From: Chris Perreault <Chris.Perreault@dont-contact.us>
Date: Wed, 21 Jul 2004 07:45:26 -0400

We do get to use SSL because we are in acceleration mode, as your linked
message points out. A recent post suggested stunnel, but when I read more
into that it looked like something that had to be set up on all the client
PCs. Henrik's suggestion is a good one. We are implementing squid to
replace an expensive software package with yearly fees associated with it. I
scoured this list, the web, got a fairly good understanding of what was
going on with squid but still couldn't complete our configuration. We paid
$1000 US for some assistance and are still way ahead of the game. We now
have an authentication issue, and need something that squid doesn't do out of
the box. The consultant we are working with says others have shown an
interest in this too, that what we want to do stands a good chance of being
useful enough to be added to squid3. For the 8-16 hrs worth of work quoted to
us the price is right and it benefits all. I work for a good sized company,
so getting the OK for things like this isn't that hard. It depends on your
company's willingness to spend a little money for security, but you may find
the price is fairly cheap to get digest working for you. Of course it might
be $100,000 too, but you won't know until you ask :)

To answer your question, in our case the client connects to squid via ssl
(accelerated mode). Squid uses BA to LDAP and then proxies to the origin
back end web servers. The only way the passwords could be obtained is
hacking into the ldap directory or putting a sniffer on the network segment
that is in the server room.

Chris Perreault

-----Original Message-----
From: Ronny Haryanto [mailto:ronnylist@haryan.to]
Sent: Tuesday, July 20, 2004 9:28 PM
To: squid-users@squid-cache.org
Subject: [squid-users] digest auth and LDAP

Hi all,

So I found this post from Henrik Nordstrom:
http://www.squid-cache.org/mail-archive/squid-users/200212/0005.html
and I quote: "On what format is the passwords stored in your LDAP directory?
Plain text or encrypted? If plain text then it is possible writing a secure
channel between Squid and your LDAP server to allow Digest authentication to
work. If the password is stored in your LDAP directory using SSHA or another
strong hashing scheme then integration of Digest authentication is not
mathematically possible."

Basically I don't want the auth information (login+password) flying around
in cleartext. So my options come down to using digest auth or an SSL connection
to the proxy. But after reading the post above I don't think I can use digest
auth, because I don't want passwords to be stored (in LDAP) in cleartext
either, and I don't know if there are any browsers out there that talk SSL
to the proxy for non-SSL proxied requests. Even if there is one, I don't think my
users would be very happy if we force them to use just one particular brand
of browser, but if there is any I'd like to know anyway.

Is there any other alternative for secure auth? Any suggestions?

Surely there must be some people here that are using LDAP auth, what do you
do in this case? Do you just leave it cleartext?

Thank you in advance for your time and attention.

Ronny
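The following Python is an added example, not code from this thread or from Squid, that shows the arithmetic behind Henrik's statement quoted above and behind the Basic-over-SSL setup Chris describes. A Digest backend can only verify a client response if it holds HA1 = MD5(user:realm:password) (or the plaintext from which HA1 can be computed), whereas a Basic backend receives the plaintext on each request and can therefore check it against a salted {SSHA} userPassword. The user name, realm, password, nonce and salt are constructed sample values.

```python
import base64
import hashlib
import os

# Constructed sample values; none of these come from the mailing-list thread.
USER = "alice"
REALM = "squid-proxy"          # hypothetical Digest realm
PASSWORD = "correct horse"
METHOD, URI = "GET", "/index.html"


def digest_ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(user:realm:password).  This is the secret a Digest
    backend must hold; the client never sends the password itself."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def client_digest(user, realm, password, method, uri, nonce) -> str:
    """What the browser computes: it has the plaintext, derives HA1, then the response."""
    return digest_response(digest_ha1(user, realm, password), method, uri, nonce)


def verify_digest_with_ha1(stored_ha1: str, method, uri, nonce, response) -> bool:
    """Digest backend that stores HA1 per (user, realm): recomputes and compares.
    Note that HA1 is bound to the realm, so one stored value serves one realm only."""
    return digest_response(stored_ha1, method, uri, nonce) == response


def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} userPassword: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_basic_with_ssha(stored: str, password: str) -> bool:
    """Basic backend: the proxy received the plaintext (over SSL, in accelerator
    mode), so it can re-run the salted SHA1 and compare.  A Digest backend has no
    plaintext and no HA1 here, so there is nothing it could compare against."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def new_nonce() -> str:
    """Server-side nonce for a Digest challenge (random, single use in practice)."""
    return os.urandom(16).hex()


if __name__ == "__main__":
    nonce = new_nonce()
    resp = client_digest(USER, REALM, PASSWORD, METHOD, URI, nonce)
    print("digest ok with stored HA1:",
          verify_digest_with_ha1(digest_ha1(USER, REALM, PASSWORD), METHOD, URI, nonce, resp))
    record = ssha_hash(PASSWORD, os.urandom(4))
    print("basic ok with stored {SSHA}:", verify_basic_with_ssha(record, PASSWORD))
```

The two verifiers make the trade-off concrete: storing HA1 lets the directory keep nothing reversible to the password while Digest still works, but the record is realm-specific and MD5-based; storing {SSHA} keeps a stronger hash but forces the proxy to see the plaintext on every request, which is why the reply above relies on SSL between browser and proxy and on physical protection of the proxy-to-LDAP segment.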
Received on Wed Jul 21 2004 - 05:46:34 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Aug 01 2004 - 12:00:02 MDT