[squid-users] Encrypted authentication and LDAP.

From: Jean-Michel Bonnefond <bon@dont-contact.us>
Date: Tue, 24 Aug 2004 17:57:25 +0200

Hi all,

I would like to secure all the authentication traffic between the final client
and an LDAP Active Directory server via squid.

After a lot of research in the list archive and other sources, it appears that
(tell me if I'm wrong):

-Use of LDAPS is now supported in squid, starting from version 2.5 Stable5,
which should resolve the encryption problem between squid and Active
Directory.

-The Digest authentication method between client and squid server can't
be used simultaneously with another authentication scheme like LDAPS.

The solutions that have been proposed are:

-Using stunnel (or a similar program) to encrypt traffic between client and
squid and then use the LDAPS auth method between squid and ADS. This implies
installing software on every client, which is not really a possible solution for me.

-I've seen that someone used squid reverse proxy/acceleration mode to encrypt
all the traffic between client and squid server (including authentication)
and then use mod_auth LDAP over a secure channel, but I'm not sure this is
possible?! Can squid really run as a cache server for all the web content
(whether HTTP or HTTPS) and encrypt all the traffic between client and
squid with SSL?

-Henrik Nordstrom suggests that it might be possible to write a secure channel
between Squid and an LDAPS server to allow Digest authentication to work, if
the passwords are stored in cleartext in the ADS (or if at least there is a
known copy of the clear password somewhere on the squid server), but I don't
have any idea of how this can be implemented. Plus, I know that the passwords
are encrypted in the company directory, which seems to make the task harder.

So any suggestion about how I can have encrypted authentication traffic
between client and squid and then use LDAPS to an ADS would be greatly
appreciated :)

Jean-Michel.
Received on Tue Aug 24 2004 - 09:57:29 MDT
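To make the constraint behind Henrik's suggestion concrete, here is an added example (constructed for this archive page, not code from the poster, from Squid, or from the thread) of the arithmetic a Digest authentication helper has to perform. The proxy can only check a Digest response if it can reproduce HA1 = MD5(user:realm:password), so it needs either the cleartext password or a stored per-realm HA1 on the squid host; a directory that will only answer a bind over LDAPS cannot supply that value. The helper line format `"username":"realm"` with an HA1 hex string or `ERR` as the reply, the in-memory `PASSWORDS` store, and the user names are assumptions made for the example, and nothing here talks to LDAP at all.

```python
"""Toy Digest-style helper and verifier (constructed example, not Squid's own code).

Assumptions (labelled): the proxy hands the helper one line per request of the
form  "username":"realm"  and expects either the 32-hex-character HA1 on
success or ERR on failure.  The password store is an in-memory dict standing
in for a file kept on the proxy host.
"""
import hashlib
import hmac
import re
import sys

# Constructed sample store: this is the "known copy of the password on the
# squid server" the thread talks about.  Storing HA1 per realm instead of the
# cleartext would serve Digest equally well and avoids keeping the password.
PASSWORDS = {"alice": "secret", "bob": "hunter2"}  # hypothetical users

REQ_RE = re.compile(r'^"([^"]*)":"([^"]*)"$')


def md5_hex(s: str) -> str:
    """Hex MD5 of a string; Digest (RFC 2617) is defined over MD5."""
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(user:realm:password); note it depends on the realm."""
    return md5_hex(f"{user}:{realm}:{password}")


def handle_request(line: str, store=PASSWORDS) -> str:
    """Answer one helper request line with HA1 hex, or ERR if unknown/malformed."""
    m = REQ_RE.match(line.strip())
    if not m:
        return "ERR"
    user, realm = m.groups()
    pw = store.get(user)
    if pw is None:
        return "ERR"
    return ha1(user, realm, pw)


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).

    The client computes this from the password; the proxy recomputes it from
    HA1 alone, which is why the proxy never needs to see the password itself.
    """
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def verify(user: str, realm: str, method: str, uri: str, nonce: str,
           response: str, store=PASSWORDS) -> bool:
    """Proxy-side check: rebuild the expected response via the helper and compare."""
    expected_ha1 = handle_request(f'"{user}":"{realm}"', store)
    if expected_ha1 == "ERR":
        return False
    expected = digest_response(expected_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


def main() -> None:
    """Helper loop: one request line in on stdin, one reply line out on stdout."""
    for line in sys.stdin:
        print(handle_request(line), flush=True)


if __name__ == "__main__":
    main()
```

Run it with a line such as `"alice":"Proxy"` on stdin to see the HA1 the proxy would use; feed an unknown user or a bare bind-style `user:password` line and it replies `ERR`, which is the situation the poster is in when the directory holds only encrypted passwords.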