[squid-users] Re: Squid LDAP Digest

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 16 Nov 2005 20:15:38 +0100 (CET)

On Wed, 16 Nov 2005, Winfried Kuiper wrote:

> from http://www.squid-cache.org/mail-archive/squid-dev/200506/0031.html
> I know, there is a new digest authentication helper with ldap extension.

Yes.

> So, is it now possible to make a secure
> communication between both,
> a) client-squidserver
> and
> b) squidserver-ldapserver?

Sort of.

> We want to use a secure authentication (I like digest more than NTLM)
> at the squid proxy server for our students over WLAN. The proxy server
> then should be able to talk on a secure way to the Windows LDAP Server.

Only works if you are willing to add a Digest HA1 attribute to each user
having the Digest hashed password, or if you manage to provide Squid
access to the plain text passwords stored in the directory. Neither is
normally there in an ADS tree.

> But I don't like this solution, because I have to join the ADS tree.
> There are often problems in the ADS tree and I don't want to become
> a member of it.

Your choice.

> Is the authentication helper found under
> http://www.squid-cache.org/cgi-bin/cvsweb.cgi/squid3/helpers/digest_auth/password/
> the solution for my problem?

It is the helper you speak of above.

But it does NOT allow Digest authentication to the Windows ADS passwords.

> Do you know another solution for me?

My recommendation at the moment is to go for NTLM.

> Can I use it with squid-2.5.STABLE6-6.15?

Yes, if you trust the Digest implementation there.

> Where can I find more documentation for your new digest authentication
> helper?

There is a man page included in the distribution, documenting most
options.

But you have to remember that this helper requires either

   a) Access to plain-text stored passwords
or
   b) Access to pre-hashed Digest HA1 hashes of the users' passwords.

Neither is normally stored in ADS.

It is possible to configure ADS to store "Reversibly encrypted" passwords,
which is a requirement for Microsoft's Digest implementation. This however
cannot be used by Squid at this time due to lack of information from
Microsoft on how to integrate Digest with ADS in a sensible manner.

> Do you know a good book about squid and authentication helper?

The Squid book has some information. Not very much on Digest however.

Regards
Henrik
Received on Wed Nov 16 2005 - 12:15:43 MST
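The reason Henrik gives above (the helper needs either the plain-text password or a pre-hashed HA1, and a conventional one-way password hash such as the one ADS keeps is no use) follows directly from how RFC 2617 Digest is computed. The following is an added illustration, not code from the Squid helper or from this thread: it computes HA1 = MD5(username:realm:password) and the client response, then verifies a request against a directory that stores only HA1 per (user, realm). The in-memory "directory" and the `verify_digest` helper are assumptions made for the example; the check values come from the worked example in RFC 2617 section 3.5.

```python
"""Digest (RFC 2617, MD5, qop=auth) verification using only a stored HA1.

Added example for the squid-users thread on Digest + LDAP; not Squid code.
It shows why a Digest helper needs HA1 (or the plain-text password) and
cannot work from an ordinary one-way password hash in the directory.
"""
import hashlib
import hmac


def md5_hex(text: str) -> str:
    """MD5 of a UTF-8 string as lowercase hex, as Digest-MD5 uses it."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password).

    This is the value a directory would have to store per user *and realm*
    for a helper to verify Digest without ever seeing the password. Note that
    HA1 is password-equivalent for that realm: whoever holds it can answer
    any Digest challenge for that realm, so it must be protected like a
    plain-text password.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client-side response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(ha1_store: dict, username: str, realm: str, method: str,
                  uri: str, nonce: str, nc: str, cnonce: str,
                  response: str) -> bool:
    """Server-side check given only the stored HA1 (assumed helper, not Squid's).

    The server recomputes the expected response from the stored HA1 and the
    challenge parameters. It never needs the password itself, but it cannot
    derive HA1 from an unrelated one-way hash either, which is exactly the
    gap described in the thread for an ADS tree.
    """
    ha1 = ha1_store.get((username, realm))
    if ha1 is None:
        return False  # no HA1 provisioned for this user/realm pair
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    # constant-time comparison to avoid leaking how many bytes matched
    return hmac.compare_digest(expected, response)


# Constructed directory: the only secret material is HA1, keyed by realm.
# Values are the RFC 2617 section 3.5 worked example.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
HA1_STORE = {(USER, REALM): digest_ha1(USER, REALM, PASSWORD)}

# Constructed challenge/request parameters, also from the RFC example.
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
NC = "00000001"
URI = "/dir/index.html"


def demo() -> dict:
    """Run the three cases a practitioner would want to see."""
    good = digest_response(HA1_STORE[(USER, REALM)], "GET", URI, NONCE, NC, CNONCE)
    return {
        # stored HA1 alone is enough to verify a correct response
        "verifies_with_ha1_only": verify_digest(
            HA1_STORE, USER, REALM, "GET", URI, NONCE, NC, CNONCE, good),
        # a response built from the wrong password is rejected
        "rejects_wrong_password": verify_digest(
            HA1_STORE, USER, REALM, "GET", URI, NONCE, NC, CNONCE,
            digest_response(digest_ha1(USER, REALM, "not the password"),
                            "GET", URI, NONCE, NC, CNONCE)),
        # HA1 is realm-bound: an HA1 provisioned for another realm is useless
        "rejects_other_realm": verify_digest(
            HA1_STORE, USER, "other-realm", "GET", URI, NONCE, NC, CNONCE, good),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The realm-bound case is the operational consequence for an LDAP deployment: the HA1 attribute has to be generated for the exact realm Squid advertises, and regenerated (from the plain-text password) whenever that realm or the password changes, which is why a helper cannot bootstrap itself from a directory that only holds one-way hashes.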

This archive was generated by hypermail pre-2.1.9 : Thu Dec 01 2005 - 12:00:09 MST