Re: [squid-users] SSL or digest & LDAP

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Wed, 09 Aug 2006 17:01:58 +0200

On Wed, 2006-08-09 at 18:04 +0400, Vladimir wrote:

> While searching squid mail archive, I understood that client
> authentication with SSL encryption is not possible for now, because
> browsers still don't support this function

correct

> and it is impossible to
> connect LDAP server via "squid_ldap_auth" or "squid_ldap_group" using
> digest user authentication too.

squid_ldap_group works fine, but it relies on authentication being
already done.

in 2.6 there is a helper allowing you to store the Digest hashes (or
plain text passwords) in your LDAP directory for Squid to use when
validating the Digest credentials. But it requires custom Digest
password hash attributes or plain text passwords to be added to the LDAP
directory.

There still is not any means of using Digest authentication connecting
to an LDAP directory without explicit Digest password hashes, and I doubt
this will ever be possible due to technical restrictions.

What may be possible in future is to use RADIUS with Digest support to
validate the Digest authentication. But some changes are needed in Squid
before this can happen (in addition to having a RADIUS server supporting
Digest authentication).

So for now, LDAP storing Digest password hashes (or plain text
passwords) is the best option for large scale Digest authentication.

For small scale setups a local Digest password file (either plaintext or
hashed) works.

Regards
Henrik
Received on Wed Aug 09 2006 - 09:01:39 MDT
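
Added example, not part of the original message and not Squid's helper code: a minimal RFC 2617 (qop=auth) check showing why the directory has to hold the Digest hash (HA1) or the plain text password, and why an ordinary salted LDAP password hash cannot validate a Digest response. The user, realm, nonce and salt values are constructed, and the salted SHA-1 format is an assumption about what a directory typically stores.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user, realm, password):
    # RFC 2617 HA1: the per-user value the directory has to hold for Digest.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 request-digest for qop=auth; the password itself never appears.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(stored_ha1, method, fields):
    # Proxy side: recompute the response from the stored HA1 and compare.
    expected = digest_response(stored_ha1, method, fields["uri"],
                               fields["nonce"], fields["nc"], fields["cnonce"])
    return hmac.compare_digest(expected, fields["response"])

def ssha_hex(password, salt):
    # Salted SHA-1 as commonly kept in LDAP userPassword (assumed here).
    return hashlib.sha1(password.encode("utf-8") + salt).hexdigest()

def demo():
    # Constructed sample values, not taken from the post.
    user, realm, password = "alice", "proxy.example", "s3cret"
    fields = {"uri": "http://www.example.com/", "nonce": "a1b2c3d4e5f6",
              "nc": "00000001", "cnonce": "0f1e2d3c"}
    fields["response"] = digest_response(ha1(user, realm, password), "GET",
                                         fields["uri"], fields["nonce"],
                                         fields["nc"], fields["cnonce"])
    with_ha1 = verify(ha1(user, realm, password), "GET", fields)
    # A salted password hash is not HA1 and HA1 cannot be derived from it,
    # so a directory holding only this value cannot validate the response.
    with_ssha = verify(ssha_hex(password, b"\x01\x02\x03\x04"), "GET", fields)
    wrong_pw = verify(ha1(user, realm, "guess"), "GET", fields)
    return with_ha1, with_ssha, wrong_pw

if __name__ == "__main__":
    print(demo())
```

Because the client only ever sends the response value, a simple LDAP bind with the user's password is not an option for the proxy, and the stored HA1 is password-equivalent for that realm, so the attribute holding it needs the same access control as a plain text password.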
