Re: [squid-users] Secure communication between browser and squid (but no plaintext)

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Fri, 08 Dec 2006 00:20:18 +0100

On Thu 2006-12-07 at 17:10 +0100, kemiche.carceller@free.fr wrote:

> I'm trying to set up a squid proxy with a secure LDAP authentication (secure
> communication between browser (firefox) and squid also).

Difficult, as neither MSIE nor Firefox supports SSL-encrypted proxy
connections.

> My LDAP server stores passwords in MD5 scheme for the moment, and will store
> passwords in sha1 scheme in a few weeks.
> I'm using squid 2.6 STABLE 5-1 and openldap 2.3.27-4 on Fedora core 6.

I would recommend you to investigate using Digest authentication.
Requires the passwords to be stored in a Digest hash in addition to the
MD5/SHA1 system logon hashes.

> I tried to use the digest_ldap_auth helper, but I understood that it was working
> only with plaintext passwords stored in LDAP server. I saw that it was possible
> to use digest_ldap_auth with HHA1 LDAP password.

Correct. You need either plain text or Digest HHA1 hashes.

> Is there any solution to use digest_ldap_auth with MD5 or SHA1 ldap password, or
> is there any other solution to secure communications between browser and squid
> (no plaintext passwords ?)

You could use ssltunnel or another SSL wrapper on the clients to wrap
the proxy connections in SSL before they are sent to Squid, while
waiting for the browsers to support encrypted proxy connections.

Or reinvestigate the use of Digest.

Regards
Henrik

Received on Thu Dec 07 2006 - 16:20:24 MST
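The following is an added example illustrating the Digest point Henrik makes above; it is not code from the thread, from Squid, or from the digest_ldap_auth helper. It assumes that the "HHA1" value the helper reads from LDAP is the RFC 2617 HA1 hash, MD5(username:realm:password), and the realm, credentials, nonce and header below are all constructed for the example. The proxy side needs only that stored HA1 to verify a browser's Digest response, which is why a {MD5} or {SHA} system logon hash (a hash of the bare password, without username and realm) cannot be reused for it.

```python
import hashlib
import hmac
import re

# Constructed sample data for the example; nothing here comes from a real deployment.
REALM = "Squid proxy"
USERNAME = "alice"
PASSWORD = "correct horse"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
NC = "00000001"
URI = "http://www.example.com/"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password).

    This is the value to provision into LDAP next to the MD5/SHA1 system
    hash. The realm is baked in, so it cannot be derived from a system hash
    and must be regenerated from the plaintext password if the realm changes.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """Response value for qop=auth, which is what current browsers send."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_proxy_authorization(username: str, realm: str, password: str,
                              method: str, uri: str, nonce: str,
                              nc: str, cnonce: str) -> str:
    """What the browser sends: it is the only party that ever sees the password."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'qop=auth, nc=%s, cnonce="%s", response="%s"'
            % (username, realm, nonce, uri, nc, cnonce, resp))


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted and bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {k: q if q else u for k, q, u in pairs}


def verify_from_ha1(stored_ha1: str, method: str, header: str, expected_realm: str) -> bool:
    """Proxy-side check using only the stored HA1; the plaintext is never needed."""
    p = parse_digest_header(header)
    if p.get("realm") != expected_realm or p.get("qop") != "auth":
        return False
    expected = digest_response(stored_ha1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    # constant-time compare so the response check does not leak by timing
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    stored = ha1(USERNAME, REALM, PASSWORD)       # provisioned into LDAP once
    hdr = build_proxy_authorization(USERNAME, REALM, PASSWORD, "GET", URI, NONCE, NC, CNONCE)
    print("HA1 to store:", stored)
    print("valid response:", verify_from_ha1(stored, "GET", hdr, REALM))
```

Note that the nonce, nc and cnonce are all mixed into the response, so a captured Proxy-Authorization header is not replayable once the proxy stops accepting that nonce; the stored HA1, however, is password-equivalent for this realm and must be protected in LDAP as carefully as the plaintext would be.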