Re: [squid-users] Squid3 Samba3 PDC Authentication via LDAP -- help

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Thu, 14 Jun 2007 14:46:54 +0200

Thu 2007-06-14 at 12:00 +0200, Etienne Pretorius wrote:
>
> So I assume that I can use this helper to see if I can authenticate in a
> plain-text way from the returned attribute value.

You might, IF the LDAP has the plain-text password stored, and
squid_digest_auth is allowed to retrieve this.

> As the other helpers seem to expect "bind" privileges to the LDAP
> server - something I am avoiding

squid_ldap_auth can operate in both modes.

> in
> my opinion a little privilege to any authentication scheme could lead to
> a hack of some sort in the future.

???

> Yes, I was trying to do a plain-text by entering my hashed password
> myself to see if it worked.

Then you should use squid_ldap_auth..

> [root@apollo:~] ldapsearch -b
> # etiennep, People, domain.co.za
> dn: uid=etiennep,ou=People,dc=domain,dc=co,dc=za
> objectClass: posixAccount
> sambaNTPassword: 83152D7BEBBCA0BF0E5E170005097A69

Translates to

squid_ldap_auth -b "ou=People,dc=domain,dc=co,dc=za" -u "uid" -U sambaNTPassword -h ldap_server

if you want squid_ldap_auth to compare the password to the
sambaNTPassword attribute.

> As you can see I am able to do an anonymous bind and query the entry
> directly. I get the value for the attribute, but am I entering it
> correctly in the helper?

Not for the Digest auth helper. But it's correct for the Basic auth
helper.

> There is so little documentation on how to
> debug these issues....

squid_ldap_auth has a debug flag, making it tell you a bit of what it's
doing and how..

Regards
Henrik

Received on Thu Jun 14 2007 - 06:47:04 MDT
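
Added example, not part of the original message or of Squid: a small Python driver for testing a Basic auth helper by hand, outside Squid. It assumes the Basic helper line protocol (one "username password" line in, a reply line starting with OK or ERR out); check_credentials is a hypothetical name, and STUB_HELPER is a constructed stand-in that mimics compare mode so the block runs offline.

```python
import subprocess
import sys

# Constructed stand-in for a Basic auth helper in compare mode (not squid_ldap_auth
# itself): replies OK only when the typed password equals the stored attribute value.
STUB_HELPER = [
    sys.executable, "-u", "-c",
    "import sys\n"
    "stored = {'etiennep': '83152D7BEBBCA0BF0E5E170005097A69'}\n"
    "for line in sys.stdin:\n"
    "    user, _, pw = line.rstrip('\\n').partition(' ')\n"
    "    print('OK' if stored.get(user) == pw else 'ERR', flush=True)\n",
]

# To test the real helper, pass its argv instead, e.g. the command from the message
# plus -d (squid_ldap_auth's debug switch):
# ["squid_ldap_auth", "-d", "-b", "ou=People,dc=domain,dc=co,dc=za",
#  "-u", "uid", "-U", "sambaNTPassword", "-h", "ldap_server"]


def check_credentials(helper_argv, pairs, timeout=10):
    """Send each (user, password) to the helper; return {(user, password): bool}."""
    proc = subprocess.Popen(helper_argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True, bufsize=1)
    results = {}
    try:
        for user, password in pairs:
            # One request per line; the first space separates user from password.
            if " " in user or "\n" in user + password:
                raise ValueError("user/password would break the line protocol")
            proc.stdin.write(f"{user} {password}\n")
            proc.stdin.flush()
            reply = proc.stdout.readline().strip()
            # Anything other than a leading OK (ERR, empty line on exit) is a failure.
            results[(user, password)] = reply.split(" ", 1)[0] == "OK"
    finally:
        proc.stdin.close()
        proc.stdout.close()
        proc.wait(timeout=timeout)
    return results


if __name__ == "__main__":
    sample = [("etiennep", "83152D7BEBBCA0BF0E5E170005097A69"),  # attribute value
              ("etiennep", "some-plain-password"),               # constructed
              ("nobody", "x")]                                   # constructed
    for (user, pw), ok in check_credentials(STUB_HELPER, sample).items():
        print(f"{user:10} {pw:34} -> {'OK' if ok else 'ERR'}")
```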
