Re: [squid-users] Digest Authentication in Squid through LDAP in Windows 2003 DC

From: Chris Robertson <crobertson@dont-contact.us>
Date: Mon, 18 Feb 2008 14:04:36 -0900

Luis Claudio Botelho - Chefe de Tecnologia e Redes wrote:
> Hi,
>
> Please, I need some help with Digest Authentication.
> We made a new server in our enterprise, using "Fedora 7" (64 bits).
> We have Squid 3 installed, and we need to authenticate our users in one of
> the DC's (Windows 2003 Server DC).
> The problem:
> We started configuring Squid with basic authentication; it worked fine, but
> we got the user's password through "Ethereal Software". This is a problem
> here, because we have a lot of students and teachers that we need to
> guarantee security to them and against them.
> So we tried "digest authentication", and our problem started. Our tests
> failed, and we didn't find any documentation about how to implement
> "digest_ldap_auth" to check the username and password.

Effectively you need to either store the Digest encrypted password, or
the plain text password on the LDAP server. It's a fine solution if you
use it from the start, but a bit of a pain to retrofit.

> We don't know if our idea about digest authentication is right or wrong. We
> imagine that we can simply authenticate in "Windows 2003 Server DC" (as
> basic authentication does), without storing the user's password on the
> Linux server. Is that possible? If yes, where can I find instructions about
> how to use it?
> If you can help us with this, and even if our idea about digest
> authentication between Squid and Windows 2003 Server is wrong, it would be
> very nice.
> I would like to thank you for your time, and sorry for any inconvenience.

Given you have an Active Directory domain, you might be better served
authenticating directly against it:

http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM

Fedora 7 should come with a nifty utility called "authconfig", which
might eliminate much (but not all) of the text file fiddling that the
example requires.

>
> Regards,
>
> ________________________________
> Luis Claudio Botelho
> Chefe de Tecnologia e Redes
> Coordenadoria Geral de Informática
> Centro Universitário da FEI
> São Bernardo do Campo - SP
> 4353-2900 ramal 2117
>
> "The great secret of life is to spend it in something that endures
> more than itself"
> "In the box was written: Windows NT, 2000 or better. So I installed
> Linux"
> "Knowing is not enough, we must apply. Willing is not enough, we must
> do."
>

As a disclaimer, I have not used NTLM authentication with Squid, but I
have a CentOS 4 install that allows Cyrus-IMAPd to authenticate against ADS.

Chris
Received on Mon Feb 18 2008 - 16:04:56 MST

This archive was generated by hypermail pre-2.1.9 : Sat Mar 01 2008 - 12:00:05 MST
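The point Chris makes above (that Digest authentication only works if the proxy side holds either the plaintext password or the Digest-ready hash, so a DC that keeps neither cannot be used as-is) follows directly from how the RFC 2617 Digest response is computed. The script below is an added example, not code from this thread or from Squid's digest_ldap_auth helper. It models the arithmetic a Digest-verifying proxy must perform, contrasts it with what Basic authentication puts on the wire (which is why Ethereal showed the password), and shows that a directory entry holding only some other one-way hash cannot be verified. The realm name, the sample user/password and the `stored` dictionaries standing in for LDAP entries are all constructed for illustration.

```python
"""Why a Digest-authenticating proxy needs HA1 or the plaintext on its side.

Added example, not code from the squid-users thread or from Squid itself.
It implements the RFC 2617 Digest computation (qop=auth) that any verifier,
Squid's digest_ldap_auth helper included, has to be able to perform, plus
the Basic scheme for comparison.  REALM, users, passwords and the `stored`
dicts that stand in for LDAP entries are constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets

REALM = "Squid proxy"  # assumption: whatever `auth_param digest realm` is set to


def md5_hex(data: str) -> str:
    # RFC 2617 Digest is defined over MD5; that is the protocol's choice, not ours.
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password).

    This is the only secret the proxy needs, so it can be stored instead of
    the plaintext.  It is bound to one realm: change the realm and every
    stored HA1 becomes useless, which is the retrofit pain Chris mentions.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username: str, password: str, method: str, uri: str,
                         nonce: str, nc: str = "00000001") -> dict:
    """What a browser sends in Proxy-Authorization after a 407 challenge.

    The password is used locally to derive HA1 and never appears in the
    fields that go on the wire.
    """
    cnonce = secrets.token_hex(8)
    return {
        "username": username, "realm": REALM, "nonce": nonce, "uri": uri,
        "nc": nc, "cnonce": cnonce, "qop": "auth",
        "response": digest_response(ha1(username, REALM, password),
                                    method, uri, nonce, nc, cnonce),
    }


def proxy_verify(stored: dict, authz: dict, method: str, issued_nonce: str) -> bool:
    """Proxy-side check against a user's directory entry.

    `stored` is {"ha1": ...} or {"password": ...}.  Anything else (for
    example only the one-way hash a Windows DC keeps for the account) cannot
    be turned into HA1, so the response cannot be checked at all.
    """
    if authz.get("realm") != REALM or authz.get("nonce") != issued_nonce:
        return False  # foreign realm, or a nonce we never issued (replay)
    if "ha1" in stored:
        secret = stored["ha1"]
    elif "password" in stored:
        secret = ha1(authz["username"], REALM, stored["password"])
    else:
        return False  # nothing from which HA1 can be recomputed
    expected = digest_response(secret, method, authz["uri"], authz["nonce"],
                               authz["nc"], authz["cnonce"], authz["qop"])
    return hmac.compare_digest(expected, authz["response"])


def basic_header(username: str, password: str) -> str:
    """Basic auth: base64 is an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def recover_basic(header: str) -> tuple:
    """What a packet sniffer recovers from a Basic Proxy-Authorization header."""
    user, _, pw = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, pw


def password_on_wire(message, password: str) -> bool:
    """True if the literal password appears in what the client transmits."""
    return password in str(message)


if __name__ == "__main__":
    nonce = secrets.token_hex(16)
    authz = client_authorization("alice", "s3cret", "GET", "http://example.org/", nonce)
    print("digest, directory stores HA1      :",
          proxy_verify({"ha1": ha1("alice", REALM, "s3cret")}, authz, "GET", nonce))
    print("digest, directory stores plaintext:",
          proxy_verify({"password": "s3cret"}, authz, "GET", nonce))
    print("digest, only an unrelated hash    :",
          proxy_verify({"some_other_hash": "..."}, authz, "GET", nonce))
    print("password visible on wire (digest) :", password_on_wire(authz, "s3cret"))
    print("recovered from Basic header       :",
          recover_basic(basic_header("alice", "s3cret")))
```

Two caveats a practitioner should keep in mind: HA1 is a password-equivalent for that realm, so an LDAP attribute holding it needs the same access controls as a plaintext password, and Digest still rests on MD5, so it hides the password from a sniffer but is not a substitute for TLS. The exact attribute name and encoding digest_ldap_auth expects are documented in the helper's own man page rather than assumed here.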