Re: [squid-users] Digest Authentication in Squid through LDAP in Windows 2003 DC

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 20 Feb 2008 23:02:06 +1300

Luis Claudio Botelho - Chefe de Tecnologia e Redes wrote:
> Hi Amos Jeffries,
> Thank you for your cooperation.
>
> So I used one of the links you sent to me. And I configured in shell
> scripts the tests, and it's ok.
> But when I put it into squid.conf, I can't authenticate. I tried, but it
> is still asking me for a user and password in the web browser.
>
> These are my lines in squid.conf:
> ==============================================
> auth_param digest realm squid-valencia
> auth_param digest children 5
> auth_param digest program /usr/lib/squid/digest_ldap_auth -b
> "ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -u "cn" -A
> "l" -D
> "cn=Proxy_User,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br"
> -w "123456" -e -v 3 -h 172.16.0.13 -d
> ==============================================
>
> I think that it's right. And I don't know if my problem is now in another
> line:
>
> ==============================================
> external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R
> -b "dc=feinet,dc=fei,dc=edu,dc=br" -D
> "cn=proxy_user,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br"
> -w "123456" -f
> "(&(objectclass=person)(memberof=cn=%a,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br))"
> -h 172.16.0.13
> ==============================================
>
> This external_acl_type works fine with basic, and I'm not sure that it's
> the right way to use external_acl_type with digest authentication.
>
> If you could help me once again, it would be very nice.

Sorry. I don't know LDAP myself. All I can do is post the links and hope
they are helpful.

Amos

>
> Thank you again!
>
> Regards,
>
> Luis - FEI - Brazil
>
>
>
> ----- Original Message ----- From: "Amos Jeffries" <squid3@treenet.co.nz>
> To: "Luis Claudio Botelho - Chefe de Tecnologia e Redes"
> <lbotelho@fei.edu.br>
> Cc: <squid-users@squid-cache.org>
> Sent: Monday, February 18, 2008 8:26 PM
> Subject: Re: [squid-users] Digest Authentication in Squid through LDAP
> in Windows 2003 DC
>
>
>>> Hi,
>>>
>>> Please, I need some help about Digest Authentication.
>>> We made a new server in our enterprise, using "Fedora 7" (64 bits).
>>> We have Squid 3, installed, and we need to authenticate our users in one
>>> of
>>> the DC's (Windows 2003 Server DC).
>>> The problem:
>>> We started configuring Squid with basic authentication; it worked fine,
>>> but
>>> we got the user's password through "Ethereal Software". This is a
>>> problem
>>> here, because we have a lot of students and teachers that we need to
>>> guarantee security to them and against them.
>>> So we tried "digest authentication", and our problem started. Our tests
>>> failed, and we didn't find any documentation about how to implement
>>> "digest_ldap_auth" to check the username and password.
>>> We don't know if our idea about digest authentication is right or wrong.
>>> We
>>> imagine that we can simply authenticate in "Windows 2003 Server DC" (as
>>> basic authentication does), without storing the user's password into the
>>> Linux
>>> Server. Is that possible? If yes, where can I find instructions about
>>> how
>>> to
>>> use it?
>>> If you can help us about this, and even if our idea about digest
>>> authentication between Squid and Windows 2003 Server is wrong, it
>>> would be
>>> very nice.
>>> I would like to thank you for your time, and sorry for any
>>> inconvenience.
>>>
>>> Regards,
>>>
>>
>> There is a help how-to in the wiki
>> http://wiki.squid-cache.org/KnowledgeBase/Using_the_digest_LDAP_authetication_helper
>>
>>
>> There are also some other auth mechanisms that may be useful to you:
>>
>> http://wiki.squid-cache.org/NegotiateAuthentication
>>
>> http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM
>>
>> Amos
>>
>>
>
>

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Received on Wed Feb 20 2008 - 03:01:55 MST
