GIGO . wrote:
> Authorizing users via LDAP group:
>
>
> It is listed in the squid_ldap_group man page that using -D binddn -W
> secret fle is to be preferred on -D binddn -w password. While it
> provides extra security then printing the password in plaintext
> inside squid.conf. Doesnt this query itself go in clear text over the
> network? If this is a risk how to handle this situation?
>
The reasoning goes that if the squid.conf gets compromised, then the
password itself is secured in a sub-file which hopefully is harder to
compromise.
It's very easy to compromise any content of squid.conf; the squid.conf
may be posted here or elsewhere wen asking for help, or the cachemgr
password which allows access to a full squid.conf dump may be compromised.
Using the -W option means that the secret file is only read internally
to the helper and used in the post-connection LDAP binding. It's up to
you whether you configure the LDAP helper to use TLS and secure the wire
or not.
>
> 2. Or perform this query over TLS? and how it can be done?
>
See the helper man page you already found for the relevant command line
arguments. The server portion someone else will need to help with.
>
> 3. Allowing anonymous queries can also be configured in Active
> directory however it does not look appropriate. May be it has no
> issues in the total private setup!
Thats a problem you need to decide on. I agree it does look suspect to
choose that if you want security.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1Received on Mon Apr 12 2010 - 11:56:22 MDT
This archive was generated by hypermail 2.2.0 : Mon Apr 12 2010 - 12:00:04 MDT