Re: [squid-users] Encrypted (Basic) Authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 21 Apr 2012 02:22:13 +1200

On 19/04/2012 8:38 p.m., Christoph Mitasch wrote:
> Hello,
>
> we have stored usernames and secure password hashes in a central
> OpenLDAP directory.
>
> We want to use Squid as a proxy for clients and require them to login
> using the central LDAP directory.
> This login should work over an encrypted connection since it's not an
> option to send the password unencrypted. Logging the username in the
> squid logs is also essential.
>
> Using a weak hashing algorithm like the digest authentication does,
> isn't a good option either.
>
> I found the following solution, but I'm not sure if that's a good way
> to go.
> http://www.mikealeonetti.com/wiki/index.php/Squid_LDAP_transparent_proxy_authentication_script

Not relevant. That is for session-based authorization on intercepted
traffic. It is not authentication despite the author's use of the term.
Basic auth protocol with its clear-text credentials is more secure.

>
> What can you recommend?

What is the backend you are using the LDAP protocol to access capable of?
Kerberos is the best you can get in the way of secure authentication these
days, despite the limits it imposes on HTTP performance.

Alternatively you can try using a TLS connection to secure the transport
between the web clients and Squid.
  http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection

Amos
Received on Fri Apr 20 2012 - 14:22:27 MDT
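
The TLS option suggested in the reply above, sketched as a squid.conf fragment. This is an added example, not part of the original message or of the Squid project's documentation; the port, host names, file paths and LDAP base DN are placeholders, and the helper path varies by distribution.

```conf
# Added example: all paths, host names and DNs below are placeholders.

# Listen for proxy clients over TLS. The Proxy-Authorization header with
# the Basic credentials then travels inside the encrypted connection.
https_port 3129 cert=/etc/squid/proxy.example.org.pem key=/etc/squid/proxy.example.org.key

# Basic authentication checked by an LDAP bind. The directory compares the
# submitted password with its stored hash, so Squid never sees the hash.
# The helper is called squid_ldap_auth in Squid 3.1 and earlier.
#   -v 3  use LDAP protocol version 3
#   -Z    TLS-encrypt the connection between the helper and the LDAP server
#   -b    search base, -f search filter (%s is replaced by the login name)
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -Z -h ldap.example.org -b "ou=people,dc=example,dc=org" -f "uid=%s"
auth_param basic children 5
auth_param basic realm Proxy login
auth_param basic credentialsttl 1 hour

# Require a successful login for every request; the authenticated user
# name is then available to the access log.
acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users
http_access deny all
```

Clients must be able to speak TLS to the proxy itself for this to work; a client that connects in plain HTTP to a normal http_port would still send the Basic credentials in clear text.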
