Re: [squid-users] squid_ldap_auth windows 2008 binddn user privileges?

From: Beto Moreno <pamrtj_at_gmail.com>
Date: Fri, 5 Jul 2013 09:42:09 -0700

I got your point, I have to find out what group the user needs to be in
for this, I'll let you know ASAP.

Now that says:

"The minimum necessary privileges for that one action and the user
account to remain usable may be changed by the AD authors without
warning between patches/servicepacks to AD, or you may be using one of
the non-AD alternative software with entirely different configuration.
Either way it is difficult to document properly thus the wording
"minimal privileges" is a bit of a copout, but clear enough"

I got why none of the docs touch the user's special privilege settings;
I need to go to the Windows users and ask.

Let me investigate, thanks.

On Thu, Jul 4, 2013 at 10:45 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 5/07/2013 4:57 p.m., Beto Moreno wrote:
>>
>> Hi.
>>
>> I set up squid to authenticate against Windows 2008R2 AD natively using
>>
>> squid_ldap_auth
>>
>> My question is regarding the user we use in the binddn flag; all
>> the docs I have read just say:
>>
>> "minimal privileges"
>>
>> I created a normal user, but squid_ldap_auth rejects the user:
>>
>> squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'
>>
>> But once I change the user to a domain admin, it works.
>>
>> Then Windows is asking for a user with special rights; could someone
>> clear my brain?
>
>
> That user is *not* a normal account but the account the Squid helper uses to
> log in to AD itself to look up the clients' credentials with - validating
> user:password and user:group pairs. That is the only task it does. The
> minimum necessary privileges for that one action and the user account to
> remain usable may be changed by the AD authors without warning between
> patches/service packs to AD, or you may be using one of the non-AD
> alternative software with entirely different configuration. Either way it is
> difficult to document properly, thus the wording "minimal privileges" is a
> bit of a copout, but clear enough.
>
> ** It is important that they be _minimal_ privileges on that user because
> they are left hanging around in plain-text form in your squid.conf and also
> in the system's running-process listings, which anyone can view.
>
>
> Which doc did you read? The helper manual document, as far back as I can
> find, documents it with a line indicating the parameter usage followed by that
> "minimal associated privileges" notice.
>
> Amos
Received on Fri Jul 05 2013 - 16:42:16 MDT
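Amos's warning above is that the binddn password sits in plain text in squid.conf and in the process list of every running helper. The script below is an added example, not code from this thread or from the Squid project: it builds two constructed squid.conf fragments (the bind password given inline with -w, and the same line reading it from a root-only file with -W, an option the helper supports), flags the weak form with a grep-based check, and verifies that the password file is not group- or world-readable. The DN, host names, file paths and the password value are placeholders.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project).
# Two constructed squid.conf fragments for squid_ldap_auth: the bind
# password passed inline on the helper command line versus read from a
# protected file. All DNs, hosts, paths and secrets are placeholders.

# Weak: the value after -w is stored in squid.conf and shows up in the
# argv of every helper child, so `ps` exposes it to any local user.
WEAK_CONF='auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=com" -D "cn=squidbind,ou=service,dc=example,dc=com" -w "S3cretPlaceholder" -f "sAMAccountName=%s" -h dc1.example.com
auth_param basic children 5
auth_param basic realm Squid proxy'

# Hardened: -W names a file the helper reads the password from at startup.
# The secret is then only on disk, where file permissions can protect it.
HARDENED_CONF='auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=com" -D "cn=squidbind,ou=service,dc=example,dc=com" -W /etc/squid/ldap_bind_password -f "sAMAccountName=%s" -h dc1.example.com
auth_param basic children 5
auth_param basic realm Squid proxy'

# Print every "auth_param <scheme> program ..." line that carries an
# inline "-w <password>" argument. Reads the config on stdin.
find_inline_bind_passwords() {
    grep -E '^[[:space:]]*auth_param[[:space:]]+[a-z]+[[:space:]]+program[[:space:]].*[[:space:]]-w[[:space:]]'
}

# Number of offending lines in the config text given as $1 (0 when clean).
count_inline_bind_passwords() {
    printf '%s\n' "$1" | find_inline_bind_passwords | wc -l | tr -d ' '
}

# Succeeds only if the file at $1 grants no group or other permissions
# (mode string like -rw-------), which is what a -W password file needs.
password_file_is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -r??------) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on the constructed fragments.
printf 'weak config: %s inline bind password(s)\n' \
    "$(count_inline_bind_passwords "$WEAK_CONF")"
printf 'hardened config: %s inline bind password(s)\n' \
    "$(count_inline_bind_passwords "$HARDENED_CONF")"
```

On a real proxy, run `find_inline_bind_passwords < /etc/squid/squid.conf` and `password_file_is_private /etc/squid/ldap_bind_password`; the file should be owned by root, readable by the Squid effective user only, and contain the password for an account with nothing beyond the rights needed to search and bind, as the thread recommends.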