Re: [squid-users] Encrypted authentication and LDAP.

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 24 Aug 2004 15:23:36 +0200 (CEST)

On Tue, 24 Aug 2004, Jean-Michel Bonnefond wrote:

> -Use of LDAPS is now supported in squid, starting from version 2.5 Stable5
> which should resolve the encryption problem between squid and Active
> directory.

Correct. But this does not solve client->Squid.

> -Using Digest authentication method between client and squid server couldn't
> be used simultaneously with another authentication scheme like Ldaps.

Yes it can, but there are no other backend password databases for digest
authentication than a local digest password file. Digest authentication
can not use the AD directory, not yet anyway.

> -Using stunnel (or a similar program) to encrypt traffic between client and
> squid and then use LDAPS auth method between squid and ADS. This implies
> installing software on all clients, which is not really a possible solution for me.

Another option is to use a client which is capable of SSL proxy
connections. Reportedly the latest Mozilla versions are capable of this but
I have not verified... checking.. can not find any sign of such support in
Mozilla 1.7.2, at least not visibly.

> -Using squid reverse proxy/Acceleration mode to encrypt all the traffic
> between client and squid server (including authentication) and then use
> mod_auth LDAP over a secure channel. I'm not sure this is possible ?! Can
> squid really run as cache server for all the web contents (indifferently http
> or https) and encrypt all the traffic between client and squid with SSL?

No.

> -Henrik Nordstrom suggests that it might be possible to write a secure
> channel between Squid and an LDAPS server to allow Digest
> authentication to work, if the passwords are stored in cleartext in the ADS
> (or if at least there is a known copy of the clear password somewhere on the
> squid server), but I don't have any idea of how this can be implemented.
> Plus, I know that the passwords are encrypted in the company directory, which
> seems to harden the task.

There is also a Digest interface to MS ADS but this is not very well
documented and the little there is is in large parts conflicting. And in
addition the Digest implementation in Squid is not well suited for
connecting to other Digest providers in the way it seems most external
Digest servers are done.

> So any suggestion about how I can have encrypted authentication traffic
> between client and squid and then use LDAPS to an ADS would be greatly
> appreciated :)

You could use NTLM via Samba-3 after joining the ADS tree.

Regards
Henrik
Received on Tue Aug 24 2004 - 07:23:38 MDT
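The thread above turns on one property of HTTP Digest authentication: the verifier must be able to recompute HA1 = MD5(username:realm:password), so it needs either the cleartext password or a stored HA1 for that exact realm. A directory that only keeps a salted one-way hash (as a directory that never stores cleartext would) cannot produce HA1, which is why Digest against such a backend cannot work while a local digest password file can. The following Python is an added illustration written for this archive page, not code from Squid or from the poster; it implements the RFC 2617 MD5/qop=auth computation on both sides and contrasts a constructed local HA1 store with a constructed salted-hash directory. The store layouts, user names, nonces and passwords are all constructed assumptions, not Squid's own file format.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 as defined in RFC 2617: MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Digest response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """What the browser sends: it holds the cleartext password, so it can form HA1."""
    return digest_response(digest_ha1(username, realm, password),
                           method, uri, nonce, nc, cnonce)


# Constructed local digest store: username -> (realm, HA1). Storing HA1 instead
# of the cleartext password is enough for verification, but HA1 is bound to
# this realm and is itself password-equivalent for Digest, so it must be
# protected like a password. (Assumed layout, not Squid's file format.)
LOCAL_DIGEST_STORE = {
    "jmb": ("proxy.example", digest_ha1("jmb", "proxy.example", "s3cret")),
}


def directory_hash(password: str, salt: bytes) -> str:
    """Constructed stand-in for a directory that keeps only a salted one-way hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


DIRECTORY_STORE = {
    "jmb": (b"salt01", directory_hash("s3cret", b"salt01")),
}


def verify_with_local_store(username: str, realm: str, method: str, uri: str,
                            nonce: str, nc: str, cnonce: str, response: str) -> bool:
    """Verifier backed by a local HA1 store: recompute and compare in constant time."""
    entry = LOCAL_DIGEST_STORE.get(username)
    if entry is None or entry[0] != realm:
        return False
    expected = digest_response(entry[1], method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


def verify_with_directory(username: str, realm: str, method: str, uri: str,
                          nonce: str, nc: str, cnonce: str, response: str):
    """Verifier backed by a salted-hash directory.

    Returns None ("cannot verify") rather than a bool: the stored value is a
    one-way hash with a different salt and algorithm, so HA1 cannot be derived
    from it and the Digest response can never be recomputed server-side.
    """
    if username not in DIRECTORY_STORE:
        return False
    return None


if __name__ == "__main__":
    nonce, nc, cnonce = "c0ffee", "00000001", "0a4f113b"  # constructed values
    resp = client_response("jmb", "proxy.example", "s3cret", "GET", "/", nonce, nc, cnonce)
    print("local HA1 store:", verify_with_local_store("jmb", "proxy.example", "GET", "/",
                                                      nonce, nc, cnonce, resp))
    print("salted-hash directory:", verify_with_directory("jmb", "proxy.example", "GET", "/",
                                                          nonce, nc, cnonce, resp))
```

The same code reproduces the worked example in RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com), which is a useful check when debugging a Digest helper: if the response for the RFC's inputs does not match the RFC's value, the bug is in the hashing, not in the backend.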