RE: [squid-users] plugin to secure authentication

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Mon, 10 Apr 2006 11:00:43 +0200

Mon 2006-04-10 at 09:26 +0200, Paolo Biancolli wrote:
> Thanks for that, I have installed the helper but am getting stuck on the
> configuration side. Could you point me to some documentation which
> explains how to configure squid.conf.

First of all you need an understanding of Digest authentication. It is
quite different from Basic in that there is no password exchange.

The role of a digest helper is to query the LDAP directory, returning to
Squid either

  a) A plain text password (which gets hashed automatically by the
helper)

  b) A Digest hashed password

Digest hashed passwords can be created with for example the Apache
htdigest tool, or anything else implementing the Digest password hash.
It's a simple MD5(username ":" realm ":" password)

I would recommend starting by using the local text file digest_pw_auth
program before attempting to use the LDAP variant. The functionality of
the two is the same, only that the LDAP variant queries the LDAP
directory for the required information instead of reading a local text
file.

> auth_param digest program /usr/local/squid/libexec/digest_ldap_auth -e
> -b "OU=UserAccounts,OU=Users,DC=MY,DC=DOMAIN,DC=AC,DC=ZA" -F "uid=%s" -D
> "Cn=User_Name,OU=ServiceAccount,DC=MY,DC=DOMAIN,DC=AC,DC=ZA" -w
> "Pass_Word" -h 146.141.x.x -p 636 -v 3 -Z

You need at least a -A option telling the helper the LDAP attribute
where it can find the hashed password details in the user's LDAP record.
As you have indicated that the passwords should be "encrypted" the form
stored in this attribute should be

realm:hashed_password

i.e. if the realm is "Squid HTTP Proxy" and the login is test with
password testing

Squid HTTP Proxy:3c530cc74ebef299304610294b8fdbc9

Regards
Henrik

Received on Mon Apr 10 2006 - 03:00:47 MDT
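
Added example, not part of the original message and not code from Squid or its helpers: a Python sketch that builds the "realm:hashed_password" value described above and, going one step beyond the message, shows how an RFC 2617 qop=auth response can be checked from that stored hash alone, which is why no password is exchanged. All function names are hypothetical, and splitting the stored value at the last colon is a choice made for this example.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username, realm, password):
    """Digest password hash: MD5(username ":" realm ":" password)."""
    return md5_hex(f"{username}:{realm}:{password}")

def ldap_attribute_value(username, realm, password):
    """Value in the realm:hashed_password form for the LDAP attribute."""
    return f"{realm}:{ha1(username, realm, password)}"

def parse_attribute_value(value):
    """Split at the last colon (choice made for this example) and
    reject anything that is not followed by a 32-digit hex MD5."""
    realm, sep, hashed = value.rpartition(":")
    if not sep or len(hashed) != 32 or any(c not in "0123456789abcdef" for c in hashed):
        raise ValueError("expected realm:<32 lowercase hex digits>")
    return realm, hashed

def expected_response(stored_ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 qop=auth response, computed from the stored hash only."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(stored_value, expected_realm, client_response, **request):
    """Check a client's response against the stored attribute value.
    The stored hash is enough to authenticate within its realm, so the
    attribute deserves the same protection as a password."""
    realm, stored_ha1 = parse_attribute_value(stored_value)
    if realm != expected_realm:
        return False
    wanted = expected_response(stored_ha1, **request)
    return hmac.compare_digest(wanted, client_response)

if __name__ == "__main__":
    # Realm, login and password taken from the message above.
    print(ldap_attribute_value("test", "Squid HTTP Proxy", "testing"))
```

Run directly, it prints the attribute value for the realm and login used in the message.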
