RE: [squid-users] plugin to secure authentication

From: Paolo Biancolli <PAOLO.BIANCOLLI@dont-contact.us>
Date: Mon, 10 Apr 2006 15:59:35 +0200

I have managed to get the digest_pw_auth program working properly without any problems.

You mentioned I need at least the -A option to the line in squid.conf. The ldap database I am authenticating against is a MS 2003 active directory. Do I specify the password attribute which contains the user's password (unicodePwd attribute in active directory) i.e.

auth_param digest program /usr/local/squid/libexec/digest_ldap_auth -A "unicodePwd" -e -b "OU=UserAccounts,OU=USERS,DC=MY,DC=DOMAIN,DC=AC,DC=ZA" -F "uid=%s" -D "Cn=User_Name,OU=ServiceAccount,DC=MY,DC=DOMAIN,DC=AC,DC=ZA" -w "PassWord" -h 146.141.x.x -p 389 -v 3 -Z

Many thanks
Paolo Biancolli

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
Sent: 10 April 2006 11:01 AM
To: Paolo Biancolli
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] plugin to secure authentication

Mon 2006-04-10 at 09:26 +0200, Paolo Biancolli wrote:
> Thanks for that, I have installed the helper but am getting stuck on
> the configuration side. Could you point me to some documentation which
> explains how to configure squid.conf.

First of all you need an understanding of Digest authentication. It is quite different from Basic in that there is no password exchange.

The role of a digest helper is to query the LDAP directory returning to Squid either

  a) A plain text password (which gets hashed automatically by the helper)

  b) A Digest hashed password

Digest hashed passwords can be created with for example the Apache htdigest tool, or anything else implementing the Digest password hash.
It's a simple MD5(username ":" realm ":" password)

I would recommend starting by using the local text file digest_pw_auth program before attempting to use the LDAP variant. The functionality of the two is the same, only that the LDAP variant queries the LDAP directory for the required information instead of reading a local text file.

> auth_param digest program /usr/local/squid/libexec/digest_ldap_auth -e
> -b "OU=UserAccounts,OU=Users,DC=MY,DC=DOMAIN,DC=AC,DC=ZA" -F "uid=%s"
> -D "Cn=User_Name,OU=ServiceAccount,DC=MY,DC=DOMAIN,DC=AC,DC=ZA" -w
> "Pass_Word" -h 146.141.x.x -p 636 -v 3 -Z

You need at least a -A option telling the helper the LDAP attribute where it can find the hashed password details in the user's LDAP record.
As you have indicated that the passwords should be "encrypted" the form stored in this attribute should be

realm:hashed_password

i.e. if the realm is "Squid HTTP Proxy" and the login is test with password testing

Squid HTTP Proxy:3c530cc74ebef299304610294b8fdbc9

Regards
Henrik
Received on Mon Apr 10 2006 - 07:59:59 MDT
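
Added example (not part of the original thread and not Squid's helper code): building the "realm:hashed_password" attribute value from the MD5(username ":" realm ":" password) formula in the message, and checking a client's Digest response against it per RFC 2617 (qop=auth) without ever handling the password. The function names and the split-on-last-colon parsing are assumptions made for this illustration; the request values used at the bottom are the published sample from RFC 2617.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_hash(username, realm, password):
    # The Digest password hash from the message: MD5(username ":" realm ":" password)
    return md5_hex(f"{username}:{realm}:{password}")

def attribute_value(username, realm, password):
    # The "realm:hashed_password" form to store in the LDAP attribute
    return f"{realm}:{digest_hash(username, realm, password)}"

def parse_attribute(value, expected_realm):
    # Assumption: split on the last ':' so a realm containing ':' still parses.
    realm, sep, hashed = value.rpartition(":")
    hashed = hashed.lower()
    if not sep or realm != expected_realm:
        return None
    if len(hashed) != 32 or any(c not in "0123456789abcdef" for c in hashed):
        return None
    return hashed

def expected_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 qop=auth: the proxy needs only the stored hash, never the password.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(stored, realm, method, uri, nonce, nc, cnonce, response):
    ha1 = parse_attribute(stored, realm)
    if ha1 is None:
        return False
    want = expected_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(want, response.lower())

if __name__ == "__main__":
    # Login, password and realm taken from the message above.
    print(attribute_value("test", "Squid HTTP Proxy", "testing"))
    # Request values below are the published sample from RFC 2617 section 3.5.
    stored = attribute_value("Mufasa", "testrealm@host.com", "Circle Of Life")
    print(verify(stored, "testrealm@host.com", "GET", "/dir/index.html",
                 "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b",
                 "6629fae49393a05397450978507c4ef1"))
```

Because a valid response can be computed from the stored hash alone, that hash is password-equivalent for its realm, and the LDAP attribute holding it needs the same access control as a plain-text password.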
