On 5/07/2013 4:57 p.m., Beto Moreno wrote:
> Hi.
>
> I setup squid to authenticate with windows 2008R2 AD native using
>
> squid_ldap_auth
>
> My question is regarding of the user we use in the flag binddn, all
> the docs I had read just tell:
>
> "minimal privileges"
>
> I create a normal user, but squid_ldap_auth reject the user:
>
> squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'
>
> But once I change the user to a domain admin, it works.
>
> Them windows is asking for a user with a special rights, some could
> clear my brain?
That user is *not* a normal account but the account the Squid helper
uses to login to AD itself to lookup the clients credentials with -
validating user:password and user:group pairs. That is the only task it
does. The minimum necessary privileges for that one action and the user
account to remain usable may be changed by the AD authors without
warning between patches/servicepacks to AD, or you may be using one of
the non-AD alternative software with entirely different configuration.
Either way it is difficult to document properly thus the wording
"minimal privileges" is a bit of a copout, but clear enough.
** It is important that they be _minimal_ priviliges on that user
because they are left hanging around in plain-text form in your
squid.conf and also the systems running-process listings which anyone
can view.
Which doc did you read? the helper manual document as far back as I can
find documents it with a line indicating the parameter usage followed by
that "minimal associated privileges" notice.
Amos
Received on Fri Jul 05 2013 - 05:45:32 MDT
This archive was generated by hypermail 2.2.0 : Fri Jul 05 2013 - 12:00:11 MDT