Re: [squid-users] Ldap secure user-authentication

From: Henrik Nordstr�m <henrik_at_henriknordstrom.net>
Date: Sat, 31 Dec 2011 00:15:48 +0100

ons 2011-12-28 klockan 14:33 +1300 skrev Amos Jeffries:

> In order to move to the more secure auth methods usually requires a
> config setting in the LDAP to enable support for secure authentication
> tokens instead of a password. If you are lucky the LDAP server already
> has that turned on and you only need to add other authentication LDAP
> helpers to Squid.

To use Digest the LDAP tree needs to contain either

  a) plain-text passwords and allow the digest helper access to these
(very bad from a security perspective)

or

  b) Digest auth hashes specifically hashed for your proxy server realm,
and allow the Squid digest helper access to these. The needed password
hash is digest A1 hash which is MD5(login ":" realm ":" password) where
the realm is the realm configured on the proxy.

There is not many LDAP Servers that fall into category 'a' above for
obvious security reasons (but some do), and for 'b' you need to explicit
configure how the LDAP server stores passwords enabling digest hashing,
and have each user change their password after to allow the needed hash
to be stored in LDAP.

Note: The Digest A1 MD5 hash is security sensitive. If you add this to
your LDAP tree then also make sure the attribute is properly protected
only giving read access to Squid. As far as HTTP digest is concerned it
is equivalent to the password.

Regards
Henrik
Received on Fri Dec 30 2011 - 23:15:53 MST

This archive was generated by hypermail 2.2.0 : Sat Dec 31 2011 - 12:00:02 MST