On Mon, 04 Mar 2019, Edward Valley via FreeIPA-users wrote:
> Thanks Rob. Squid has a digest LDAP authentication helper. Adapting this
> guide (https://wiki.squid-cache.org/KnowledgeBase/LdapBackedDigestAuthentication)
> to FreeIPA, squid digest authentication works fine. I'm just looking for a
> way to automate the process of generating digests every time users change
> their passwords. Thanks again.
I'd recommend you switch to
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap instead.

This has the benefit that the password check is done by binding to LDAP
instead of trying to fetch hashes and compare. In other words, it moves
the actual authentication check to the LDAP server and makes the whole
problem disappear.



> Ed.
>
> 08:26, March 4, 2019, "Rob Crittenden via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>:
>> Edward Valley via FreeIPA-users wrote:
>>> Hello there. I'm trying to set up squid proxy to use FreeIPA as LDAP
>>> backend for user authentication. Everything works fine while using basic
>>> authentication. In order to use digest authentication I need users to
>>> have a specific password storage scheme (MD5 of user:realm:password
>>> combination). Can someone point me in the right direction on how to
>>> accomplish it? Coding a new plugin? Extending an already existing one?
>>> Configuring something? I've done some research and it seems everybody
>>> integrating squid with FreeIPA is using kerberos, but that's something
>>> I'll be doing later. Thank you very much.
>>
>> Digest auth generally requires the password to be available in the clear
>> (or reversible), try to avoid it. I think you'd have a hard time trying
>> to configure IPA to allow it and you'd be climbing far out on a limb if
>> you manage to succeed.
>>
>> rob
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
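
Added example (Python; not code from this thread, Squid or FreeIPA): it contrasts the digest scheme discussed above, where the proxy needs a separately stored MD5(user:realm:password) value that goes stale when the password changes, with a bind-style check that always uses the directory's current credential. The user name, realm, passwords, request fields and the PBKDF2 stand-in for the LDAP bind are assumptions made for illustration.

```python
import hashlib, hmac, os

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    """The 'MD5 of user:realm:password' value from the thread (RFC 2617 HA1)."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth; the password itself is not an input."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def proxy_verify_digest(stored_ha1, fields) -> bool:
    """Digest check at the proxy: needs HA1 fetched from the directory."""
    expected = digest_response(stored_ha1, fields["method"], fields["uri"],
                               fields["nonce"], fields["nc"], fields["cnonce"])
    return hmac.compare_digest(expected, fields["response"])

# Stand-in for the directory's own password check during an LDAP simple bind.
# Assumption: a salted PBKDF2 hash; the page does not state FreeIPA's scheme.
def make_bind_hash(password: str, salt: bytes = None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def bind_check(stored, password: str) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def client_request(user, realm, password, nonce):
    """Constructed sample of what a browser sends for one proxied request."""
    f = {"method": "GET", "uri": "http://example.test/", "nonce": nonce,
         "nc": "00000001", "cnonce": "0a4f113b"}
    f["response"] = digest_response(ha1(user, realm, password), f["method"],
                                    f["uri"], f["nonce"], f["nc"], f["cnonce"])
    return f

def demo():
    user, realm = "edward", "Squid proxy"            # constructed sample values
    stored_ha1 = ha1(user, realm, "old-secret")      # extra attribute in LDAP
    stored_bind = make_bind_hash("old-secret")       # what the directory keeps
    ok_before = proxy_verify_digest(stored_ha1, client_request(user, realm, "old-secret", "n1"))
    # Password changes: the bind hash is replaced, the HA1 attribute is not.
    stored_bind = make_bind_hash("new-secret")
    stale = proxy_verify_digest(stored_ha1, client_request(user, realm, "new-secret", "n2"))
    return ok_before, stale, bind_check(stored_bind, "new-secret")
```

`demo()` returns, in order, whether digest auth worked before the password change, whether it still works afterwards with the unregenerated HA1, and whether the bind-style check accepts the new password.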