[squid-users] Digest Authentication in Squid through LDAP in Windows 2003 DC

2008-02-18 Thread Luis Claudio Botelho - Chefe de Tecnologia e Redes

Hi,

Please, I need some help about Digest Authentication.
We made a new server in our enterprise, using "Fedora 7" (64 bits).
We have Squid 3, installed, and we need to authenticate our users in one of
the DC's (Windows 2003 Server DC).
The problem:
We started configuring Squid with basic authentication; it worked fine, but
we got the user's password through "Ethereal Software". This is a problem
here, because we have a lot of students and teachers that we need to
guarantee security to them and against them.
So we tried "digest authentication", and our problem started. Our tests
failed, and we didn't find any documentation about how to implement
"digest_ldap_auth" to check the username and password.
We don't know if our idea about digest authentication is right or wrong. We
imagine that we can simply authenticate in "Windows 2003 Server DC" (as
basic authentication does), without storing the user's password into the Linux
Server. Is that possible? If yes, where can I find instructions about how to
use it?
If you can help us about this, and even if our idea about digest
authentication between Squid and Windows 2003 Server is wrong, it would be
very nice.
I would like to thank you for your time, and sorry for any inconvenience.

Regards,

____
Luis Claudio Botelho
Chefe de Tecnologia e Redes
Coordenadoria Geral de Informática
Centro Universitário da FEI
São Bernardo do Campo - SP
4353-2900 ramal 2117

"The great secret of life is to spend it in something that endures more than 
itself"

"In the box was written: Windows NT, 2000 or better. So I installed Linux"
"Knowing is not enough, we must apply. Willing is not enough, we must do." 





Re: [squid-users] Digest Authentication in Squid through LDAP in Windows 2003 DC

2008-02-19 Thread Luis Claudio Botelho - Chefe de Tecnologia e Redes

Hi Amos Jeffries,
Thank you for your cooperation.

So I used one of the links you sent to me. And I configured in shell scripts 
the tests, and it's ok.
But when I put into squid.conf, I can't authenticate. I tried but it is still 
asking me for a user and password in the web browser.


These are my lines in squid.conf:
==
auth_param digest realm squid-valencia
auth_param digest children 5
auth_param digest program /usr/lib/squid/digest_ldap_auth -b "ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -u "cn" -A "l" -D "cn=Proxy_User,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -w "123456" -e -v 3 -h 172.16.0.13 -d

==

I think that it's right. And I don't know if my problem is now in another 
line:


==
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=feinet,dc=fei,dc=edu,dc=br" -D "cn=proxy_user,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -w "123456" -f "(&(objectclass=person)(memberof=cn=%a,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br))" -h 172.16.0.13

==

This external_acl_type works fine with basic, and I'm not sure that it's the 
right way to use external_acl_type with digest authentication.


If you could help me once again, it would be very nice.

Thank you again!

Regards,

Luis - FEI - Brazil



----- Original Message - 
From: "Amos Jeffries" <[EMAIL PROTECTED]>
To: "Luis Claudio Botelho - Chefe de Tecnologia e Redes" 
<[EMAIL PROTECTED]>

Cc: 
Sent: Monday, February 18, 2008 8:26 PM
Subject: Re: [squid-users] Digest Authentication in Squid through LDAP in 
Windows 2003 DC




Hi,

Please, I need some help about Digest Authentication.
We made a new server in our enterprise, using "Fedora 7" (64 bits).
We have Squid 3, installed, and we need to authenticate our users in one of
the DC's (Windows 2003 Server DC).
The problem:
We started configuring Squid with basic authentication; it worked fine, but
we got the user's password through "Ethereal Software". This is a problem
here, because we have a lot of students and teachers that we need to
guarantee security to them and against them.
So we tried "digest authentication", and our problem started. Our tests
failed, and we didn't find any documentation about how to implement
"digest_ldap_auth" to check the username and password.
We don't know if our idea about digest authentication is right or wrong. We
imagine that we can simply authenticate in "Windows 2003 Server DC" (as
basic authentication does), without storing the user's password into the Linux
Server. Is that possible? If yes, where can I find instructions about how to
use it?
If you can help us about this, and even if our idea about digest
authentication between Squid and Windows 2003 Server is wrong, it would be
very nice.
I would like to thank you for your time, and sorry for any inconvenience.

Regards,



There is a help how-to in the wiki
http://wiki.squid-cache.org/KnowledgeBase/Using_the_digest_LDAP_authetication_helper

There are also some other auth mechanisms that may be useful to you:

http://wiki.squid-cache.org/NegotiateAuthentication

http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM

Amos







[squid-users] squid_ldap_group - doubt

2008-02-20 Thread Luis Claudio Botelho - Chefe de Tecnologia e Redes

Hi,

I'm trying to test squid_ldap_group.
The scenario is:

dn: CN=lbotelho,OU=Funcionarios,OU=Usuarios,DC=FEINET,DC=FEI,DC=EDU,DC=BR
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: lbotelho
memberOf: CN=funcionarios,CN=Users,DC=FEINET,DC=FEI,DC=EDU,DC=BR
memberOf: CN=Rede,OU=Funcionarios,OU=Usuarios,DC=FEINET,DC=FEI,DC=EDU,DC=BR
memberOf: CN=Domain Admins,CN=Users,DC=FEINET,DC=FEI,DC=EDU,DC=BR
name: lbotelho
sAMAccountName: lbotelho

I got these results through ldapsearch command.

But when I try to run squid_ldap_group, I received an ERR.
Here is the syntax:


./squid_ldap_group -d -P -b "dc=feinet,dc=fei,dc=edu,dc=br" -v 3 -D "cn=proxy_user,ou=funcionarios,ou=usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -w "123456" -f"(&(uid=%v)(member=%g))" -h 172.16.0.13


After the command above, I entered with


lbotelho Rede


And the result is

Connected OK
group filter '(&(uid=lbotelho)(member=Rede))', searchbase 
'dc=feinet,dc=fei,dc=edu,dc=br'

ERR


I tried a lot of other information (searching in www.squid-cache.org), but 
it didn't work. To sum up, I know that I'm doing something wrong, but I 
don't know how to solve this.


If someone has something that can help, it would be very nice.

Thanks a lot!


Luis Claudio Botelho
Chefe de Tecnologia e Redes
Coordenadoria Geral de Informática
Centro Universitário da FEI
São Bernardo do Campo - SP
4353-2900 ramal 2117
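
Added example (not part of the thread and not the helper's own code): it expands the group filter the way the debug output above shows and evaluates it against the entry exactly as posted, to make visible which attributes a filter can and cannot match. The evaluator handles only an AND of equality tests; the BY_ENTRY filter and all function names are hypothetical and built only from attributes present in the posted entry.

```python
import re

# Entry as posted in the message above (attribute names lowercased for lookup).
ENTRY = {
    "objectclass": ["top", "person", "organizationalPerson", "user"],
    "cn": ["lbotelho"],
    "memberof": [
        "CN=funcionarios,CN=Users,DC=FEINET,DC=FEI,DC=EDU,DC=BR",
        "CN=Rede,OU=Funcionarios,OU=Usuarios,DC=FEINET,DC=FEI,DC=EDU,DC=BR",
        "CN=Domain Admins,CN=Users,DC=FEINET,DC=FEI,DC=EDU,DC=BR",
    ],
    "name": ["lbotelho"],
    "samaccountname": ["lbotelho"],
}

def escape(value):
    # RFC 4515 escaping, so a login or group name is always treated as data.
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand(template, user, group):
    # Tokens seen in the thread: %v = user name, %g and %a = group name.
    values = {"%v": user, "%g": group, "%a": group}
    return re.sub(r"%[vga]", lambda m: escape(values[m.group(0)]), template)

def matches(filter_text, entry):
    # Evaluates an AND of equality tests, the only filter shape used in the thread.
    terms = re.findall(r"\(([^()&|!=]+)=([^()]*)\)", filter_text)
    return bool(terms) and all(
        any(want.lower() == have.lower() for have in entry.get(attr.lower(), []))
        for attr, want in terms)

POSTED = "(&(uid=%v)(member=%g))"
# Hypothetical alternative built only from attributes present in the posted entry.
BY_ENTRY = ("(&(sAMAccountName=%v)(memberOf=cn=%g,ou=Funcionarios,ou=Usuarios,"
            "dc=feinet,dc=fei,dc=edu,dc=br))")

if __name__ == "__main__":
    for template in (POSTED, BY_ENTRY):
        for group in ("Rede", "funcionarios"):
            expanded = expand(template, "lbotelho", group)
            print("OK " if matches(expanded, ENTRY) else "ERR", expanded)
```

The posted entry lists no uid or member attribute and its memberOf values are full DNs, so the posted filter finds nothing; the alternative matches "Rede" but not "funcionarios", whose DN sits under CN=Users.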






Re: [squid-users] Need help

2008-03-05 Thread Luis Claudio Botelho - Chefe de Tecnologia e Redes

Hi friends

Try "Webmin"

http://freshmeat.net/projects/webmin/

You can manage a lot of things through a graphic console.

Hope it helps.

Regards,

____
Luis Claudio Botelho
Chefe de Tecnologia e Redes
Coordenadoria Geral de Informática
Centro Universitário da FEI
São Bernardo do Campo - SP
4353-2900 ramal 2117


- Original Message - 
From: "Adrian Chadd" <[EMAIL PROTECTED]>

To: "piyush joshi" <[EMAIL PROTECTED]>
Cc: 
Sent: Wednesday, March 05, 2008 8:37 AM
Subject: Re: [squid-users] Need help



There's no (one) piece of software that does this yet. A combination of
various bits of free software can do all of this.



Adrian

On Wed, Mar 05, 2008, piyush joshi wrote:

Dear All,
  Can anyone suggest me any free software to monitor squid
which will show all information like CPU usage, Memory Usage, No of
hits, IP address where from request is coming, top users, Top sites,
Top Bandwidth. Please reply to me, I will be grateful to you.

--
Regards

Piyush Joshi
9415414376


--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid 
Support -

- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -






Re: [squid-users] FW: How to improve integratin of LDAP authentication

2008-06-11 Thread Luis Claudio Botelho - Chefe de Tecnologia e Redes

Hi Peter

We have this configuration here in my job.

My workstations don't ask for login and password because they are 
integrated in the domain.


Only the workstations that don't belong to the domain ask for 
user/password.


The question is: is your workstation connected to the domain? Have you 
configured SAMBA in your Linux Server?


Regards!

Luis Claudio Botelho
Brazil

- Original Message - 
From: "Jevos, Peter" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, June 11, 2008 8:39 AM
Subject: [squid-users] FW: How to improve integratin of LDAP authentication



Hi,

I'd like to ask you one question.
I have ldap authentication against AD that works perfectly.
My config is:
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b "dc=x, dc=x" -D "cn=x,ou=x,ou=x,dc=x,dc=x,dc=x" -w "x" -f sAMAccountName=%s -h 10.0.0.1 -p 3268

When I run it login window appears to insert login credentials. And
that's fine and it works.
My question is: Is it possible to hand over these credentials from MS
Windows login credentials automatically ( like domainname\user ) ?
The reason is to avoid the interruption with login window. So probably
squid should somehow dig out these credentials from the system

Is it actually possible ?

Thx

pet






Re: [squid-users] FW: How to improve integratin of LDAP authentication

2008-06-11 Thread Luis Claudio Botelho - Chefe de Tecnologia e Redes

Hi Peter again!

I have these two scenarios here: machines connected to the domain, and the 
personal notebooks (from students and teachers - I work at an university).


The students gain access through wireless - but they have to authenticate. 
On the other side, our machines don't need to authenticate to access the 
Internet - the logon credential is accepted for Squid. It's totally 
transparent to the user. All the accesses are registered in the Squid logs - 
date/time/username/site...
And the only way we found to do this was integrating the Linux Server with 
SAMBA. We have 1.500 workstations, and this is the only way to register user 
access.


Hope it helps

Regards!

Luis - Brazil



- Original Message - 
From: "Jevos, Peter" <[EMAIL PROTECTED]>
To: "Luis Claudio Botelho - Chefe de Tecnologia e Redes" 
<[EMAIL PROTECTED]>; 

Sent: Wednesday, June 11, 2008 9:23 AM
Subject: RE: [squid-users] FW: How to improve integratin of LDAP 
authentication





-----Original Message-----
From: Luis Claudio Botelho - Chefe de Tecnologia e Redes
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2008 2:20 PM
To: Jevos, Peter; squid-users@squid-cache.org
Subject: Re: [squid-users] FW: How to improve integratin of LDAP
authentication

Hi Peter

We have this configuration here in my job.

My workstations don't ask for login and password because they are
integrated in the domain.

Only the workstations that don't belong to the domain ask for
user/password.

The question is: is your workstation connected to the domain? Have you
configured SAMBA in your Linux Server?

Regards!

Luis Claudio Botelho
Brazil



Thanks for your answer Luis
Of course our stations are connected into the domain.
I'm not using samba yet ( but it's possible )
But all I'd like to know is a brief principle how it works ( or brief
howto )

Thx

pet




Hi,

I'd like to ask you one question.
I have ldap authentication against AD that works perfectly.
My config is:
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b "dc=x, dc=x" -D "cn=x,ou=x,ou=x,dc=x,dc=x,dc=x" -w "x" -f sAMAccountName=%s -h 10.0.0.1 -p 3268

When I run it login window appears to insert login credentials. And
that's fine and it works.
My question is: Is it possible to hand over these credentials from MS
Windows login credentials automatically ( like domainname\user ) ?
The reason is to avoid the interruption with login window. So probably
squid should somehow dig out these credentials from the system

Is it actually possible ?

Thx

pet