Re: [squid-users] Digest Authentication in Squid through LDAP in Windows 2003 DC
Luis Claudio Botelho - Chefe de Tecnologia e Redes wrote:

> Hi Amos Jeffries,
>
> Thank you for your cooperation.
>
> So I used one of the links you sent to me. And I configured in shell scripts the tests, and it's ok. But when I put into squid.conf, I can't authenticate. I tried but it is still asking me for a user and password in the web browser.
>
> These are my lines in squid.conf:
>
> ==
> auth_param digest realm squid-valencia
> auth_param digest children 5
> auth_param digest program /usr/lib/squid/digest_ldap_auth -b "ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -u "cn" -A "l" -D "cn=Proxy_User,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -w "123456" -e -v 3 -h 172.16.0.13 -d
> ==
>
> I think that it's right. And I don't know if my problem is now in another line:
>
> ==
> external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=feinet,dc=fei,dc=edu,dc=br" -D "cn=proxy_user,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -w "123456" -f "(&(objectclass=person)(memberof=cn=%a,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br))" -h 172.16.0.13
> ==
>
> This external_acl_type works fine with basic, and I'm not sure that it's the right way to use external_acl_type with digest authentication.
>
> If you could help me once again, it would be very nice.

Sorry. I don't know LDAP myself. All I can do is post the links and hope they are helpful.

Amos

> Thank you again!
>
> Regards,
>
> Luis - FEI - Brazil
>
> - Original Message -
> From: "Amos Jeffries" <[EMAIL PROTECTED]>
> To: "Luis Claudio Botelho - Chefe de Tecnologia e Redes" <[EMAIL PROTECTED]>
> Cc:
> Sent: Monday, February 18, 2008 8:26 PM
> Subject: Re: [squid-users] Digest Authentication in Squid through LDAP in Windows 2003 DC
>
> > Hi,
> >
> > Please, I need some help about Digest Authentication.
> > We made a new server in our enterprise, using "Fedora 7" (64 bits). We have Squid 3, installed, and we need to authenticate our users in one of the DC's (Windows 2003 Server DC).
> > The problem:
> > We started configuring Squid with basic authentication; it worked fine, but we got the user's password through "Ethereal Software". This is a problem here, because we have a lot of students and teachers that we need to guarantee security to them and against them.
> > So we tried "digest authentication", and our problem started. Our tests failed, and we didn't find any documentation about how to implement "digest_ldap_auth" to check the username and password.
> > We don't know if our idea about digest authentication is right or wrong. We imagine that we can simply authenticate in "Windows 2003 Server DC" (as basic authentication does), without storing the user's password into the Linux Server. Is that possible? If yes, where can I find instructions about how to use it?
> > If you can help us about this, and even if our idea about digest authentication between Squid and Windows 2003 Server is wrong, it would be very nice.
> > I would like to thank you for your time, and sorry for any inconvenience.
> >
> > Regards,
>
> There is a help how-to in the wiki
> http://wiki.squid-cache.org/KnowledgeBase/Using_the_digest_LDAP_authetication_helper
>
> There are also some other auth mechanisms that may be useful to you:
> http://wiki.squid-cache.org/NegotiateAuthentication
> http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM
>
> Amos

--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Re: [squid-users] Digest Authentication in Squid through LDAP in Windows 2003 DC
Hi Amos Jeffries,

Thank you for your cooperation.

So I used one of the links you sent to me. And I configured in shell scripts the tests, and it's ok. But when I put into squid.conf, I can't authenticate. I tried but it is still asking me for a user and password in the web browser.

These are my lines in squid.conf:

==
auth_param digest realm squid-valencia
auth_param digest children 5
auth_param digest program /usr/lib/squid/digest_ldap_auth -b "ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -u "cn" -A "l" -D "cn=Proxy_User,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -w "123456" -e -v 3 -h 172.16.0.13 -d
==

I think that it's right. And I don't know if my problem is now in another line:

==
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=feinet,dc=fei,dc=edu,dc=br" -D "cn=proxy_user,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -w "123456" -f "(&(objectclass=person)(memberof=cn=%a,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br))" -h 172.16.0.13
==

This external_acl_type works fine with basic, and I'm not sure that it's the right way to use external_acl_type with digest authentication.

If you could help me once again, it would be very nice.

Thank you again!

Regards,

Luis - FEI - Brazil

- Original Message -
From: "Amos Jeffries" <[EMAIL PROTECTED]>
To: "Luis Claudio Botelho - Chefe de Tecnologia e Redes" <[EMAIL PROTECTED]>
Cc:
Sent: Monday, February 18, 2008 8:26 PM
Subject: Re: [squid-users] Digest Authentication in Squid through LDAP in Windows 2003 DC

> Hi,
>
> Please, I need some help about Digest Authentication.
> We made a new server in our enterprise, using "Fedora 7" (64 bits). We have Squid 3, installed, and we need to authenticate our users in one of the DC's (Windows 2003 Server DC).
> The problem:
> We started configuring Squid with basic authentication; it worked fine, but we got the user's password through "Ethereal Software". This is a problem here, because we have a lot of students and teachers that we need to guarantee security to them and against them.
> So we tried "digest authentication", and our problem started. Our tests failed, and we didn't find any documentation about how to implement "digest_ldap_auth" to check the username and password.
> We don't know if our idea about digest authentication is right or wrong. We imagine that we can simply authenticate in "Windows 2003 Server DC" (as basic authentication does), without storing the user's password into the Linux Server. Is that possible? If yes, where can I find instructions about how to use it?
> If you can help us about this, and even if our idea about digest authentication between Squid and Windows 2003 Server is wrong, it would be very nice.
> I would like to thank you for your time, and sorry for any inconvenience.
>
> Regards,

There is a help how-to in the wiki
http://wiki.squid-cache.org/KnowledgeBase/Using_the_digest_LDAP_authetication_helper

There are also some other auth mechanisms that may be useful to you:
http://wiki.squid-cache.org/NegotiateAuthentication
http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM

Amos
Re: [squid-users] Digest Authentication in Squid through LDAP in Windows 2003 DC
> Hi,
>
> Please, I need some help about Digest Authentication.
> We made a new server in our enterprise, using "Fedora 7" (64 bits). We have Squid 3, installed, and we need to authenticate our users in one of the DC's (Windows 2003 Server DC).
> The problem:
> We started configuring Squid with basic authentication; it worked fine, but we got the user's password through "Ethereal Software". This is a problem here, because we have a lot of students and teachers that we need to guarantee security to them and against them.
> So we tried "digest authentication", and our problem started. Our tests failed, and we didn't find any documentation about how to implement "digest_ldap_auth" to check the username and password.
> We don't know if our idea about digest authentication is right or wrong. We imagine that we can simply authenticate in "Windows 2003 Server DC" (as basic authentication does), without storing the user's password into the Linux Server. Is that possible? If yes, where can I find instructions about how to use it?
> If you can help us about this, and even if our idea about digest authentication between Squid and Windows 2003 Server is wrong, it would be very nice.
> I would like to thank you for your time, and sorry for any inconvenience.
>
> Regards,
>

There is a help how-to in the wiki
http://wiki.squid-cache.org/KnowledgeBase/Using_the_digest_LDAP_authetication_helper

There are also some other auth mechanisms that may be useful to you:
http://wiki.squid-cache.org/NegotiateAuthentication
http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM

Amos
Re: [squid-users] Digest Authentication in Squid through LDAP in Windows 2003 DC
Luis Claudio Botelho - Chefe de Tecnologia e Redes wrote:

> Hi,
>
> Please, I need some help about Digest Authentication.
> We made a new server in our enterprise, using "Fedora 7" (64 bits). We have Squid 3, installed, and we need to authenticate our users in one of the DC's (Windows 2003 Server DC).
> The problem:
> We started configuring Squid with basic authentication; it worked fine, but we got the user's password through "Ethereal Software". This is a problem here, because we have a lot of students and teachers that we need to guarantee security to them and against them.
> So we tried "digest authentication", and our problem started. Our tests failed, and we didn't find any documentation about how to implement "digest_ldap_auth" to check the username and password.

Effectively you need to either store the Digest encrypted password, or the plain text password on the LDAP server. It's a fine solution if you use it from the start, but a bit of a pain to retrofit.

> We don't know if our idea about digest authentication is right or wrong. We imagine that we can simply authenticate in "Windows 2003 Server DC" (as basic authentication does), without storing the user's password into the Linux Server. Is that possible? If yes, where can I find instructions about how to use it?
> If you can help us about this, and even if our idea about digest authentication between Squid and Windows 2003 Server is wrong, it would be very nice.
> I would like to thank you for your time, and sorry for any inconvenience.

Given you have an Active Directory domain, you might be better served authenticating directly against it:
http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM

Fedora 7 should come with a nifty utility called "authconfig", which might eliminate much (but not all) of the text file fiddling that the example requires.

> Regards,
>
> Luis Claudio Botelho
> Chefe de Tecnologia e Redes
> Coordenadoria Geral de Informática
> Centro Universitário da FEI
> São Bernardo do Campo - SP
> 4353-2900 ramal 2117
>
> "The great secret of life is to spend it in something that endures more than itself"
> "In the box was written: Windows NT, 2000 or better. So I installed Linux"
> "Knowing is not enough, we must apply. Willing is not enough, we must do."

As a disclaimer, I have not used NTLM authentication with Squid, but I have a CentOS 4 install that allows Cyrus-IMAPd to authenticate against ADS.

Chris
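Why the directory has to hold the password or its digest hash, as an added example (not code from this thread or from Squid): a proxy can only check a Digest response by recomputing it from HA1 = MD5(user:realm:password) as defined in RFC 2617, so a directory that only verifies binds gives it nothing to compute with. The realm is the one from the squid.conf quoted in this thread; the user, password, nonce and all function names are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user, realm, password):
    # The long-term Digest secret: MD5(user:realm:password).
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 request-digest for qop=auth.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def proxy_accepts(stored_ha1, req):
    # The verifier never sees the password; it can only recompute the
    # response from a stored HA1 (or from a stored plain-text password).
    if stored_ha1 is None:  # directory that only offers "bind with password"
        return False
    expected = digest_response(stored_ha1, req["method"], req["uri"],
                               req["nonce"], req["nc"], req["cnonce"])
    return hmac.compare_digest(expected, req["response"])

def browser_request(user, realm, password, nonce):
    # What a browser sends after the 407 challenge (constructed values).
    req = {"method": "GET", "uri": "http://example.org/", "nonce": nonce,
           "nc": "00000001", "cnonce": "0a4f113b"}
    req["response"] = digest_response(ha1(user, realm, password), **req)
    return req

def demo():
    realm = "squid-valencia"  # realm from the squid.conf in this thread
    user, password = "alice", "constructed-password"  # constructed account
    req = browser_request(user, realm, password, nonce="constructed-nonce")
    return {
        "ha1_for_configured_realm": proxy_accepts(ha1(user, realm, password), req),
        "ha1_for_other_realm": proxy_accepts(ha1(user, "other-realm", password), req),
        "bind_only_directory": proxy_accepts(None, req),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The second case matters when the hash is what gets stored: HA1 is bound to the realm string, so it has to be generated for the exact value given to auth_param digest realm.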
[squid-users] Digest Authentication in Squid through LDAP in Windows 2003 DC
Hi,

Please, I need some help about Digest Authentication.
We made a new server in our enterprise, using "Fedora 7" (64 bits). We have Squid 3, installed, and we need to authenticate our users in one of the DC's (Windows 2003 Server DC).
The problem:
We started configuring Squid with basic authentication; it worked fine, but we got the user's password through "Ethereal Software". This is a problem here, because we have a lot of students and teachers that we need to guarantee security to them and against them.
So we tried "digest authentication", and our problem started. Our tests failed, and we didn't find any documentation about how to implement "digest_ldap_auth" to check the username and password.
We don't know if our idea about digest authentication is right or wrong. We imagine that we can simply authenticate in "Windows 2003 Server DC" (as basic authentication does), without storing the user's password into the Linux Server. Is that possible? If yes, where can I find instructions about how to use it?
If you can help us about this, and even if our idea about digest authentication between Squid and Windows 2003 Server is wrong, it would be very nice.
I would like to thank you for your time, and sorry for any inconvenience.

Regards,

Luis Claudio Botelho
Chefe de Tecnologia e Redes
Coordenadoria Geral de Informática
Centro Universitário da FEI
São Bernardo do Campo - SP
4353-2900 ramal 2117

"The great secret of life is to spend it in something that endures more than itself"
"In the box was written: Windows NT, 2000 or better. So I installed Linux"
"Knowing is not enough, we must apply. Willing is not enough, we must do."