GIGO . wrote:
Authorizing users via LDAP group:
> It is listed in the squid_ldap_group man page that using -D binddn -W
> secretfile is to be preferred over -D binddn -w password. While it
> provides more security than printing the password in plaintext
> inside squid.conf, doesn't this query itself go in clear text over the
> network? If this is a risk, how should it be handled?

The reasoning goes that if the squid.conf gets compromised, then the
password itself is secured in a sub-file which hopefully is harder to
compromise.

It's very easy to compromise any content of squid.conf; the squid.conf
may be posted here or elsewhere when asking for help, or the cachemgr
password which allows access to a full squid.conf dump may be compromised.

Using the -W option means that the secret file is only read internally
to the helper and used in the post-connection LDAP binding. It's up to
you whether you configure the LDAP helper to use TLS and secure the wire
or not.
> 2. Or perform this query over TLS? And how can it be done?

See the helper man page you already found for the relevant command line
arguments. The server portion someone else will need to help with.
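The two command-line points Amos makes above (read the bind password from a
file with -W rather than passing it with -w, and switch on TLS in the helper)
in one place, as an added example that is not from this thread or from the
Squid project. The host name, base DN, bind DN, group name, secret-file path
and password are constructed placeholders; the helper options (-D, -w, -W,
-Z, -v 3, -R, -P, -h, -b, -f) are the squid_ldap_group ones, with %v standing
for the login name and %a for the group name in the -f filter.

```shell
#!/bin/sh
# Added example, not from the thread or from Squid: keep the LDAP bind
# password out of squid.conf (-W secretfile instead of -w password) and
# have the helper encrypt the LDAP connection (-Z = STARTTLS, needs -v 3).
# Paths, host names, DNs, group and password below are constructed placeholders.
set -eu

# Write the bind password to the file the helper reads with -W.
# umask 077 makes the file 0600, so only its owner (the user Squid runs
# its helpers as) can read it; squid_ldap_group uses the file's first line.
write_secret() {
    file=$1
    password=$2
    (umask 077 && printf '%s\n' "$password" > "$file")
}

# Octal permission bits of a file, for both GNU and BSD stat.
secret_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Weak form: the bind password is a literal on the helper command line, so
# every copy of squid.conf (and every cachemgr config dump) contains it.
squid_conf_weak() {
    password=$1
    cat <<EOF
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R -v 3 \\
    -h ldap.example.internal -b "dc=example,dc=internal" \\
    -D "cn=squidproxy,ou=service,dc=example,dc=internal" -w "$password" \\
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf=cn=%a,ou=groups,dc=example,dc=internal))"
EOF
}

# Hardened form: -W points at the 0600 secret file and -Z makes the helper
# STARTTLS the LDAP connection, so neither squid.conf nor the wire carries
# the bind password in clear. %v = login name, %a = group named on the acl line.
squid_conf_hardened() {
    secret_file=$1
    cat <<EOF
external_acl_type ldap_group ttl=300 %LOGIN /usr/lib/squid/squid_ldap_group -R -P -v 3 -Z \\
    -h ldap.example.internal -b "dc=example,dc=internal" \\
    -D "cn=squidproxy,ou=service,dc=example,dc=internal" -W $secret_file \\
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf=cn=%a,ou=groups,dc=example,dc=internal))"
acl ProxyUsers external ldap_group proxy-users
http_access allow ProxyUsers
http_access deny all
EOF
}

# Exit status 0 if the plaintext password occurs anywhere in the
# configuration text read on stdin, 1 otherwise.
conf_leaks_password() {
    grep -q -F -- "$1"
}

# Stand-alone run against a scratch directory.
demo() {
    dir=$(mktemp -d)
    pw='Constructed-Example-Pass'
    write_secret "$dir/ldap_bind.secret" "$pw"
    echo "secret file mode: $(secret_mode "$dir/ldap_bind.secret")"
    if squid_conf_weak "$pw" | conf_leaks_password "$pw"; then
        echo "weak config: password is visible in squid.conf"
    fi
    if ! squid_conf_hardened "$dir/ldap_bind.secret" | conf_leaks_password "$pw"; then
        echo "hardened config: password is not in squid.conf"
    fi
    rm -rf "$dir"
}

demo
```

The -Z handshake only succeeds if the directory server offers STARTTLS on
the LDAP port and the client-side LDAP library trusts its certificate (for
OpenLDAP clients, TLS_CACERT in ldap.conf); that is the server-side part
Amos leaves to someone else. The helper also accepts -H with an ldaps:// URI
where LDAPS on 636 is preferred to STARTTLS on 389.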

> 3. Allowing anonymous queries can also be configured in Active
> Directory, however it does not look appropriate. Maybe it has no
> issues in a totally private setup!

That's a problem you need to decide on. I agree it does look suspect to
choose that if you want security.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.1