[squid-users] Testing Kerberos and LDAP connections

dolson at ihcrc.org dolson at ihcrc.org
Wed Jan 13 17:11:13 UTC 2016 

If I remove the NTLM and Kerberos authentication, is there a way to test the basic LDAP authentication in the script from the command line?

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Wednesday, January 13, 2016 11:05 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Testing Kerberos and LDAP connections

On 14/01/2016 4:36 a.m., dolson at ihcrc.org wrote:
> Is there a way to test the following lines from my squid.conf file to make sure the connections are working correctly?
> 
> ### negotiate kerberos and ntlm authentication auth_param negotiate 
> program /usr/local/bin/negotiate_wrapper -d --ntlm 
> /usr/lib/squid3/ntlm_smb_lm_auth --diagnostics 
> --helper-protocol=squid-2.5-ntlmssp --domain=IHCRC --kerberos 
> /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME auth_param 
> negotiate children 10 auth_param negotiate keep_alive off
> 
> ### pure ntlm authentication
> auth_param ntlm program /usr/lib/squid3/ntlm_smb_lm_auth --diagnostics 
> --helper-protocol=squid-2.5-ntlmssp --domain=IHCRC auth_param ntlm 
> children 10 auth_param ntlm keep_alive off
> 
> ### provide basic authentication via ldap for clients not 
> authenticated via kerberos/ntlm auth_param basic program 
> /usr/lib/squid3/basic_ldap_auth -R -b "dc=ihcrc,dc=org" -D 
> squid at ihcrc.org -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h 
> srv-dataserver2.ihcrc.org auth_param basic children 10 auth_param 
> basic realm Internet Proxy auth_param basic credentialsttl 1 minute
> 
> When I run them at the command lines, minus the statements from Children down, I just get a huge print out of some man pages.  I'm trying to identify why I can't get AD authentication to work correctly on my Squid server, so I'm trying to test each area of the squid.conf file independently.
> 

They do not work. The --* parameters you are passing to ntlm_smb_lm_auth are actually parameters for the Samba ntlm_auth helper. If you need NTLM then you should install that Samba helper and use it instead.


FYI: ntlm_smb_lm_auth is the Squid bundled helepr for doing SMB LanMan authentication. Thats a form of auth for Microsoft Network (circa
1970-1980's) with terrible encryption.
SMB LM crypto is so weak/bad that the Squid helper is actually decrypting it in realtime to extract the user:password and translating them into Basic auth queries against your AD servers. Ironically Basic auth is more secure.
 *** Any software which works with this helper is *very* insecure.

Amos

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list