[squid-users] ldap authentication with encrypted credentials

Sampei sampei02 at tiscali.it
Mon May 2 13:37:18 UTC 2016


Squid is running on an old Linux Fedora server.

On 02.05.2016 13:43 Amos Jeffries wrote:
> On 2/05/2016 6:39 p.m., Sampei wrote:
>>   I'm going to configure Squid 2.7 STABLE3 to authenticate clients
>> (Windows XP/7/10) in an Active Directory environment (Windows 2000
>> server).
>
> You have my most sincere condolences.
>
> Squid-3.5 is available for Windows. See
> <http://wiki.squid-cache.org/KnowledgeBase/Windows#Squid-3.5>. At least
> you can update that component.
>
> That is assuming Squid is running on a Windows box at all. There is no
> need for it to do so. You might find it better to run Squid on a
> non-Windows machine with Samba integration to the AD server. There are
> socket limitations imposed by Windows that can make Squid peak service
> x10 slower than on any other OS.
>
>
>>
>> I used directive "auth_param basic program /usr/lib/squid/ldap_auth -v3
>> ..." but I read basic authentication is extremely weak and it transmits
>> user passwords as cleartext.
>
> Let's put it this way. Clear text password in Basic authentication is
> slightly more secure today than the encrypted NTLM implemented in that
> Windows 2000 server you are using.
>
> (And neither one is a good choice unless the transport itself is
> encrypted, i.e. TLS / HTTPS).
>
>
>> How can I transmit encrypted credentials?
>>
>
> Microsoft AD LDAP interface requires Basic authentication with cleartext
> passwords. It is a limit imposed by the Microsoft implementation of AD.
> Nobody I'm aware of has ever been able to adequately explain why, but
> use of secure credentials was never implemented for their LDAP interface.
>
> There are other AD interfaces than LDAP though, and they actually allow
> more secure credentials to be used. Look into Negotiate/Kerberos
> authentication. You will need that for the Win7 and Win10 clients anyway.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
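The two alternatives Amos points at (Negotiate/Kerberos against AD, and TLS on the transport) written out as a squid.conf fragment. This is an added example, not configuration from this thread or from the Squid project. It assumes the Squid 3.5 helper names (negotiate_kerberos_auth, basic_ldap_auth) rather than the Squid 2.7 ldap_auth the poster used, and a hypothetical realm EXAMPLE.COM, domain controller dc1.example.com, proxy hostname proxy.example.com and a dedicated read-only bind account; every one of those names is a placeholder to replace.

```conf
# --- BEFORE (the poster's setup, paraphrased): Basic auth, simple bind ---
# The browser sends "user:password" base64-encoded to Squid, and Squid
# forwards it to the DC in a cleartext LDAP simple bind on port 389.
# auth_param basic program /usr/lib/squid/ldap_auth -v3 ...

# --- AFTER: Negotiate/Kerberos first, Basic over StartTLS as fallback ---

# Kerberos for domain-joined Win7/Win10 clients. The proxy needs a
# service principal HTTP/proxy.example.com in AD and its keytab on the
# Squid host (hypothetical names; the helper reads the keytab from the
# default Kerberos location or KRB5_KTNAME).
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive on

# Basic fallback for clients without a Kerberos ticket. -Z upgrades the
# Squid-to-DC LDAP connection with StartTLS so the simple bind is not
# cleartext on the wire; -R avoids chasing AD referrals; -W keeps the
# bind password out of squid.conf (file must be mode 0600, owned by the
# squid user). Placeholder base DN, bind DN and DC name.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 -Z -H ldap://dc1.example.com \
    -b "dc=example,dc=com" \
    -D "cn=squid-bind,cn=Users,dc=example,dc=com" -W /etc/squid/ldap_bind_pw \
    -f "(&(objectClass=user)(sAMAccountName=%s))"
auth_param basic children 5
auth_param basic realm Proxy authentication
auth_param basic credentialsttl 2 hours

# Require a successful login from either scheme; Squid offers Negotiate
# before Basic in the 407 challenge in the order the schemes are defined.
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow authenticated
http_access deny all
```

Two checks before relying on this. Run the Basic helper by hand: it reads one "username password" pair per line on stdin and must answer OK for a valid pair and ERR for a bad one; if it answers ERR for everything, the bind DN, base DN or StartTLS trust of the DC certificate is wrong, not Squid. For the Negotiate side, kinit with the keytab on the proxy host (kinit -k HTTP/proxy.example.com@EXAMPLE.COM) has to succeed, and clients must address the proxy by the hostname in that principal, not by IP, or the browser will silently fall back to Basic. Note what -Z does and does not protect: it encrypts the hop from Squid to the domain controller only; the browser still sends the Basic credentials to Squid in base64, which is the transport Amos's parenthetical about TLS/HTTPS is about.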
