[squid-users] ldap authentication with encrypted credentials

Sampei sampei02 at tiscali.it
Wed May 4 11:56:15 UTC 2016 

I'll explain better:
Squid is running on Debian 5 older server and every Windows (XP/7/10) 
client uses it to surf on web.
Clients are configured in outofdate Microsoft domain where Domain 
Controllers are based on Windows 2000 server.
So far I permit Internet access to clients by specify IP address of 
computers in squid.conf file but now I'd like to manage internet access 
by asking to user its AD credentials.
Now I'm not able to update systems so I have to schedule it upgrade for 
next year.

>>>Look into Negotiate/Kerberos authentication. You will need that for 
>>> the Win7 and Win10 clients anyway
For Windows 7/10 clients, the Basic authentication (Squid 2.7) with 
LDAP helper will not able to work ?
While Kerberos will work both with older clients and newer ones?




Il 02.05.2016 13:43 Amos Jeffries ha scritto:

> On 2/05/2016 6:39 p.m., Sampei wrote:
>
>> I'm going to configure Squid 2.7 Stable3 to authenticate clients
>> (Windows XP/7/10) in Active Directory environment (Windows 2000
>> server).
>
> You have my most sincere condolences.
>
> Squid-3.5 is available for Windows. see
> . At least
> you can update that component.
>
> That is assuming Squid is running on a Windows box at all. There is 
> no
> need for it to do so. You might find it better to run Squid on a
> non-Windows machine with Samba integration to the AD server. There 
> are
> socket limitations imposed by Windows that can make Squid peak 
> service
> x10 slower than on any other OS.
>
>> I used directive "auth_param basic program /usr/lib/squid/ldap_auth 
>> -v3
>> ..." but I read basic authentication is extremely weak and It 
>> transmits
>> user passwords as cleartext.
>
> Lets put it this way. Clear text password in Basic authentication is
> slightly more secure today than the encrypted NTLM implemented in 
> that
> Windows 2000 server you are using.
>
> (And neither one is a good choice unless the transport itself is
> encrypted, ie TLS / HTTPS).
>
>>> How can I transmit encrypted credentials
>>
>
> Microsoft AD LDAP interface requires Basic authentication with 
> cleartext
> passwords. It is a limit imposed by the Microsoft implementation of 
> AD.
> Nobody I'm aware of has ever been able to adequately explain why, but
> use of secure credentials was never implemented for their LDAP 
> interface.
>
> There are other AD interfaces than LDAP though, and they actually 
> allow
> more secure credentials to be used. Look into Negotiate/Kerberos
> authentication. You will need that for the Win7 and Win10 clients 
> anyway.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org [2]
> http://lists.squid-cache.org/listinfo/squid-users [3]


Links:
------
[1] http://wiki.squid-cache.org/KnowledgeBase/Windows#Squid-3.5
[2] mailto:squid-users at lists.squid-cache.org
[3] http://lists.squid-cache.org/listinfo/squid-users



Con Tutto Incluso Light navighi fino a 20 Mega senza limiti e chiami a 
0 cent/minuto verso tutti i fissi e i mobili in Italia a 19,95 euro/mese 
per sempre. In piu' ora l'attivazione e' Gratis! http://casa.tiscali.it/

More information about the squid-users mailing list