[squid-users] ldap authentication with encrypted credentials

Amos Jeffries squid3 at treenet.co.nz
Wed May 4 12:23:03 UTC 2016


On 4/05/2016 11:56 p.m., Sampei wrote:
> I'll explain better:
> Squid is running on an older Debian 5 server and every Windows (XP/7/10)
> client uses it to surf the web.
> Clients are configured in an out-of-date Microsoft domain where the Domain
> Controllers are based on Windows 2000 server.
> So far I permit Internet access to clients by specifying the IP address of
> computers in the squid.conf file, but now I'd like to manage internet access
> by asking the user for their AD credentials.
> Right now I'm not able to update the systems, so I have to schedule the upgrade for
> next year.

I've been in those shoes myself, and recommend you may want to keep the
IP based authorization until you can get a better AD system.

> 
>>>> Look into Negotiate/Kerberos authentication. You will need that for
>>>> the Win7 and Win10 clients anyway
> For Windows 7/10 clients, will Basic authentication (Squid 2.7) with the LDAP
> helper not be able to work?
> While Kerberos will work both with older clients and newer ones?
> 

Yes they all still support Basic, but you said that was not desirable.

The secure methods that leaves you with are NTLMv2 (definitely *not*
NTLMv1) or Negotiate/Kerberos.

NTLM was deprecated by MS in 2006. All software produced by MS since
then is increasingly hostile to NTLM being used and preferring Kerberos.
XP can handle Kerberos with maybe a little config. And it is both more
secure and faster so a double-win once you get over the learning curve
for its management tools.

I'm not sure if or how the Win2k server can handle Kerberos. You will
need to find that out.

Amos
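The squid.conf layout this reply is pointing at, as an added example that is not part of the original thread: Negotiate/Kerberos is offered first, and Basic against LDAP is kept only as a fallback for clients that cannot negotiate. The helper paths, the proxy's service principal, the realm and the LDAP parameters are assumed placeholders for a Squid 3.x install.

```conf
# Offer Negotiate (Kerberos) first. Squid presents schemes to the client
# in the order the auth_param lines appear, so domain-joined Win7/Win10
# (and a correctly configured XP) client never falls back to Basic.
# The SPN and the helper path below are placeholders (assumed values).
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive on

# Basic against LDAP only as a last resort. Basic sends the password
# base64-encoded, not encrypted, which is exactly what the original
# question wanted to avoid; remove these lines once every client can
# do Kerberos. Bind DN, base DN, DC hostname and password file are placeholders.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=example,dc=com" -D "cn=squid,cn=Users,dc=example,dc=com" -W /etc/squid/ldap_pw -f "sAMAccountName=%s" -h dc.example.com
auth_param basic children 5 startup=0 idle=1
auth_param basic realm Proxy (domain credentials)
auth_param basic credentialsttl 2 hours

# Require a successful login from whichever scheme the client ended up using.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

The Negotiate helper needs a keytab holding the proxy's HTTP/ service principal, which is where the Windows 2000 DC question Amos raises has to be answered before this will work.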
