[squid-users] ldap authentication with encrypted credentials

Amos Jeffries squid3 at treenet.co.nz
Mon May 2 11:43:41 UTC 2016


On 2/05/2016 6:39 p.m., Sampei wrote:
>   I'm going to configure Squid 2.7 Stable3 to authenticate clients
> (Windows XP/7/10) in Active Directory environment (Windows 2000 server).

You have my most sincere condolences.

Squid-3.5 is available for Windows. see
<http://wiki.squid-cache.org/KnowledgeBase/Windows#Squid-3.5>. At least
you can update that component.

That is assuming Squid is running on a Windows box at all. There is no
need for it to do so. You might find it better to run Squid on a
non-Windows machine with Samba integration to the AD server. There are
socket limitations imposed by Windows that can make Squid peak service
x10 slower than on any other OS.


> 
> I used directive "auth_param basic program /usr/lib/squid/ldap_auth -v3
> ..." but I read basic authentication is extremely weak and It transmits
> user passwords as cleartext.

Lets put it this way. Clear text password in Basic authentication is
slightly more secure today than the encrypted NTLM implemented in that
Windows 2000 server you are using.

(And neither one is a good choice unless the transport itself is
encrypted, ie TLS / HTTPS).


> How can I transmit encrypted credentials? 
> 

Microsoft AD LDAP interface requires Basic authentication with cleartext
passwords. It is a limit imposed by the Microsoft implementation of AD.
Nobody I'm aware of has ever been able to adequately explain why, but
use of secure credentials was never implemented for their LDAP interface.

There are other AD interfaces than LDAP though, and they actually allow
more secure credentials to be used. Look into Negotiate/Kerberos
authentication. You will need that for the Win7 and Win10 clients anyway.

Amos



More information about the squid-users mailing list