Re: [squid-users] Digest Authentication in Squid through LDAP in Windows 2003 DC

From: Luis Claudio Botelho - Chefe de Tecnologia e Redes <lbotelho@dont-contact.us>
Date: Tue, 19 Feb 2008 14:50:30 -0300

Hi Amos Jeffries,
Thank you for your cooperation.

So I used one of the links you sent to me. And I configured in shell scripts
the tests, and it's ok.
But when I put into squid.conf, I can't authenticate. I tried but it is still
asking me for a user and password in the web browser.

These are my lines in squid.conf:
==============================================
auth_param digest realm squid-valencia
auth_param digest children 5
auth_param digest program /usr/lib/squid/digest_ldap_auth -b "ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -u "cn" -A "l" -D "cn=Proxy_User,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -w "123456" -e -v 3 -h 172.16.0.13 -d
==============================================

I think that it's right. And I don't know if my problem is now in another
line:

==============================================
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=feinet,dc=fei,dc=edu,dc=br" -D "cn=proxy_user,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br" -w "123456" -f "(&(objectclass=person)(memberof=cn=%a,ou=Funcionarios,ou=Usuarios,dc=feinet,dc=fei,dc=edu,dc=br))" -h 172.16.0.13
==============================================

This external_acl_type works fine with basic, and I'm not sure that it's the
right way to use external_acl_type with digest authentication.

If you could help me once again, it would be very nice.

Thank you again!

Regards,

Luis - FEI - Brazil

----- Original Message -----
From: "Amos Jeffries" <squid3@treenet.co.nz>
To: "Luis Claudio Botelho - Chefe de Tecnologia e Redes"
<lbotelho@fei.edu.br>
Cc: <squid-users@squid-cache.org>
Sent: Monday, February 18, 2008 8:26 PM
Subject: Re: [squid-users] Digest Authentication in Squid through LDAP in
Windows 2003 DC

>> Hi,
>>
>> Please, I need some help about Digest Authentication.
>> We made a new server in our enterprise, using "Fedora 7" (64 bits).
>> We have Squid 3, installed, and we need to authenticate our users in one
>> of the DC's (Windows 2003 Server DC).
>> The problem:
>> We started configuring Squid with basic authentication; it worked fine,
>> but we got the user's password through "Ethereal Software". This is a
>> problem here, because we have a lot of students and teachers that we need
>> to guarantee security to them and against them.
>> So we tried "digest authentication", and our problem started. Our tests
>> failed, and we didn't find any documentation about how to implement
>> "digest_ldap_auth" to check the username and password.
>> We don't know if our idea about digest authentication is right or wrong.
>> We imagine that we can simply authenticate in "Windows 2003 Server DC" (as
>> basic authentication does), without storing the user's password into the
>> Linux Server. Is that possible? If yes, where can I find instructions
>> about how to use it?
>> If you can help us about this, and even if our idea about digest
>> authentication between Squid and Windows 2003 Server is wrong, it would
>> be very nice.
>> I would like to thank you for your time, and sorry for any inconvenience.
>>
>> Regards,
>>
>
> There is a help how-to in the wiki
> http://wiki.squid-cache.org/KnowledgeBase/Using_the_digest_LDAP_authetication_helper
>
> There are also some other auth mechanisms that may be useful to you:
>
> http://wiki.squid-cache.org/NegotiateAuthentication
>
> http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM
>
> Amos
>
>
Received on Tue Feb 19 2008 - 10:50:43 MST
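
Added example, not part of the original messages or of Squid: a Python sketch of what a packet capture shows under Basic versus Digest (RFC 2617, qop=auth), and why the verifying side of Digest needs a stored per-user secret (HA1) rather than the password arriving on the wire. The realm is the one from the auth_param line above; the user, password, nonce and URL are constructed sample values.

```python
import base64
import hashlib
import hmac

REALM = "squid-valencia"  # realm from the auth_param line in the message


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_credentials(header_value):
    """Recover (user, password) from a captured Basic credential."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def ha1(user, realm, password):
    """HA1 = MD5(user:realm:password), the secret both ends must know."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth; the password itself is never sent."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Verifier side: recompute from the stored HA1 and compare."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    user, password = "alice", "constructed-pass"
    captured = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    print("Basic capture reveals:", basic_credentials(captured))

    stored = ha1(user, REALM, password)  # what the verifier must hold
    args = ("GET", "http://example.org/", "constructed-nonce", "00000001", "0a4f113b")
    sent = digest_response(stored, *args)
    print("Digest capture reveals only:", sent)
    print("verifies:", verify(stored, *args, sent))
    print("wrong password:", verify(ha1(user, REALM, "guess"), *args, sent))
```
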