Re: [squid-users] question on digest_ldap_auth

From: Kinkie <gkinkie_at_gmail.com>
Date: Tue, 13 Jan 2009 17:41:40 +0100

On Tue, Jan 13, 2009 at 3:58 PM, Leonardo Rodrigues Magalhães
<leolistas_at_solutti.com.br> wrote:
>
> I'm actually running squid (2.7 stable4) with squid_ldap_auth for
> authenticating users in my MS Active Directory tree. I'm running:
>
> auth_param basic program /usr/bin/squid_ldap_auth -R -b
> "dc=XXXXXXX,dc=XXXXX" -D "cn=XXXXX,ou=Internet,dc=XXXXXX,dc=XXXXXXX"
> -w "XXXXXX" -f sAMAccountName=%s -h 192.168.0.8
>
>
> I was trying to change from basic authentication to digest one, to
> avoid cleartext passwords flowing over the network. But I'm not having
> success on that.
>
>
> Can anyone share a working digest_ldap_auth syntax that is working to
> authenticate users in MS AD?

I'm not really sure it's even possible: Microsoft KB
http://support.microsoft.com/kb/222028 says that in order for IIS to
be able to offer Digest authentication, passwords have to be stored in
AD using "reversible encryption", as Digest authentication uses
encryption mechanisms which are not compatible with those used in AD.
I don't expect that AD would make plaintext-equivalent passwords
available over LDAP...

-- 
    /kinkie
Received on Tue Jan 13 2009 - 16:41:45 MST
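
The incompatibility described in the reply above, as an added example that is not part of the original message: an HTTP Digest verifier (RFC 2617, qop=auth) must hold HA1 = MD5(user:realm:password) or the password itself, so a directory that keeps only its own one-way hash cannot check the response. The sample values are the RFC 2617 example request; the salted SHA-256 "directory hash" is a constructed stand-in, not AD's actual storage format.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    # RFC 2617 HA1: the only secret input to the Digest response.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(secret, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 response for qop=auth; `secret` is whatever the verifier holds.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{secret}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(stored_secret, client_response, **challenge):
    # Server side: recompute from the stored secret, compare in constant time.
    expected = digest_response(stored_secret, **challenge)
    return hmac.compare_digest(expected, client_response)

# Constructed sample values (the RFC 2617 section 3.5 example request).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
CHALLENGE = dict(method="GET", uri="/dir/index.html",
                 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 nc="00000001", cnonce="0a4f113b")

def demo():
    server_ha1 = ha1(USER, REALM, PASSWORD)
    client = digest_response(ha1(USER, REALM, PASSWORD), **CHALLENGE)
    # Verifier that stores HA1 (or a recoverable password): check succeeds.
    with_ha1 = verify(server_ha1, client, **CHALLENGE)
    # Stand-in for a directory that keeps only its own one-way hash
    # (salted SHA-256 here, an assumption for illustration): HA1 cannot
    # be derived from it, so the same client response is rejected.
    other = hashlib.sha256(b"constructed-salt" + PASSWORD.encode()).hexdigest()
    with_other = verify(other, client, **CHALLENGE)
    # HA1 is plaintext-equivalent: a copy of it answers a fresh challenge
    # without the password ever being known.
    copied_ha1 = server_ha1
    fresh = dict(CHALLENGE, nonce="constructed-fresh-nonce")
    forged = digest_response(copied_ha1, **fresh)
    ha1_equivalent = verify(server_ha1, forged, **fresh)
    return client, with_ha1, with_other, ha1_equivalent

if __name__ == "__main__":
    print(demo())
```

Any store that can serve Digest therefore holds a value that works as a credential for that realm and needs the same protection as a cleartext password.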
