We do get to use SSL because we are in acceleration mode, as your linked message points out. A recent post suggested stunnel, but when I read more into that it looked like something that had to be set up on all the client PCs. Henrik's suggestion is a good one. We are implementing Squid to replace an expensive software package with yearly fees associated with it. I scoured this list and the web, got a fairly good understanding of what was going on with Squid, but still couldn't complete our configuration. We paid $1000 US for some assistance and are still way ahead of the game. We now have an authentication issue, and need something that Squid doesn't do out of the box. The consultant we are working with says others have shown an interest in this too, and that what we want to do stands a good chance of being useful enough to be added to squid3. For the 8-16 hrs worth of work quoted to us the price is right and it benefits all. I work for a good-sized company, so getting the OK for things like this isn't that hard. It depends on your company's willingness to spend a little money for security, but you may find the price is fairly cheap to get digest working for you. Of course it might be $100,000 too, but you won't know until you ask :)
To answer your question, in our case the client connects to Squid via SSL (accelerated mode). Squid uses BA to LDAP and then proxies to the origin back-end web servers. The only way the passwords could be obtained is hacking into the LDAP directory or putting a sniffer on the network segment that is in the server room.

Chris Perreault

-----Original Message-----
From: Ronny Haryanto [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 20, 2004 9:28 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] digest auth and LDAP

Hi all,

So I found this post from Henrik Nordstrom:
http://www.squid-cache.org/mail-archive/squid-users/200212/0005.html

and I quote:

"In what format are the passwords stored in your LDAP directory? Plain text or encrypted? If plain text then it is possible writing a secure channel between Squid and your LDAP server to allow Digest authentication to work. If the password is stored in your LDAP directory using SSHA or another strong hashing scheme then integration of Digest authentication is not mathematically possible."

Basically I don't want the auth information (login+password) flying around in cleartext. So my options come down to using digest auth or an SSL connection to the proxy. But after reading the post above I don't think I can use digest auth, because I don't want passwords to be stored (in LDAP) in cleartext either. And I don't know if there are any browsers out there that talk SSL to the proxy for non-SSL proxied requests; even if there is one, I don't think my users would be very happy if we force them to use just one particular brand of browser, but if there is any I'd like to know anyway.

Is there any other alternative for secure auth? Any suggestions? Surely there must be some people here that are using LDAP auth; what do you do in this case? Do you just leave it cleartext?

Thank you in advance for your time and attention.

Ronny
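The two constraints the thread runs into (Digest needs something the server can turn into HA1; a salted hash in LDAP cannot supply it; Basic over a sniffable segment exposes the password) can be shown in a few lines. The following is an added illustration, not code from either poster or from Squid. The Digest math follows RFC 2617 (MD5, qop=auth, using the RFC's own test vector); the "{SSHA}" record format follows OpenLDAP's storage convention. The "{CLEAR}" and "{HA1}" prefixes are labels made up for this example to mark the two kinds of store that do work; they are not standard LDAP schemes.

```python
"""Digest needs the cleartext password or HA1 = MD5(user:realm:password).
An SSHA hash can only confirm a password presented in clear (Basic), so it
serves Basic auth but yields nothing Digest can use.

Added example; not code from the squid-users posters or from Squid.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# ---- Basic: what a sniffer on the segment recovers ------------------------
def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_header_password(header: str) -> Tuple[str, str]:
    """Base64 is encoding, not encryption: the password falls straight out."""
    user, password = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
    return user, password


# ---- SSHA as OpenLDAP stores it: {SSHA} + base64(sha1(pw + salt) + salt) --
def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Only possible because the attempt arrives in clear (e.g. Basic over SSL)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    attempt = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(attempt, digest)


# ---- RFC 2617 Digest, qop=auth --------------------------------------------
def digest_ha1(user: str, realm: str, password: str) -> str:
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def ha1_for_digest(stored: str, user: str, realm: str) -> Optional[str]:
    """What the proxy can derive from each kind of stored credential."""
    if stored.startswith("{CLEAR}"):   # cleartext in the store: recompute HA1
        return digest_ha1(user, realm, stored[len("{CLEAR}"):])
    if stored.startswith("{HA1}"):     # HA1 stored instead of the password
        return stored[len("{HA1}"):]
    # {SSHA}: a salted one-way SHA-1 of the password. Nothing maps it to
    # MD5(user:realm:password), so Digest cannot be served from this record.
    return None


def server_verify_digest(stored: str, user: str, realm: str, method: str,
                         uri: str, nonce: str, nc: str, cnonce: str,
                         response: str) -> Optional[bool]:
    """True/False when verifiable; None when the store cannot support Digest."""
    ha1 = ha1_for_digest(stored, user, realm)
    if ha1 is None:
        return None
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Test vector from RFC 2617 section 3.5; the SSHA record is constructed here.
    user, realm, pw = "Mufasa", "testrealm@host.com", "Circle Of Life"
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    resp = digest_response(digest_ha1(user, realm, pw), "GET", "/dir/index.html",
                           nonce, nc, cnonce)
    print("client Digest response:", resp)
    print("Basic header leaks:", basic_header_password(basic_header(user, pw)))
    for stored in ("{CLEAR}" + pw, "{HA1}" + digest_ha1(user, realm, pw), ssha_hash(pw)):
        print(stored[:6], "->", server_verify_digest(stored, user, realm, "GET",
                                                    "/dir/index.html", nonce, nc, cnonce, resp))
```

The third store type is the one Henrik's quoted post rules out: the proxy holding only the SSHA record gets `None`, because there is no computation from a salted SHA-1 of the password to the MD5 of `user:realm:password`. The middle option (store HA1 rather than the password) is the general way Digest is deployed without cleartext passwords, at the cost that HA1 is itself a password-equivalent for that realm and must be protected as such.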
