Hi all, I would like to secure all the authentication traffic between the final client and an LDAP Active Directory server via squid.
After a lot of research in the list archive and other sources, it appear that (tell me if I'm wrong): -Use of LDAPS is now supported in squid, starting from version 2.5 Stable5 which should resolv the encryption problem between squid and Active directory. -Using Digest authentication method between client and squid server couldn't be used simultaneously with another authentication scheme like Ldaps. The solutions that has been proposed are : -Using stunnel (or a similar programm) to encrypt traffic between client and squid and then use LDAPS auth method between squid and ADS. this implies to install a soft on all client which is not a really possible solution for me. -Using squid reverse proxy/Acceleration mode to encrypt all the traffic between client and squid server (including authentication) and then use mod_auth LDAP over a secure channel. I'm not sure this is possible ?! Can really squid run as cache server for all the web contents (indifferently http or https) and encrypt all the traffic between client and squid with SSL? -Henrik Nordstrom suggest that it might be possible to write a secure channel between Squid and an LDAPS server to allow Digest authentication to work, if the password are stored in cleartext in the ADS (or if at least there is a known copy of the clear password somewhere on the squid server), but I don't have any idea of how this can be implemented. Plus, I know that the password are encrypted in the society directory, which seem to hardness the task. So any suggestion about how I can have an encrypted authentication traffic between client and squid and then use LDAPS to an ADS would be greatly appreciate :) Jean-Michel.
