On Tue, 24 Aug 2004, Jean-Michel Bonnefond wrote:
-Use of LDAPS is now supported in squid, starting from version 2.5 Stable5 which should resolv the encryption problem between squid and Active directory.
Correct. But this does not solve client->Squid.
-Using Digest authentication method between client and squid server couldn't be used simultaneously with another authentication scheme like Ldaps.
yes it can, but there is no other backend password databases for digest authentication than a local digest password file. digest authentication can not use the AD directory, not yet anyway.
-Using stunnel (or a similar programm) to encrypt traffic between client and squid and then use LDAPS auth method between squid and ADS. this implies to install a soft on all client which is not a really possible solution for me.
Another option is to use a client which is capable of SSL proxy connections. Reportedly the latest Mozilla versions is capable of this but I have not verified... checking.. can not find any sign of such support in Mozilla 1.7.2, at least not visibly.
-Using squid reverse proxy/Acceleration mode to encrypt all the traffic between client and squid server (including authentication) and then use mod_auth LDAP over a secure channel. I'm not sure this is possible ?! Can really squid run as cache server for all the web contents (indifferently http or https) and encrypt all the traffic between client and squid with SSL?
No.
-Henrik Nordstrom suggest that it might be possible to write a secure channel between Squid and an LDAPS server to allow Digest authentication to work, if the password are stored in cleartext in the ADS (or if at least there is a known copy of the clear password somewhere on the squid server), but I don't have any idea of how this can be implemented. Plus, I know that the password are encrypted in the society directory, which seem to hardness the task.
There is also a Digest interface to MS ADS but this is not very well documented and the little there is is in large parts conflicting. And in addition the Digest implementation in Squid is not well suited for connecting to other Digest providers in the way it seems most external Digest servers is done.
So any suggestion about how I can have an encrypted authentication traffic between client and squid and then use LDAPS to an ADS would be greatly appreciate :)
You could use NTLM via Samba-3 after joining the ADS tree.
Regards Henrik
