Gentoo Forums
Squid + openLDAP with hashed password?[SOLVED by workaround]
Gentoo Forums Forum Index Networking & Security
mocsokmike
Tux's lil' helper

Joined: 04 Aug 2005
Posts: 116
Location: Budapest, Hungary

Posted: Mon Feb 02, 2015 10:23 am    Post subject: Squid + openLDAP with hashed password?[SOLVED by workaround]

I am experimenting with Squid using my openLDAP as the authentication backend.
I got it working, but I don't like using the LDAP bind password in cleartext, and all my other attempts failed. It seems only a cleartext password can be used...

Here is what I tried:
I created a hashed password file in /etc/squid/ldap.secret using this command:
Code:
slappasswd -n > /etc/squid/ldap.secret

I tried to authenticate myself via command line, using this command:
Code:
/usr/libexec/squid/basic_ldap_auth -v 3 -b "ou=Users,dc=domain,dc=com" -D "cn=admin,dc=domain,dc=com" -W "/etc/squid/ldap.secret" -f uid=%s -h LDAP_IP

(I used the proper DN and IP of course)
The result was:
Code:
basic_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'
ERR Success

When I use this command:
Code:
/usr/libexec/squid/basic_ldap_auth -v 3 -b "ou=Users,dc=domain,dc=com" -D "cn=admin,dc=domain,dc=com" -w LDAP_PW -f uid=%s -h LDAP_IP

(Where LDAP_PW is my LDAP password in cleartext)
...Then the result is:
Code:
OK

I have the same result when I create a cleartext password file using this command:
Code:
slappasswd -h {CLEARTEXT} -n > /etc/squid/ldap.secret

I have tried SSHA, SHA, MD5 and CRYPT as well. Is it possible to store a hashed password in the password file at all? A cleartext password file isn't really better than writing the password directly to squid.conf...

Versions and USE flags:
Code:
net-nds/openldap-2.4.38-r2  USE="berkdb crypt ssl syslog tcpd -cxx -debug -experimental -gnutls -icu -iodbc -ipv6 -kerberos -minimal -odbc -overlays -perl -samba -sasl (-selinux) -slp -smbkrb5passwd" ABI_X86="(64) (-32) (-x32)"
net-proxy/squid-3.5.1  USE="htcp ldap pam ssl ssl-crtd wccp wccpv2 -caps -ecap -esi (-ipf-transparent) -ipv6 -kerberos (-kqueue) -logrotate -mysql -nis (-pf-transparent) -postgres -qos -radius -samba -sasl (-selinux) -snmp -sqlite {-test} -tproxy"

_________________
format c:
emerge system


Last edited by mocsokmike on Fri Feb 13, 2015 10:11 am; edited 1 time in total
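The failure above is structural rather than a Squid bug: `-W` hands the file contents to slapd as the simple-bind password, and slapd verifies a simple bind by hashing what the client sent with the salt stored in `userPassword` and comparing. A `{SSHA}` value is therefore a verifier, not a credential, and sending it back as the password can only produce "Invalid credentials". The following is an added example, not code from the thread or from OpenLDAP: a small re-implementation of the `{SSHA}` scheme `slappasswd` uses, a check that shows the hash itself never verifies, and a permissions check for the cleartext bind-password file that Squid ends up having to read. The password, salt and temporary file are constructed sample data; the function names are this example's own.

```python
"""Why a slappasswd hash cannot stand in for the Squid bind password (added example)."""
import base64
import hashlib
import hmac
import os
import stat
import tempfile
from typing import Optional

PREFIX = "{SSHA}"
SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; in {SSHA} the salt follows the digest


def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value the way slappasswd -h {SSHA} does (salt supplied by the caller)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Server-side check for a simple bind: hash the candidate with the stored
    salt and compare against the stored digest in constant time.

    It succeeds only when the client presents the cleartext password, so a
    bind-password file holding the {SSHA} string can never authenticate.
    """
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, computed)


def secret_file_ok(path: str, owner_uid: Optional[int] = None) -> bool:
    """Accept a cleartext bind-password file only if it is a regular file with no
    group/other permission bits and, when owner_uid is given, owned by that uid."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if stat.S_IMODE(st.st_mode) & 0o077:
        return False
    return owner_uid is None or st.st_uid == owner_uid


def demo() -> dict:
    """Run both checks on constructed data and return the outcomes by name."""
    # Constructed sample: fixed salt here; slappasswd picks a random one.
    stored = make_ssha("correct horse", b"\x01\x02\x03\x04")
    results = {
        "cleartext_binds": verify_ssha(stored, "correct horse"),
        # This is what the -W attempt with a hashed file amounts to.
        "hash_as_password_binds": verify_ssha(stored, stored),
        "wrong_password_binds": verify_ssha(stored, "wrong"),
    }
    # Constructed bind-password file; compare world-readable vs owner-only modes.
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("correct horse\n")
        path = f.name
    try:
        os.chmod(path, 0o644)
        results["world_readable_ok"] = secret_file_ok(path)
        os.chmod(path, 0o600)
        results["owner_only_ok"] = secret_file_ok(path, os.getuid())
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Since the file has to hold the cleartext password, the mitigation is to restrict who can read it: `secret_file_ok` rejects anything readable by group or other, which is the check to run against `/etc/squid/ldap.secret` after creating it. Binding with a dedicated, minimally privileged reader DN rather than the directory admin limits what that file is worth if it does leak.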
massimo
Veteran

Joined: 22 Jun 2003
Posts: 1226

Posted: Tue Feb 03, 2015 12:34 pm

I've never done this myself but could this work? http://wiki.squid-cache.org/KnowledgeBase/LdapBackedDigestAuthentication
_________________
Hello 911? How are you?
mocsokmike
Tux's lil' helper

Posted: Wed Feb 04, 2015 2:54 pm

Yes, I tried this too. It also works only if my password is in cleartext.
The howto you linked has the following lines to create and "protect" the passwordfile:
Code:
echo "digestpass" > /etc/digestreader_cred
chown proxy:proxy /etc/digestreader_cred
chmod 440 /etc/digestreader_cred

:(
mocsokmike
Tux's lil' helper

Posted: Fri Feb 13, 2015 10:10 am

In case someone else tries to accomplish what I tried here, this is my workaround:

1. Install pam_ldap and nss_ldap.
2. Configure PAM to authenticate against your LDAP.
3. Use basic_pam_auth with squid to authenticate your users.

pam_ldap can handle a hashed password file.