Re: [squid-users] Authorization via LDAP group

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 12 Apr 2010 23:56:08 +1200

GIGO . wrote:
> Authorizing users via LDAP group:
>
>
> It is listed in the squid_ldap_group man page that using -D binddn -W
> secret file is to be preferred on -D binddn -w password. While it
> provides extra security than printing the password in plaintext
> inside squid.conf. Doesn't this query itself go in clear text over the
> network? If this is a risk how to handle this situation?
>

The reasoning goes that if the squid.conf gets compromised, then the
password itself is secured in a sub-file which hopefully is harder to
compromise.

It's very easy to compromise any content of squid.conf; the squid.conf
may be posted here or elsewhere when asking for help, or the cachemgr
password which allows access to a full squid.conf dump may be compromised.

Using the -W option means that the secret file is only read internally
to the helper and used in the post-connection LDAP binding. It's up to
you whether you configure the LDAP helper to use TLS and secure the wire
or not.

>
> 2. Or perform this query over TLS? and how it can be done?
>

See the helper man page you already found for the relevant command line
arguments. The server portion someone else will need to help with.

>
> 3. Allowing anonymous queries can also be configured in Active
> directory however it does not look appropriate. May be it has no
> issues in the total private setup!

That's a problem you need to decide on. I agree it does look suspect to
choose that if you want security.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1
Received on Mon Apr 12 2010 - 11:56:22 MDT
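A worked version of the hardening discussed in this thread, added here as an example and not part of Amos's reply or of Squid itself: a shell snippet that creates the -W secret file with owner-only permissions, audits that it stayed private, and emits the hardened external_acl_type line (-W plus -Z for TLS) beside the weak -w form. The helper path, the example.com DNs and the LDAP host are placeholder assumptions; the flags themselves are the ones documented in the squid_ldap_group man page.

```shell
#!/bin/sh
# Added example (not from the squid-users thread). Assumed placeholders:
#   helper path /usr/lib/squid/squid_ldap_group, the example.com DNs and host.
# Flags used (-D, -w, -W, -Z, -H, -b, -f, -R) are from the squid_ldap_group man page.

# Create the -W secret file readable only by its owner (the account the helper
# runs as). umask 077 keeps the file private from the moment it exists, so it
# is never briefly world-readable before the chmod.
make_bind_secret() {
  secret_file=$1; bind_password=$2
  ( umask 077 && printf '%s\n' "$bind_password" > "$secret_file" ) || return 1
  chmod 0600 "$secret_file"
}

# Audit check: succeed only if the secret file exists and has no group/other bits.
secret_is_private() {
  [ -f "$1" ] || return 1
  perm=$(ls -ld "$1" | cut -c1-10)
  case "$perm" in
    -rw-------|-r--------) return 0 ;;
    *) return 1 ;;
  esac
}

# Weak form: the bind password sits in squid.conf itself (and, as a helper
# argument, is generally visible in process listings), so anything that
# exposes squid.conf, including a cachemgr config dump, exposes the password.
weak_acl_line() {
  printf 'external_acl_type ldap_group %%LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=example,dc=com" -f "(&(objectclass=person)(sAMAccountName=%%v)(memberOf=cn=%%a,ou=groups,dc=example,dc=com))" -D "cn=squid,ou=svc,dc=example,dc=com" -w %s -H ldap://dc.example.com\n' "$1"
}

# Hardened form: -W makes the helper read the password from the private file,
# and -Z enables TLS so neither the bind nor the group query crosses the wire
# in clear text. squid.conf then contains only a path, not a secret.
hardened_acl_line() {
  printf 'external_acl_type ldap_group %%LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=example,dc=com" -f "(&(objectclass=person)(sAMAccountName=%%v)(memberOf=cn=%%a,ou=groups,dc=example,dc=com))" -D "cn=squid,ou=svc,dc=example,dc=com" -W %s -Z -H ldap://dc.example.com\n' "$1"
}
```

The emitted line is paired in squid.conf with an acl such as `acl proxy_users external ldap_group internet`, where the group name fills %a.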