On Thu, 2007-06-14 at 12:00 +0200, Etienne Pretorius wrote:
>
> So I assume that I can use this helper to see if I can authenticate in a
> plain-text way from the returned attribute value.
You might, IF the LDAP has the plain-text password stored, and
squid_digest_auth is allowed to retrieve this.
> As the other helpers seem to expect "bind" privileges to the LDAP
> server - something I am avoiding
squid_ldap_auth can operate in both modes.
> in
> my opinion a little privilege to any authentication scheme could lead to
> a hack of some sort in the future.
???
> Yes, I was trying to do a plain-text by entering my hashed password
> myself to see if it worked.
Then you should use squid_ldap_auth..
> [root@apollo:~] ldapsearch -b
> # etiennep, People, domain.co.za
> dn: uid=etiennep,ou=People,dc=domain,dc=co,dc=za
> objectClass: posixAccount
> sambaNTPassword: 83152D7BEBBCA0BF0E5E170005097A69
Translates to
squid_ldap_auth -b "ou=People,dc=domain,dc=co,dc=za" -u "uid" -U sambaNTPassword -h ldap_server
if you want squid_ldap_auth to compare the password to the
sambaNTPassword attribute.
> As you can see I am able to do an anonymous bind and query the entry
> directly. I get the value for the attribute, but am I entering it
> correctly in the helper?
Not for the Digest auth helper. But it's correct for the Basic auth
helper.
> There is so little documentation on how to
> debug these issues....
squid_ldap_auth has a debug flag, making it tell you a bit of what it's
doing and how..
Regards
Henrik
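
Added example, not part of the original thread and not Squid code: the ldapsearch output quoted above shows sambaNTPassword being returned to an anonymous bind, and in the compare mode described in the reply the helper checks the submitted password against that attribute value, so it is worth auditing which entries return credential attributes to an unauthenticated search. The attribute list and the sample LDIF below are assumptions constructed for illustration.

```python
import re

# Attributes treated as credential material (assumed list; extend for your schema).
SENSITIVE = {"userpassword", "sambantpassword", "sambalmpassword"}

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def exposed_credentials(ldif_text):
    """Return {dn: [attribute names]} for entries that return credential attributes."""
    findings, dn, attrs = {}, None, set()
    for line in unfold(ldif_text) + [""]:      # trailing "" flushes the last entry
        if not line.strip():                    # blank line ends an entry
            if dn and attrs:
                findings[dn] = sorted(attrs)
            dn, attrs = None, set()
            continue
        if line.startswith("#"):                # ldapsearch comment line
            continue
        m = re.match(r"([A-Za-z][\w;.-]*)(::?)\s*(.*)", line)
        if not m:
            continue
        name, value = m.group(1).split(";")[0], m.group(3)
        if name.lower() == "dn":
            dn = value                          # a base64 "dn::" value is kept encoded
        elif name.lower() in SENSITIVE and value:
            attrs.add(name)                     # record the name only, never the value
    return findings

# Constructed sample shaped like the ldapsearch output in the thread (placeholder hash).
SAMPLE = "\n".join([
    "# etiennep, People, domain.co.za",
    "dn: uid=etiennep,ou=People,dc=domain,dc=co,dc=za",
    "objectClass: posixAccount",
    "sambaNTPassword: 0000000000000000",
    " 0000000000000000",                        # folded continuation line
    "",
    "dn: uid=guest,ou=People,dc=domain,dc=co,dc=za",
    "objectClass: posixAccount",
])
if __name__ == "__main__":
    print(exposed_credentials(SAMPLE))
```

Feed it the output of an anonymous search against your own directory; any entry it reports is a candidate for a tighter access rule on that attribute.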