Thanks for your answer. Doing it the way you propose, squid uses basic authentication, which exposes user names and passwords in the network because of the simple base64 encoding.

09:26, March 4, 2019, "Alexander Bokovoy via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>:

On ma, 04 maalis 2019, Edward Valley via FreeIPA-users wrote:

Thanks Rob. Squid has a digest LDAP authentication helper. Adapting this
guide
(https://wiki.squid-cache.org/KnowledgeBase/LdapBackedDigestAuthentication)
to FreeIPA, squid digest authentication works fine. I'm just looking for a
way to automate the process of generating digests every time users change
their passwords. Thanks again.

I'd recommend you to switch to
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap instead.

This has a benefit that a password check is done by binding to LDAP
instead of trying to fetch hashes and compare. In other words, it moves
actual authentication check to the LDAP server and makes the whole
problem to disappear.



 Ed.

08:26, March 4, 2019, "Rob Crittenden via FreeIPA-users"
 <freeipa-users@lists.fedorahosted.org>:

   Edward Valley via FreeIPA-users wrote:

      Hello there. I'm trying to set up squid proxy to use FreeIPA as LDAP
      backend for user authentication. Everything works fine while using
      basic authentication. In order to use digest authentication I need
      users to have a specific password storage scheme (MD5 of
      user:realm:password combination). Can someone point me in the right
      direction on how to accomplish it? Coding a new plugin? Extending an
      already existing one? Configuring something? I've made some research
      and it seems everybody integrating squid with FreeIPA is using
      kerberos, but that's something I'll be doing later. Thank you very
      much.

   Digest auth generally requires the password to be available in the clear
   (or reversible), try to avoid it. I think you'd have a hard time trying
   to configure IPA to allow it and you'd be climbing far out on a limb if
   you manage to succeed.

   rob
   _______________________________________________
   FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
   To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
   Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
   List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
   List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
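The three messages above turn on what each Squid authentication scheme needs the server side to hold. The following is an added example, not code from the thread or from Squid or FreeIPA, that makes that concrete: for digest the verifier needs HA1 = MD5(user:realm:password) as defined in RFC 2617, which can only be produced from the cleartext password and is itself password-equivalent for the realm (Rob's point); for the LDAP-bind approach Alexander recommends, the helper forwards the cleartext password to the directory once per check and stores nothing, the trade-off being that the Proxy-Authorization header carries the credentials merely base64-encoded (Edward's point). The user name, realm, nonce, the in-memory directory and the bind stub are constructed for the example; no real LDAP server is contacted.

```python
"""Added example (not from the thread): the secret each Squid helper needs.

digest: the verifier must hold HA1 = MD5(user:realm:password) (RFC 2617).
basic over LDAP bind: the proxy forwards the password to the directory on
every check and keeps nothing; the directory keeps only its own one-way hash.

All names, the realm, the nonce and FAKE_DIRECTORY are constructed here.
"""
import base64
import hashlib
import secrets
import urllib.parse


def digest_ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1. A digest helper has to hand Squid this value (or the
    cleartext password); a one-way hash in the directory cannot produce it."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """Client-side response for the plain (no qop) RFC 2617 digest scheme."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                  response: str) -> bool:
    """Server-side check: needs only HA1, never the password, which is why
    HA1 has to be regenerated every time the password changes."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return secrets.compare_digest(expected, response)


def encode_basic(user: str, password: str) -> str:
    """What a client sends in Proxy-Authorization for basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header_value: str) -> tuple:
    """What anyone on the path sees: base64 is encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# Constructed stand-in for the directory. A real basic_ldap_auth performs an
# LDAP simple bind as the user instead; the directory holds only its own
# password hash and never hands the password (or an HA1) back to the proxy.
FAKE_DIRECTORY = {"edward": "correct horse battery staple"}


def fake_ldap_bind(user: str, password: str) -> bool:
    """Hypothetical bind: succeeds only when the password matches."""
    stored = FAKE_DIRECTORY.get(user)
    return stored is not None and secrets.compare_digest(
        stored.encode(), password.encode())


def basic_helper_line(line: str, bind=fake_ldap_bind) -> str:
    """One round of Squid's basic helper protocol: Squid writes
    'user password' (both rfc1738-escaped) and expects 'OK' or 'ERR'."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = (urllib.parse.unquote(p) for p in parts)
    return "OK" if bind(user, password) else "ERR"


if __name__ == "__main__":
    ha1 = digest_ha1("edward", "EXAMPLE.COM", "correct horse battery staple")
    resp = digest_response(ha1, "GET", "http://example.com/", "nonce-1")
    print("digest verify:",
          verify_digest(ha1, "GET", "http://example.com/", "nonce-1", resp))
    print("basic on the wire decodes to:",
          decode_basic(encode_basic("edward", "pw")))
    print("helper:",
          basic_helper_line("edward correct%20horse%20battery%20staple\n"))
```

Two practical notes on the bind approach: basic_ldap_auth accepts -ZZ to require StartTLS on the helper-to-directory leg, so the forwarded password is not in the clear between Squid and FreeIPA; the client-to-proxy leg, which is what Edward's objection is about, is only protected if clients reach the proxy over TLS or, as the thread already anticipates, by moving to Kerberos/Negotiate.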