Edward Valley via FreeIPA-users wrote:
Hello there. I'm trying to set up squid proxy to use FreeIPA as LDAP backend for user authentication. Everything works fine while using basic authentication. In order to use digest authentication I need users to have a specific password storage scheme (MD5 of user:realm:password combination). Can someone point me in the right direction on how to accomplish it? Coding a new plugin? Extending an already existing one? Configuring something? I've done some research and it seems everybody integrating squid with FreeIPA is using kerberos, but that's something I'll be doing later. Thank you very much.
Digest auth generally requires the password to be available in the clear (or reversible); try to avoid it. I think you'd have a hard time trying to configure IPA to allow it and you'd be climbing far out on a limb if you manage to succeed.
rob
On Mon, Mar 4, 2019 at 2:27 PM Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Edward Valley via FreeIPA-users wrote:
> > Hello there. I'm trying to set up squid proxy to use FreeIPA as LDAP backend for user authentication. Everything works fine while using basic authentication. In order to use digest authentication I need users to have a specific password storage scheme (MD5 of user:realm:password combination). Can someone point me in the right direction on how to accomplish it? Coding a new plugin? Extending an already existing one? Configuring something? I've done some research and it seems everybody integrating squid with FreeIPA is using kerberos, but that's something I'll be doing later. Thank you very much.
> Digest auth generally requires the password to be available in the clear (or reversible); try to avoid it. I think you'd have a hard time trying to configure IPA to allow it and you'd be climbing far out on a limb if you manage to succeed.
> rob
Also we have a page about squid+FreeIPA kerberos integration at: https://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sig...
Please let us know if it does not provide what you need.
François