Henrik Nordstrom wrote:
> ons 2007-06-13 klockan 17:11 +0200 skrev Etienne Pretorius:
>
>> Hello List,
>>
>> I have a slight problem. I need to squid to authenticate against a samba
>> PDC with an LDAP backend. I would like it to do the Authentication
>> without the help of SAMBA and to get the password right out of the LDAP
>> server and unhash.
>>
>
> Should be doable, but you'll need to implement the hash function to
> compare the passwords.. unless Samba stores the plaintext password in
> their password backend.. (which I doubt..)
>
>
I am first trying to see if I can Authenticate via plain-text
compassions without the hashed implementation so
that I know that I am on the correct track.
>> Would this be the helper I am looking for (squid3):
>>
>> Usage: digest_pw_auth(LDAP_backend) -b basedn -f filter [options]
>> ldap_server_name
>>
>
> That helper is for the Digest authentication scheme. Requires either
> plain-text or Digest realm specific hashed passwords in the backend.
>
>
So I assume that I can use this helper to see if I can authenticate in a
plain-text way from the returned attribute value.
As the other helpers seems to expect "bind" privileges to the LDAP
server - something I am avoiding, in
my opinion a little privilege to any authentication scheme could lead to
an hack of some sort in the future.
>> And could someone please provide me with an example of its usage.... as
>> I am having no luck here testing it.
>>
>> [root@xxxxx:/usr/lib/squid3] ./digest_ldap_auth -R -b
>> "ou=People,dc=domain,dc=co,dc=za" -u "uid" -A sambaNTPassword -h
>> ldap_server
>> etiennep 83152D7BEBBCA0BF0E5E170005097A69
>> ERR
>>
>
> Are you really using 83152D7BEBBCA0BF0E5E170005097A69 as your password?
> Awfully long string to type..
>
> Also please note that using the -A option retreives that attribute from
> the LDAP in order to compare with the supplied password. To use this the
> user squid_ldap_auth binds as must have read access on the attribute.
> Any password related attributes usually has very strict access controls
> in most LDAP servers..
>
>
Yes, I was trying to do a plain-text by entering my hashed password
myself to see if it worked.
> What do your user object look like in the LDAP tree?
>
> Regards
> Henrik
>
[root@apollo:~] ldapsearch -b
"uid=etiennep,ou=People,dc=domain,dc=co,dc=za" -x
# extended LDIF
#
# LDAPv3
# base <uid=etiennep,ou=People,dc=domain,dc=co,dc=za> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# etiennep, People, domain.co.za
dn: uid=etiennep,ou=People,dc=domain,dc=co,dc=za
objectClass: sambaSamAccount
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
sambaHomeDrive: X:
sambaDomainName: CPT-OFFICE
sambaAcctFlags: [XU ]
displayName: etiennep
sambaHomePath: \\APOLLO\users\etiennep
sambaProfilePath: \\APOLLO\profiles\etiennep
sambaLMPassword: 3E156727B5CBF95B25AD3B83FA6627C7
sambaNTPassword: 83152D7BEBBCA0BF0E5E170005097A69
sambaPwdLastSet: 1176375582
shadowWarning: 10
shadowInactive: 10
shadowMin: 1
shadowMax: 365
homeDirectory: /home/etiennep
loginShell: /bin/false
uid: etiennep
cn: Etienne Pretorius
uidNumber: 2005
sn: Pretorius
givenName: Etienne
title: Network Administrator
employeeType: Employee
sambaSID: S-1-5-21-3139382641-418891753-366912486-5010
sambaPrimaryGroupSID: S-1-5-21-3139382641-418891753-366912486-513
gidNumber: 513
manager:
As you can see I am able to do a anonymous bind and query the entry
directly. I get the value for the attribute, but am I entering it
correctly in the helper? There is so little documentation on how to
debug these issues....
Thank you,
Etienne Pretorius
Received on Thu Jun 14 2007 - 04:00:28 MDT
This archive was generated by hypermail pre-2.1.9 : Sun Jul 01 2007 - 12:00:04 MDT