# Squid + openLDAP with hashed password? [SOLVED by workaround]

## mocsokmike

I am experimenting with Squid using my openLDAP as authentication backend.

I got it working, but I don't like using the LDAP bind password in cleartext, and all my other attempts failed. It seems only a cleartext password can be used...

Here is what I tried:

I created a hashed password file in /etc/squid/ldap.secret using this command:

```
slappasswd -n > /etc/squid/ldap.secret
```

I tried to authenticate myself via command line, using this command:

```
/usr/libexec/squid/basic_ldap_auth -v 3 -b "ou=Users,dc=domain,dc=com" -D "cn=admin,dc=domain,dc=com" -W "/etc/squid/ldap.secret" -f uid=%s -h LDAP_IP
```

(I used the proper DN and IP of course)

The result was:

```
basic_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'

ERR Success
```

When I use this command:

```
/usr/libexec/squid/basic_ldap_auth -v 3 -b "ou=Users,dc=domain,dc=com" -D "cn=admin,dc=domain,dc=com" -w LDAP_PW -f uid=%s -h LDAP_IP
```

(Where LDAP_PW is my LDAP password in cleartext)

...Then the result is:

```
OK
```

I have the same result when I create a cleartext passwordfile using this command:

```
slappasswd -h {CLEARTEXT} -n > /etc/squid/ldap.secret
```

I have tried SSHA, SHA, MD5 and CRYPT as well. Is it possible to store a hashed password in the passwordfile at all? A cleartext passwordfile isn't really better than writing the password directly to squid.conf...

Versions and USE flags:

```
net-nds/openldap-2.4.38-r2  USE="berkdb crypt ssl syslog tcpd -cxx -debug -experimental -gnutls -icu -iodbc -ipv6 -kerberos -minimal -odbc -overlays -perl -samba -sasl (-selinux) -slp -smbkrb5passwd" ABI_X86="(64) (-32) (-x32)"

net-proxy/squid-3.5.1  USE="htcp ldap pam ssl ssl-crtd wccp wccpv2 -caps -ecap -esi (-ipf-transparent) -ipv6 -kerberos (-kqueue) -logrotate -mysql -nis (-pf-transparent) -postgres -qos -radius -samba -sasl (-selinux) -snmp -sqlite {-test} -tproxy"
```

----------
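Why the hashed file is rejected, shown as an added example (not part of the original posts, and not Squid or OpenLDAP code): an LDAP simple bind sends the password itself and the server hashes what it receives, so the text of an `{SSHA}` value is just a different, wrong password. The `simple_bind` directory model and the sample password are constructed for illustration, and the `{SSHA}` scheme is assumed for the stored `userPassword`.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"

def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored: str, presented: bytes) -> bool:
    """Server-side check: re-hash the presented bytes with the stored salt."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(presented + salt).digest()
    return hmac.compare_digest(candidate, digest)

def simple_bind(directory: dict, dn: str, presented: bytes) -> str:
    """Toy model of a simple bind (hypothetical helper, not a real LDAP API)."""
    stored = directory.get(dn)
    if stored is None or not ssha_verify(stored, presented):
        return "Invalid credentials"
    return "Success"

def demo() -> dict:
    password = b"constructed-example-password"  # constructed sample value
    dn = "cn=admin,dc=domain,dc=com"
    directory = {dn: ssha_hash(password)}  # userPassword as the server stores it
    # A file produced by slappasswd holds a new hash string with a fresh salt;
    # a helper that reads the file sends that string as the bind password.
    secret_file = ssha_hash(password).encode("ascii")
    return {
        "cleartext": simple_bind(directory, dn, password),
        "hash_from_file": simple_bind(directory, dn, secret_file),
        "stored_hash_itself": simple_bind(directory, dn, directory[dn].encode("ascii")),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Even the exact stored hash fails as a bind password, because the server hashes whatever it receives before comparing.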

## massimo

I've never done this myself but could this work? http://wiki.squid-cache.org/KnowledgeBase/LdapBackedDigestAuthentication

----------

## mocsokmike

Yes, I tried this too. It also works only if my password is in cleartext.

The howto you linked has the following lines to create and "protect" the passwordfile:

```
echo "digestpass" > /etc/digestreader_cred

chown proxy:proxy /etc/digestreader_cred

chmod 440 /etc/digestreader_cred
```

:(

----------

## mocsokmike

In case someone else tries to accomplish what I tried here, this is my workaround:

1. Install pam_ldap and nss_ldap.

2. Configure PAM to authenticate against your LDAP.

3. Use basic_pam_auth with squid to authenticate your users.

pam_ldap can handle a hashed passwordfile.

----------

