I have squid running on a gateway machine & I am trying to integrate it with Active Directory for authentication.
I am able to authenticate by using ldap_auth and having this in squid.conf:
/usr/lib/squid/ldap_auth -b OU=my,DC=company,DC=com -h ldapserver -f sAMAccountName=%s -D "CN=myadmin,OU=Unrestricted Users,OU=my,DC=company,DC=com" -w mypwd
However, I am worried about the fact that I have the admin password in cleartext in squid.conf.
Is there a way that I can avoid this?
Squid is running on a debian machine.
You can chmod the squid config file to be something like 600. So it will be readable and writable only by the owner user, such as the proxy user. But you have to be sure to run the squid process as the proxy user to be able to read the configuration file. This way only the system admin (root) will be able to read your squid config file.

Please use the -W file option instead of the -w option. This will allow you to specify a file where the password is located. If you run squid as per your example and you do a ps -ax, you will see the -w password in the process viewer. Any user will be able to see the password.
Secure the file with the correct permissions, e.g. 400, and change the owner to the squid process user.
Secondly, you only need a user that can query Active Directory; this user should not have admin rights.
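The following is an added example, not part of either answer above, showing the two pieces together: a bind-password file created with restrictive permissions (as the first answer recommends for squid.conf, and the second for the password file), and the squid.conf auth_param line rewritten to use -W instead of -w so the password never appears in the process list. The file path /etc/squid/ldap_bind_password and the chown to the Debian proxy user are assumptions; the bind DN is the one from the question.

```shell
#!/bin/sh
# Added example (not the answerers' code): create the ldap_auth bind-password
# file for squid's -W option and check that it is not group/world-readable.
# Assumes a Debian host where the squid process runs as the 'proxy' user.
set -eu

# Write the password into a dedicated file. The umask is applied inside a
# subshell so the file is never world-readable, even for an instant.
write_bind_password_file() {
    file="$1"; password="$2"
    ( umask 077; printf '%s\n' "$password" > "$file" )
    chmod 400 "$file"
    # Only root can hand the file to the proxy user; skip the chown otherwise
    # (and when no 'proxy' account exists on this host).
    if [ "$(id -u)" -eq 0 ] && id proxy >/dev/null 2>&1; then
        chown proxy:proxy "$file"
    fi
}

# Return 0 (true) when the mode string from ls shows no group/other bits,
# i.e. the file is 400 or 600 as the answers recommend.
password_file_is_private() {
    mode=$(ls -l "$1" | cut -c1-10)
    case "$mode" in
        ?rw-------|?r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the squid.conf line. Note -W <file> in place of -w <password>; the
# %%s becomes the %s placeholder that ldap_auth fills with the user name.
squid_auth_line() {
    printf 'auth_param basic program /usr/lib/squid/ldap_auth -b OU=my,DC=company,DC=com -h ldapserver -f sAMAccountName=%%s -D "CN=myadmin,OU=Unrestricted Users,OU=my,DC=company,DC=com" -W %s\n' "$1"
}

# Stand-alone demo using a temporary directory and a constructed password.
# On a real host the file would be /etc/squid/ldap_bind_password (assumed path).
demo() {
    dir=$(mktemp -d)
    f="$dir/ldap_bind_password"
    write_bind_password_file "$f" 'constructed-example-password'
    if password_file_is_private "$f"; then
        echo "password file is private"
    fi
    squid_auth_line "$f"
    rm -rf "$dir"
}

demo
```

After adding the line to squid.conf, `ps -ax` shows only the path given to -W, and only the proxy user (or root) can open that path; the bind account named there should be an ordinary account that can merely read the directory, as the second answer notes.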