Re: [squid-users] NTLM Auth for workstation not users

From: Rolf Loudon <rolf_at_ses.tas.gov.au>
Date: Fri, 5 Dec 2008 12:56:07 +1100

Hello

We do authentication by user and by workstation. Our business rules
dictate a scenario like yours, where certain users get access
excepting certain workstations where any user is able to gain access,
and several variations.

In Active Directory we have user groups and workstation groups. We
keep them in separate groups as mixing types of objects in the one
group is apparently not recommended.

For user auth it's the usual helper setup querying AD via an LDAP
lookup supplying user/pass and group membership.

For workstation auth we wrote a simple short shell script that takes
%SRC as an input and then uses dig to work out the name via a reverse
lookup (the script actually does a bit more checking in case multiple
answers are returned and having to determine - by a forward lookup -
which name is the correct one for the address supplied).

The output of that script produces a computer name which we use as the
input to squid_ldap_group along with the name of the relevant
workstation group. The output of that helper query then tells us
whether the computer is in a certain group and thus we can accept/deny
or combine with other values such as a user's membership of some other
group and so on.

Works fine with the notable requirement that dns lookups must be
current and in-addr.arpa zones are setup and consistent.

regards

r.

> Razvan Grigore wrote:
>>> What you are looking for is winbind helper. It runs as an external
>>> ACL.
>>> Any other approach will also need to run an external ACL, so the
>>> answer to
>>> your second question is yes and the example is winbind.
>>>
>>>
>> The winbind helper is declared like this:
>> external_acl_type ad_group children=3 ttl=120 %LOGIN
>> /usr/lib/squid/wbinfo_group.pl
>> I pass to it only the username. What I want is allow ANY username
>> (even if it's not member of Internet AD group) who is logged on a
>> computer member of this Internet group. I guess I have to pass the
>> %SRC variable to an external helper and use nmblookup to get the
>> computer name and then I'm stuck.
>> Any ideas?
>> Razvan
>
> You appear not to understand the real concepts behind authentication
> and authorization....
>
> You can authenticate a username/password pair, regardless of
> location. (standard login)
>
> THEN you can use the username/password to retrieve and verify a
> particular group for the username/password (winbind group external
> ACL).
>
> THEN you can also verify a location with one of the username/
> password or username/password/group tuplets.
>
> You cannot use AD _user_ groups to assign a group membership to a
> _location_ while ignoring username.
>
>
> For the setup you are now describing the secure way to do it is to
> ignore username completely and use the location (source IP) in an
> ACL. As has been mentioned several times already.
>
> You can, _additionally_ to that, force users to login correctly
> (anyone with valid username/password pair) before the external ACL
> gets run. But even then the external ACL MUST ignore the login
> details it gets.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
> Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1

Received on Fri Dec 05 2008 - 01:56:18 MST
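The workstation-side helper Rolf describes (reverse lookup of %SRC with dig, forward lookup to pick the right name when several PTR answers come back, then squid_ldap_group against a workstation group), written out as an added example. This is not Rolf's script and not part of Squid; the filename, the `--helper` argument, the LDAP_GROUP_OPTS variable and the idea that the AD computer object is matched by its short host name are assumptions, and the squid_ldap_group options for your directory (-b, -D, -f and so on) have to be supplied. The forward confirmation is what protects against the "stale in-addr.arpa" failure the message warns about: a PTR record whose name no longer resolves back to the client IP is ignored rather than trusted.

```shell
#!/bin/sh
# ws_group_check.sh (added example, hypothetical name): Squid external ACL
# helper that maps the client IP (%SRC) to a forward-confirmed host name and
# asks squid_ldap_group whether that computer is in the requested AD group.
#
# Assumed squid.conf wiring (names are illustrative):
#   external_acl_type ws_group ttl=300 %SRC /usr/local/bin/ws_group_check.sh --helper
#   acl internet_ws external ws_group "Internet-Workstations"
#   http_access allow internet_ws
#
# Squid then feeds one "<ip> <group>" line per lookup and expects OK or ERR.

# DNS lookups live in two small functions so they can be swapped out (e.g.
# for testing or for a different resolver tool). dig is the real resolver.
ptr_lookup() { dig +short -x "$1" | sed 's/\.$//'; }   # IP -> PTR names
a_lookup()   { dig +short "$1" A; }                     # name -> A records

# Print the first PTR name whose A records contain the original IP
# (forward-confirmed reverse DNS). Prints nothing and returns 1 when no
# candidate confirms, e.g. when in-addr.arpa holds a stale record.
fcrdns_name() {
    _ip=$1
    for _name in $(ptr_lookup "$_ip"); do
        case " $(a_lookup "$_name" | tr '\n' ' ') " in
            *" $_ip "*) printf '%s\n' "$_name"; return 0 ;;
        esac
    done
    return 1
}

# Ask squid_ldap_group whether computer $1 is in group $2; prints OK or ERR.
# Assumption: the AD computer object is matched by its short host name via
# the -f filter in LDAP_GROUP_OPTS (set -b, -D, -w, -f for your directory).
group_check() {
    printf '%s %s\n' "$1" "$2" | /usr/lib/squid/squid_ldap_group ${LDAP_GROUP_OPTS:-}
}

# One decision: IP + group -> OK/ERR. The login name, if any, is never
# consulted here; only the location of the client matters.
decide() {
    if _fqdn=$(fcrdns_name "$1"); then
        group_check "${_fqdn%%.*}" "$2"   # strip the domain part
    else
        echo ERR                           # unconfirmed reverse DNS: deny
    fi
}

# Helper main loop, only started when Squid passes --helper.
run_helper() {
    while read -r ip group; do
        decide "$ip" "$group"
    done
}

case "${1:-}" in
    --helper) run_helper ;;
esac
```

Because the helper deliberately ignores %LOGIN, it can be combined in http_access with a separate user-group ACL (the usual squid_ldap_group on the user) to express "allowed users, or any user on an allowed workstation" without mixing object types in one AD group.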

This archive was generated by hypermail 2.2.0 : Mon Dec 08 2008 - 12:00:02 MST