[squid-users] Re: Re: SSO with Active Directory-Squid Clients

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 6 Apr 2010 20:14:32 +0100

Hi Bilal,

It is a bit more complicated. it is not a pure Kerberos authentication but
a Negotiate/Kerberos authentication.

If you have a Windows client and the proxy send WWW-Proxy-Authorize:
Negotiate the Windows client will try first to get a Kerberos ticket and if
that succeeds sends a Negotiate response with a Kerberos token to the proxy.
If the Windows client fails to get a Kerberos ticket the client will send a
Negotiate response with a NTLM token to the proxy. Unfortunately there is
yet no squid helper which can handle both a Negotiate/Kerberos response and
a Negotiate/NTLM response (although maybe the samba ntlm helper can). So
there is a fallback when you use Negotiate, but it has some caveats.

Regarding your second point I can not really judge which one is better I
think it will depend on your environment.

Regards
Markus

"GIGO ." <gigoz_at_msn.com> wrote in message
news:SNT134-w101CBED44254F957CDA154B9180_at_phx.gbl...

Dear Markus,

Please i have few confusions which i want to satisfy.

1. If kerberos Authentication fails then what would be the fallback behavior
would the Basic authentication to Ldap will be used instead? Does it need to
be defined? what is the best strategy as Basic Authentication will be in
clear text. In microsoft Environment the fallback is to NTLM authentication
if kerberos fails isnt it a better strategy.

2. Isnt it better to use the combinition of kerberos/ldap only for SSO with
active directory? Why winbind/Samba is referred in many tutorials while to
me it look redundant? does it give any additional benefit or is it more
stable? can u please enlighten me.

regards,
Bilal

----------------------------------------
> To: squid-users_at_squid-cache.org
> From: huaraz_at_moeller.plus.com
> Date: Sat, 3 Apr 2010 13:34:15 +0100
> Subject: [squid-users] Re: SSO with Active Directory-Squid Clients
>
> Have a look at
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos and
> http://sourceforge.net/projects/squidkerbauth/files/squidkerbldap/squid_kerb_ldap-1.2.1/squid_kerb_ldap-1.2.1.tar.gz/download
>
> Regards
> Markus
>
> "GIGO ." wrote in message
> news:SNT134-w171836624CE7937AD90D3EB91B0_at_phx.gbl...
>
> Dear All/Amos,
>
> I want to allow certain(not all) Active Directory users to use squid by
> way
> of SSO with Active Directory. So means when any one from those specific
> users will login into Active Directory they should have automatically
> access
> to internet via Squid Proxy. Other AD users which have not permissions
> granted in Squid will be disallowed. Is it possible? How please guide in
> detail.
>
>
> This was my assumption of how it would be done:
>
> I needed to compile squid with these additional
> options --enable-basic-auth-helpers="LDAP" --enable-auth="basic,negotiate,ntlm"
> --enable-external-acl-helpers="wbinfo_group,ldap_group" --enable-negotiate-auth-helpers="squid_kerb_auth"
> Right??
>
>
> I need to configure krb5.conf to point to AD as Default_realm on CENTOS
> 5.4
> to right?
>
>
> I think that i must need to make Centos 5.4 member of the domain? Am i
> right
> or its not necessary
>
>
> How these specific AD users(with internet access allowed) will be
> told/mentioned to the squid?
>
>
>
> I have also studied your article
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap?action=print
>
> However this is allowing all(not specific) Active Directory or LDAP users
> internet access. This logic is just checking the validity of user account
> with Active directory by popping up a login/password and if succeeded
> network access is granted. Am i right?
>
>
>
> Bottom line is that i am completely lost and have not much idea what and
> how
> to do it. We previously are using Microsoft ISA server and are about to
> move
> to Squid and this requirement is very necessary.
>
>
> regards,
>
> Bilal Aslam
>
>
>
>
>
>
>
>
>
>
> _________________________________________________________________
> Hotmail: Free, trusted and rich email service.
> https://signup.live.com/signup.aspx?id=60969
>
>
_________________________________________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.
https://signup.live.com/signup.aspx?id=60969
Received on Tue Apr 06 2010 - 19:20:24 MDT

This archive was generated by hypermail 2.2.0 : Wed Apr 07 2010 - 12:00:03 MDT