RE: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

From: GIGO . <gigoz_at_msn.com>
Date: Wed, 7 Apr 2010 02:52:41 +0000

Dear Markus,

That cleared/explained a lot to me and has given me direction for developing a better understanding of the whole concept. Thanks a lot.

regards,

Bilal

----------------------------------------
> To: squid-users_at_squid-cache.org
> From: huaraz_at_moeller.plus.com
> Date: Tue, 6 Apr 2010 20:14:32 +0100
> Subject: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
>
> Hi Bilal,
>
> It is a bit more complicated. It is not a pure Kerberos authentication but
> a Negotiate/Kerberos authentication.
>
> If you have a Windows client and the proxy sends WWW-Proxy-Authorize:
> Negotiate, the Windows client will first try to get a Kerberos ticket and, if
> that succeeds, sends a Negotiate response with a Kerberos token to the proxy.
> If the Windows client fails to get a Kerberos ticket, the client will send a
> Negotiate response with an NTLM token to the proxy. Unfortunately there is
> as yet no squid helper which can handle both a Negotiate/Kerberos response and
> a Negotiate/NTLM response (although maybe the samba ntlm helper can). So
> there is a fallback when you use Negotiate, but it has some caveats.
>
> Regarding your second point, I can not really judge which one is better; I
> think it will depend on your environment.
>
> Regards
> Markus
>
> "GIGO ." wrote in message
> news:SNT134-w101CBED44254F957CDA154B9180_at_phx.gbl...
>
> Dear Markus,
>
> Please, I have a few confusions which I want to resolve.
>
> 1. If Kerberos authentication fails, then what would be the fallback behaviour?
> Would Basic authentication to LDAP be used instead? Does it need to
> be defined? What is the best strategy, as Basic authentication will be in
> clear text? In a Microsoft environment the fallback is to NTLM authentication
> if Kerberos fails; isn't that a better strategy?
>
>
>
> 2. Isn't it better to use the combination of Kerberos/LDAP only for SSO with
> Active Directory? Why is winbind/Samba referred to in many tutorials, while to
> me it looks redundant? Does it give any additional benefit, or is it more
> stable? Can you please enlighten me.
>
>
>
>
> regards,
> Bilal
>
> ----------------------------------------
>> To: squid-users_at_squid-cache.org
>> From: huaraz_at_moeller.plus.com
>> Date: Sat, 3 Apr 2010 13:34:15 +0100
>> Subject: [squid-users] Re: SSO with Active Directory-Squid Clients
>>
>> Have a look at
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos and
>> http://sourceforge.net/projects/squidkerbauth/files/squidkerbldap/squid_kerb_ldap-1.2.1/squid_kerb_ldap-1.2.1.tar.gz/download
>>
>> Regards
>> Markus
>>
>> "GIGO ." wrote in message
>> news:SNT134-w171836624CE7937AD90D3EB91B0_at_phx.gbl...
>>
>> Dear All/Amos,
>>
>> I want to allow certain (not all) Active Directory users to use squid by way
>> of SSO with Active Directory. That means when anyone from those specific
>> users logs into Active Directory, they should automatically have access
>> to the internet via the Squid proxy. Other AD users who have not been granted
>> permissions in Squid will be disallowed. Is it possible? Please guide me in
>> detail.
>>
>>
>> This was my assumption of how it would be done:
>>
>> I needed to compile squid with these additional options:
>> --enable-basic-auth-helpers="LDAP" --enable-auth="basic,negotiate,ntlm"
>> --enable-external-acl-helpers="wbinfo_group,ldap_group" --enable-negotiate-auth-helpers="squid_kerb_auth"
>> Right??
>>
>>
>> I need to configure krb5.conf to point to AD as default_realm on CentOS 5.4
>> too, right?
>>
>>
>> I think that I must make CentOS 5.4 a member of the domain? Am I right,
>> or is it not necessary?
>>
>>
>> How will these specific AD users (with internet access allowed) be
>> told/mentioned to squid?
>>
>>
>>
>> I have also studied your article
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap?action=print
>>
>> However, this allows all (not specific) Active Directory or LDAP users
>> internet access. This logic is just checking the validity of the user account
>> with Active Directory by popping up a login/password prompt, and if that succeeds,
>> network access is granted. Am I right?
>>
>>
>>
>> Bottom line is that I am completely lost and have not much idea what to do
>> and how to do it. We were previously using Microsoft ISA Server and are about
>> to move to Squid, and this requirement is very necessary.
>>
>>
>> regards,
>>
>> Bilal Aslam
>>
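The Negotiate fallback Markus describes is easy to misdiagnose from the proxy side: both a Kerberos token and an NTLM token arrive in the client's Proxy-Authorization header as "Negotiate <base64>", and a Kerberos-only helper simply rejects the NTLM one. The following is an added example, not code from this thread or from the Squid project: it builds two constructed SPNEGO NegTokenInit blobs (the mechToken bodies are placeholders, not real AP-REQ or NTLM messages; the mechanism OIDs are the real ones) and classifies a header value by walking the DER and looking at the first offered mechanism and at any NTLMSSP signature in the optimistic token. Point classify() at a header copied from a packet capture to tell whether a client actually did Kerberos or fell back to NTLM.

```python
import base64

# Mechanism OIDs that appear inside a SPNEGO (RFC 4178) NegTokenInit.
SPNEGO = "1.3.6.1.5.5.2"
KRB5 = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"        # legacy Microsoft Kerberos OID, usually listed first by Windows
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {KRB5, MS_KRB5}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                        # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def iter_tlv(buf):
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, buf[pos:pos + length]
        pos += length


def walk(buf):
    """Depth-first over constructed DER, yielding (tag, value) of every primitive element."""
    for tag, value in iter_tlv(buf):
        if tag & 0x20:
            yield from walk(value)
        else:
            yield tag, value


def neg_token_init(mech_oids, mech_token):
    """Build a SPNEGO NegTokenInit offering mech_oids, with an optimistic token for the first one."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    token = tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, encode_oid(SPNEGO) + tlv(0xA0, tlv(0x30, mech_types + token)))


def classify(proxy_authorization):
    """Report which mechanism a Proxy-Authorization header value really carries."""
    scheme, _, param = proxy_authorization.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"                           # user:password is only base64, readable on the wire
    if scheme == "ntlm":
        return "ntlm"
    if scheme != "negotiate":
        return "unknown"
    try:
        raw = base64.b64decode(param, validate=True)
        if raw.startswith(b"NTLMSSP\x00"):
            return "negotiate/ntlm"              # bare NTLMSSP message without the SPNEGO wrapper
        if raw[:1] != b"\x60":
            return "negotiate/unknown"
        parts = list(walk(raw))
    except (ValueError, IndexError):
        return "negotiate/malformed"
    mechs = [decode_oid(v) for t, v in parts if t == 0x06 and decode_oid(v) != SPNEGO]
    tokens = [v for t, v in parts if t == 0x04]
    if any(tok.startswith(b"NTLMSSP\x00") for tok in tokens):
        return "negotiate/ntlm"                  # the client gave up on Kerberos and fell back
    if mechs and mechs[0] in KERBEROS_OIDS:
        return "negotiate/kerberos"              # what a Kerberos-only helper like squid_kerb_auth handles
    if mechs and mechs[0] == NTLMSSP:
        return "negotiate/ntlm"
    return "negotiate/other"


# Constructed sample headers; the mechToken bodies are placeholders, not real AP-REQ or NTLM messages.
KERB_HEADER = "Negotiate " + base64.b64encode(
    neg_token_init([MS_KRB5, KRB5, NTLMSSP], b"placeholder-kerberos-ap-req")).decode()
NTLM_FALLBACK_HEADER = "Negotiate " + base64.b64encode(
    neg_token_init([NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")).decode()
RAW_NTLM_HEADER = "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for h in (KERB_HEADER, NTLM_FALLBACK_HEADER, RAW_NTLM_HEADER, "Basic dXNlcjpwYXNz"):
        print(classify(h), "<-", h[:40])
```

A real Windows client lists several mechanisms (typically MS_KRB5, KRB5 and NTLMSSP, in that order) and sends the optimistic token for the first one, so the first OID in mechTypes is the reliable indicator; the NTLMSSP signature check catches clients that offer only NTLM after failing to obtain a ticket. A base64 blob beginning with "TlRMTVNT" is NTLMSSP even before decoding, which is a handy eyeball check in a capture.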
Received on Wed Apr 07 2010 - 02:52:49 MDT

This archive was generated by hypermail 2.2.0 : Wed Apr 07 2010 - 12:00:03 MDT