Re: [squid-users] ldap auth & Novell problem

From: Gerben Welter <gerben@dont-contact.us>
Date: Thu, 12 Sep 2002 23:32:10 +0200

At 19:40 9/12/2002 +0200, Henrik Nordstrom wrote:

>clnttrust is a method whereby the client IP will be authorized by the
>server, right?

No, not the IP, but the username is queried and checked in the NDS, so ACLs
can be made based on user/container.

>Not really authentication in the normal sense I guess.

Well, in Novell's view it is. The user is logged in, thus authenticated. So
it's more of a single sign-on mechanism.

>One similar alternative you have as an option today without any
>programming is to install a ident service on your client stations. This
>will allow Squid to query who the logged on user is.
>
>The drawback is the weakness of the ident protocol. To have any form of
>trust in ident you must be able to trust the client workstations. If
>your users are hacker kind of users this obviously will not be the
>case..

I've tried that in a test environment and it works, but I do share your
concerns. If the user knows how to replace the ident program on the
workstation and knows what CN to return to impersonate someone who has more
privileges, then this method isn't adequate.

But then again, clntrust.exe could also be hacked to return fake
identification. An extra check that could be performed (I don't know if
clntrust.exe does that) is to check the NDS for the IP that user is
supposed to be coming from. If the user has authenticated using the
Novell Client32, then the IP stored in the NDS and the IP returning the
identification should match.

Gerben.
Received on Thu Sep 12 2002 - 15:32:05 MDT
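The cross-check proposed in the message above (the ident answer must agree with the address the directory holds for that user), as an added example that is not part of the original thread: a minimal Squid external ACL helper in Python. The directory table, the helper path and the ACL names are assumptions; the in-memory lookup is a stand-in for the NDS query.

```python
"""Squid external ACL helper (added example): grant access only when the user
the client's ident daemon reported is, per the directory, logged in from the
same address the request came from.  Assumed squid.conf wiring:
  external_acl_type ident_ip %SRC %IDENT /usr/local/bin/ident_ip_check.py
  acl trusted_ident external ident_ip
  http_access allow trusted_ident
"""
import ipaddress
import sys

# Constructed stand-in for the NDS/LDAP query "which address is this user
# logged in from"; the entries are sample data, not a real directory.
DIRECTORY = {"alice": "10.0.0.5", "bob": "10.0.0.17"}


def lookup_login_address(user, directory=DIRECTORY):
    """Address the directory holds for user, or None if unknown."""
    return directory.get(user.lower())


def decide(line, directory=DIRECTORY):
    """Map one helper input line '<client-ip> <ident-user>' to OK or ERR.

    ERR when ident gave nothing (Squid passes '-'), when the user is not in
    the directory, or when the recorded login address differs from %SRC.
    """
    parts = line.split()
    if len(parts) != 2:
        return "ERR"
    src, ident_user = parts
    if ident_user == "-":
        return "ERR"
    try:
        src_ip = ipaddress.ip_address(src)
        recorded = lookup_login_address(ident_user, directory)
        if recorded is None:
            return "ERR"
        # The cross-check the mail proposes: ident answer and directory agree.
        return "OK" if ipaddress.ip_address(recorded) == src_ip else "ERR"
    except ValueError:  # malformed address in input or directory
        return "ERR"


def main():
    # Squid sends one request per line and expects one verdict line back.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

A forged ident reply that names a user logged in elsewhere is rejected because the source address no longer matches the directory record, while a workstation that also spoofs its address remains outside what this check can catch.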