RE: [squid-users] Transparent LDAP authentication

From: Philip Kloppers <philip@dont-contact.us>
Date: Fri, 28 Mar 2008 23:43:05 +0200

> > I have an OpenSuse 10.2 box that runs Samba / OpenLDAP as a PDC, as
> > well as Squid with delay pools to limit bandwidth dependent upon
> > user, group, time of day and machine. I have managed to get
> > everything working and authenticating correctly using smb_ldap_auth
> > and smb_ldap_group. However, I would like to get the clients to
> > authenticate transparently using the domain credentials from the
> > initial domain logon, without having to re-authenticate every time they open the browser.
> >
> > The clients (mostly XP with a few FreeNX terminals on various Linux
> > flavours) are all set up to use the proxy, and then iptables rules
> > blocking users from bypassing the proxy, so I am not transparently
> > intercepting web traffic, as I understand that authentication cannot
> > be used with a transparent proxy.
> >
> > Is single sign-on a possibility without using an M$ PDC? All the
> > searching seems to point to using ntlm_auth for this sort of thing.
> > PS: I have tried using ntlm_auth to authenticate against the Samba server...
> > the users are able to authenticate correctly, but still need to
> > re-enter their credentials every time they open their browsers.
>
> Samba should be more than adequate in filling in the PDC role
> in this scenario. Can you paste the relevant sections of your
> squid conf?
>
>
> --
> /kinkie

Thanks for the quick reply. My squid.conf in part is as follows:

auth_param basic program /usr/sbin/squid_ldap_auth -b "ou=Users,dc=nsc" -f "uid=%s"
auth_param basic children 5
auth_param basic credentialsttl 1 hour
auth_param basic casesensitive on
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -v3 -b "ou=Groups,dc=nsc" -f "(&(cn=%g)(memberuid=%u))" localhost
# an acl line takes a single type, so the network match and the auth requirement are separate ACLs
acl localnet src 192.168.1.0/24
acl auth_users proxy_auth REQUIRED
acl group_admin external ldap_group admin
acl group_domainAdmins external ldap_group "/etc/squid/groups_domainAdmins"

Philip
Received on Fri Mar 28 2008 - 15:43:39 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT
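As an added example, not part of Philip's post or of the Squid project's own documentation: the fragment below shows how the Samba ntlm_auth helper is normally combined with the LDAP basic scheme already in the posted squid.conf so that domain-joined Windows clients authenticate with their logon credentials while other clients fall back to a password prompt. It assumes Squid 2.6 or later, that the Squid host is joined to the Samba domain with winbindd running, that the squid user can read winbindd's privileged pipe (/var/lib/samba/winbindd_privileged), and that the ACL names auth_users and the http_access lines are illustrative. Two points the configuration relies on: Squid offers authentication schemes to the browser in the order the auth_param lines appear, so the NTLM scheme goes first; and credentialsttl only controls how long Squid caches a username/password pair it has already verified, it has no effect on when a browser decides to re-prompt for basic credentials.

```conf
# Added example (not from the original post): NTLM single sign-on through
# Samba's ntlm_auth, with the existing LDAP basic scheme kept as fallback.
# Assumes a domain-joined Squid host with winbindd running and the squid
# user able to read /var/lib/samba/winbindd_privileged.

# NTLM first: browsers doing integrated Windows authentication answer
# this challenge with the credentials from the domain logon, no prompt.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

# Basic fallback for clients that cannot do NTLM (the FreeNX terminals);
# this is the LDAP helper from the posted configuration.
auth_param basic program /usr/sbin/squid_ldap_auth -b "ou=Users,dc=nsc" -f "uid=%s"
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 1 hour
auth_param basic casesensitive on

# Group lookups stay in LDAP. %LOGIN carries the user name produced by
# whichever scheme won; ntlm_auth reports DOMAIN\user, so -S strips the
# NT domain before it is substituted into the memberUid filter.
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -S -v3 -b "ou=Groups,dc=nsc" -f "(&(cn=%g)(memberuid=%u))" localhost

# One acl line takes a single type: network match and auth requirement
# are separate ACLs (acl name auth_users is illustrative).
acl localnet src 192.168.1.0/24
acl auth_users proxy_auth REQUIRED
acl group_admin external ldap_group admin
acl group_domainAdmins external ldap_group "/etc/squid/groups_domainAdmins"

# Challenge only hosts on the LAN; everything else is refused before any
# credentials are requested (http_access lines are illustrative).
http_access deny !localnet
http_access allow auth_users
http_access deny all
```

After reloading, a quick check of the NTLM path that does not involve a browser is `ntlm_auth --username=someuser --password=...` run as the squid user on the proxy host; if that fails, the problem is in the winbind join or the pipe permissions, not in squid.conf.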