Re: [squid-users] Transparent LDAP authentication

From: Kinkie <gkinkie@dont-contact.us>
Date: Sat, 29 Mar 2008 15:22:16 +0100

On Fri, Mar 28, 2008 at 10:43 PM, Philip Kloppers
<philip@norwegian-settlers.co.za> wrote:
>
> > > I have an OpenSuse 10.2 box that runs Samba / OpenLDAP as a PDC, as
> > > well as Squid with delay pools to limit bandwidth dependant upon
> > > user, group, time of day and machine. I have managed to get
> > > everything working and authenticating correctly using smb_ldap_auth
> > > and smb_ldap_group. However, I would like to get the clients to
> > > authenticate transparently using the domain credentials from the
> > > initial domain logon, and not having to re-authenticate every time they open the browser.
> > >
> > > The clients (mostly XP with a few FreeNX terminals on various Linux
> > > flavours) are all set up to use the proxy, and then iptables rules
> > > blocking users from bypassing the proxy, so I am not transparently
> > > intercepting web traffic, as I understand that authentication cannot
> > > be used with a transparent proxy.
> > >
> > > Is single sign-on a possibility without using an M$ PDC? All the
> > > searching seems to point to using ntlm_auth for this sort of thing.
> > > PS: I have tried using ntlm_auth to authenticate against the Samba server...
> > > the users are able to authenticate correctly, but still need to
> > > re-enter their credentials every time they open their browsers.
> >
> > Samba should be more than adequate in filling in the PDC role
> > in this scenario. Can you paste the relevant sections of yoru
> > squid conf?
> >
> >
> > --
> > /kinkie
>
> Thanks for the quick reply. My squid.conf in part is as follows:
>
> auth_param basic program /usr/sbin/squid_ldap_auth -b "ou=Users,dc=nsc" -f "uid=%s"
> auth_param basic children 5
> auth_param basic credentialsttl 1 hour
> auth_param basic casesensitive on
> external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -v3 -b "ou=Groups,dc=nsc" -f "(&(cn=%g)(memberuid=%u))"
> localhost
> acl localnet proxy_auth REQUIRED src 192.168.1.0/24
> acl group_admin external ldap_group admin
> acl group_domainAdmins external ldap_group "/etc/squid/groups_domainAdmins"

This explains things..
If you wish to have transparent authentication, then you need to use
the "ntlm" authentication scheme ("kerberos" too could work, but it's
still not supported by Microsoft clients).
You can check for details on the squid wiki.

-- 
 /kinkie
Received on Sat Mar 29 2008 - 08:22:24 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT