>Thank you for your howto. Because of your howto I've had a test system
>logging access by DOMAIN\Username for a while now. After through
>review I can't see where the --require-membership-of switch is added.
You add the switch to the ntlm_auth command:
$ /usr/bin/ntlm_auth --help
So mine looks like this:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=AD_DOMAIN\\AD_GROUP
>I still wonder if someone is keeping track of the various AD Auth
>mechanisms and stating out loud which is the most elegant.
Well "most elegant" is a matter of perspective, just like our different
requirements.
>ntlm_auth requires Kerberos and Samba and domain membership. I don't
>like this on a firewall box.
>
>Best I can tell ldap_auth and ldap_group don't require either of
>these. Am I wrong?
Yeah, I wouldn't want that there either. I haven’t used the ldap_auth
but if it can bind with the user/pass asking for access it would be
golden in your scenario, otherwise you need anonymous binding or a service
account, both of which aren’t secure.
That also won't be seamless, you'll always need to login. the ntlm_auth is
seamless, so I achieve SSO for all my browsers here.
jlc
Ps. Reply to all, or rewrite the recipient to the list email ;)
Received on Wed Jan 21 2009 - 23:13:15 MST
This archive was generated by hypermail 2.2.0 : Thu Jan 22 2009 - 12:00:03 MST