Re: [squid-users] Latest greatest Active Directory Auth solution?

From: Jeff Jensen <jjensen_at_unyalli.com>
Date: Thu, 22 Jan 2009 05:46:50 -0700

Thanks Joseph, I found the AD group cannot be a domain local group.
Set to global it works, but that's only good if you only have one
domain. Set to universal it will enumerate users in trusted domains. I
have a user in a trusted domain belonging to a global group in that
domain called internet. The global group internet in that domain is a
member of the local domain's universal group inetfullaccess. I told
ntlm_auth to require membership of the local domain's inetfullaccess
group.

So the ldap_auth ldap_group method is not single sign-on capable?

Jeff

On Wed, Jan 21, 2009 at 4:13 PM, Joseph L. Casale
<JCasale_at_activenetwerx.com> wrote:
>>Thank you for your howto. Because of your howto I've had a test system
>>logging access by DOMAIN\Username for a while now. After thorough
>>review I can't see where the --require-membership-of switch is added.
>
> You add the switch to the ntlm_auth command:
> $ /usr/bin/ntlm_auth --help
> So mine looks like this:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=AD_DOMAIN\\AD_GROUP
>
>>I still wonder if someone is keeping track of the various AD Auth
>>mechanisms and stating out loud which is the most elegant.
>
> Well "most elegant" is a matter of perspective, just like our different
> requirements.
>
>>ntlm_auth requires Kerberos and Samba and domain membership. I don't
>>like this on a firewall box.
>>
>>Best I can tell ldap_auth and ldap_group don't require either of
>>these. Am I wrong?
>
> Yeah, I wouldn't want that there either. I haven't used the ldap_auth
> but if it can bind with the user/pass asking for access it would be
> golden in your scenario, otherwise you need anonymous binding or a service
> account, both of which aren't secure.
>
> That also won't be seamless, you'll always need to login. The ntlm_auth is
> seamless, so I achieve SSO for all my browsers here.
>
> jlc
>
> Ps. Reply to all, or rewrite the recipient to the list email ;)
>

-- 
Jug's are best when they come in pairs with a nice V a-tween em.
Received on Thu Jan 22 2009 - 12:47:01 MST
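A squid.conf fragment, added here as an example and not taken from either poster, showing the ntlm_auth restriction Jeff describes together with a deny-by-default ACL; AD_DOMAIN and inetfullaccess come from the thread, the children count is an assumption.

```conf
# Added example (not from the thread). ntlm_auth performs the group check
# inside the helper, so the --require-membership-of group must be resolvable
# from the proxy's own domain: per the thread, a universal group works across
# trusted domains, a global group only within one domain, a domain local
# group not at all.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=AD_DOMAIN\\inetfullaccess
auth_param ntlm children 10          # assumed value; size for the user population
auth_param ntlm keep_alive on

# Anyone the helper rejects (bad credentials or not in the group) gets no access.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```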
