>Thanks Joseph, I found the AD group can not be a domain local group.
>Set to global it works but that's only good if you only have one
>domain. Set to universal it will enumerate users in trusted domains. I
>have a user in a trusted domain belonging to a global group in that
>domain called internet. The global group internet in that domain is a
>member of the local domain's universal group inetfullaccess. I told
>ntlm_auth to require membership of the local domains inetfullaccess
>group.
>
>So the ldap_auth ldap_group method is not single signon capable?
Hrm,
I am not sure what happens here, I have seen nested groups break lots more
than just squid?
I haven’t used LDAP in squid, but I can't see how it could possibly do SSO?
LDAP does not know anything about a password hash (that a user would have
after logging in to the domain). That’s why I use an ntlm method, users open
their browser and it passes the credentials along to be checked versus an
LDAP method which will prompt for auth, then check it by either binding
anonymously or with a service account/prompted users creds for whether or
not the user exists and has perms.
jlc
Received on Thu Jan 22 2009 - 13:31:27 MST
This archive was generated by hypermail 2.2.0 : Thu Jan 22 2009 - 12:00:03 MST