[squid-users] NTLM or fakeauth_auth

From: <apmailist_at_free.fr>
Date: Tue, 01 Sep 2009 15:38:24 +0200

Hello,

We are switching from an LDAP authentication to an AD one.
It works GREAT either with basic [password in clear :-( ] or ntlm
authentication schemes. SSO was also requested, and works great.

We have one problem though:
- during the tests, some user accounts get locked very often (after 5
attempts).
We know it comes from software trying to connect to the internet with older
passwords. But as we cannot guarantee it will not happen on a large scale when
we migrate,
->> I am looking for a way to prevent these accounts from getting locked.

I thought of two solutions :

1.
I searched for a way to make Squid only ask 3 times in a row for a valid
credential, but couldn't find it. Any clue?
(After three bad attempts, Squid would not send a 407, but a 200 with the error
page, maybe?)

2.
The other solution I went for was a more relaxed authentication scheme: using
fakeauth_auth (NTLM), and basic as a fallback for non-SSO browsers.
The idea is the following:
IE (the in-house main browser) would send the Windows credential in an SSO way
(thus the user is logged in) automatically (meaning the user doesn't see it
and cannot tamper with the authentication). We rely on IE to send us the username
(Windows logon credential).
Other browsers (FF) would use the basic scheme to send their credentials.

The problem is that at least one browser that is NTLM-compatible (Opera) is able
to provide the user with a prompt during the authentication, and the user may
give any valid account, along with any password.
Here are the two lines:

auth_param ntlm program /proxy3/libexec/fakeauth_auth
auth_param basic program /proxy3/libexec/squid_ldap_auth -P -ZZ -v 3 -c 5 -t 5 -b ou=BLABLA -f(sAMAccountName=%s) -D "cn=reqaccount-BLABLA" -W /proxy3/etc/ldapauth_prd_secretfile -h dc002.fgn.com dc003.global.fgn.com

Inverting the two lines forces all browsers to use the basic authentication.
Is there a way to do NTLM only with SSO-able browsers, and then revert to BASIC
for all the others?
I figure playing with user-agent strings wouldn't be enough, because Opera can
easily masquerade as IE (or used to).

Thank you for your ideas.

Andrew
Received on Tue Sep 01 2009 - 13:38:32 MDT
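Andrew's first idea (stop after three bad attempts before the domain lockout threshold of five is reached) can be implemented outside Squid, in front of the directory check. The following is an added example, not code from the post or from the Squid project: a throttling wrapper that speaks the Squid basic-auth helper protocol (one "username password" line per request on stdin, "OK" or "ERR" on stdout), counts failures per username, and stops forwarding attempts to the directory once a user has failed three times within a window. The real squid_ldap_auth bind from the post is replaced here by a caller-supplied callable; the account table and the helper names (LockoutGuard, answer, demo_verify) are constructed for illustration.

```python
"""
Lockout-guarding wrapper for a Squid basic-auth helper (added example).

Idea: the directory (AD) locks an account after 5 bad passwords. If the helper
refuses to consult the directory after MAX_FAILURES bad attempts per user
within WINDOW seconds, a client replaying a stale password gets ERR from the
proxy but can no longer push the account over the domain lockout threshold.
"""
import sys
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Tuple
from urllib.parse import unquote

MAX_FAILURES = 3   # below the domain policy's 5, so the proxy gives up first
WINDOW = 600.0     # seconds a failure is remembered (assumed value)


class LockoutGuard:
    """Per-user failure counter placed in front of the real credential check."""

    def __init__(self, verify: Callable[[str, str], bool],
                 max_failures: int = MAX_FAILURES, window: float = WINDOW,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._verify = verify          # real check, e.g. an LDAP bind
        self._max = max_failures
        self._window = window
        self._clock = clock            # injectable for deterministic tests
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _recent_failures(self, user: str, now: float) -> Deque[float]:
        """Drop failures older than the window and return the remaining ones."""
        q = self._failures[user]
        while q and now - q[0] > self._window:
            q.popleft()
        return q

    def is_throttled(self, user: str) -> bool:
        return len(self._recent_failures(user, self._clock())) >= self._max

    def check(self, user: str, password: str) -> str:
        """Return the helper reply for one request: 'OK' or 'ERR'."""
        now = self._clock()
        q = self._recent_failures(user, now)
        if len(q) >= self._max:
            return "ERR"               # throttled: directory NOT consulted
        if self._verify(user, password):
            q.clear()                  # a good login resets the counter
            return "OK"
        q.append(now)
        return "ERR"


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Squid sends 'user password'; both fields are URL-encoded (e.g. %20)."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return None
    return unquote(parts[0]), unquote(parts[1])


def answer(guard: LockoutGuard, line: str) -> str:
    """Map one input line from Squid to the reply line (without newline)."""
    parsed = parse_line(line)
    if parsed is None:
        return "ERR"                   # malformed input is never forwarded
    return guard.check(*parsed)


def serve(guard: LockoutGuard, inp=sys.stdin, out=sys.stdout) -> None:
    """Helper main loop: one reply per request line, flushed immediately."""
    for line in inp:
        out.write(answer(guard, line) + "\n")
        out.flush()


# Constructed demo accounts standing in for the directory bind (not real data).
DEMO_ACCOUNTS = {"alice": "correct-horse", "bob": "s3cret"}


def demo_verify(user: str, password: str) -> bool:
    return DEMO_ACCOUNTS.get(user) == password


if __name__ == "__main__":
    serve(LockoutGuard(demo_verify))
```

The trade-off to be aware of: while a user is throttled, even the correct password is refused until the window expires, which is what keeps the fifth attempt from ever reaching the domain controller; the proxy-side counter is also per helper process, so with several helper children the effective threshold is per process unless the state is shared.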
