Re: [squid-users] Windows auto-login helper application?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 22 Sep 2009 23:23:05 +1200

Dale Mahalko wrote:
> I need some help with setting up a fairly secure, easy to use method
> of authenticating users of Windows XP with squid, that:
>
> * doesn't require the users to remember a name and password to use
> the proxy, and does an auto-login so I can identify the user in the
> proxy access logs
>
> * uses password encryption to prevent sniffing of passwords on the network
>
> It does not look like NTLM authentication will work because apparently
> that requires Windows to be joined to a domain before Windows will use
> that method. None of the computers are in a domain, and they can't be
> since this is a Novell network.
>
> For the life o' me, I cannot figure out how to get the LDAP-auth to
> connect to do a Novell eDir/NDS LDAP user lookup. Most searched
> discussions regarding this are incomplete, usually ending with someone
> saying "Oh I figured it out myself" and they never post what they did.
> I know our LDAP server works since I can login to it using a generic
> LDAP browser.
>
>
> At this point I would be happy with sticking a small program in each
> user's Windows roaming profile account that loads when they login and
> does the authentication for them, whenever they try to use the proxy.
>
> There is apparently no formal name for doing this sort of user-login
> though so I can't search for examples of anyone doing it since I don't
> know what to call it. Maybe: "Windows helper application squid
> authentication"?
>
> ,
>
> Actually this is how Novell's aging BorderManager proxy does it, using
> a program called the Client Trust that sits in the taskbar and talks
> to the proxy to authorize the user. It interfaces with the Novell
> client to get the user's credentials.
>
> I am not expecting or looking for anything this extravagant that also
> can talk to the Novell Client. I would be fine with a
> taskbar/background helper that just uses a simple hashed config file
> in the user's account to authenticate them with squid.
>
> (BorderManager is being retired by Novell next year and so I can't
> expect or rely on the Client Trust authenticator to continue to be
> available. And besides it is made only for BorderManager, and doesn't
> work with other proxies like squid..)
>
> ,
>
> Dale Mahalko

We have a generic LDAP how-to which may or may not be useful to you...
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap

Recent squid releases bundle an eDirectory helper for doing secure
encrypted digest authentication. That auth method is also growing in its
support from browsers etc.

Hopefully someone with a bit more experience in these auth methods will
speak up. This should give you a place to start searching anyway. Good luck.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
   Current Beta Squid 3.1.0.13
Received on Tue Sep 22 2009 - 11:23:15 MDT
