[squid-users] Sending on Group names after Kerb LDAP look-up

From: Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>
Date: Mon, 22 Mar 2010 15:28:29 +0000

Hi All,

Things seem to be going well with my Squid project so far; a combined Mac/Windows AD environment using Kerberos authentication with fall back of NTLM. I (hopefully) seem to be getting the hang of it!
I've been trying out the Kerberos LDAP look up tool and have a couple of questions (I think the answers will be no..):

- Is it possible to wrap up the matched group name(s) in the header as it gets sent onwards to my peer?
I used to use the authentication agent that came from our A/V provider. This tool ran as a service and linked into our ISA. Once a user authenticated, their group membership was forwarded along with their username to my peer (Scansafe). The problem is that it only does NTLM auth. It added the group (WINNT://[group]) into the header and then a rule base at the peer site could be set up based on group. Since I am using Kerberos I wondered whether it's possible to send the results of the Kerb LDAP auth? I already see the user on the peer as the Kerberos login. It would be great if I could include the group or groups...

This is what I use currently:

cache_peer proxy44.scansafe.net parent 8080 7 no-query no-digest no-netdb-exchange login=*

(From http://www.hutsby.net/2008/03/apple-mac-osx-squid-and-scansafe.html)

- Are there plans to integrate the lookup tool in future versions of Squid? I've enjoyed learning about compiling but.. just wondering..

Thanks again in advance,

Nick

Received on Mon Mar 22 2010 - 15:30:34 MDT
