[squid-users] Re: SSO with Active Directory-Squid Clients

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 3 Apr 2010 13:34:15 +0100

Have a look at
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos and
http://sourceforge.net/projects/squidkerbauth/files/squidkerbldap/squid_kerb_ldap-1.2.1/squid_kerb_ldap-1.2.1.tar.gz/download

Regards
Markus

"GIGO ." <gigoz_at_msn.com> wrote in message
news:SNT134-w171836624CE7937AD90D3EB91B0_at_phx.gbl...

Dear All/Amos,

I want to allow certain (not all) Active Directory users to use Squid by way
of SSO with Active Directory. This means that when any one of those specific
users logs in to Active Directory, they should automatically have access
to the internet via the Squid proxy. Other AD users who have not been granted
permissions in Squid will be disallowed. Is it possible? If so, please guide me in
detail.

This was my assumption of how it would be done:

I needed to compile squid with these additional options:
--enable-basic-auth-helpers="LDAP"
--enable-auth="basic,negotiate,ntlm"
--enable-external-acl-helpers="wbinfo_group,ldap_group"
--enable-negotiate-auth-helpers="squid_kerb_auth"
Right?

I need to configure krb5.conf to point to AD as default_realm on CentOS 5.4
too, right?

I think that I need to make CentOS 5.4 a member of the domain? Am I right,
or is it not necessary?

How will these specific AD users (with internet access allowed) be
told/mentioned to Squid?

I have also studied your article
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap?action=print

However, this allows all (not specific) Active Directory or LDAP users
internet access. This logic just checks the validity of the user account
with Active Directory by popping up a login/password prompt, and if that succeeds
network access is granted. Am I right?

The bottom line is that I am completely lost and do not have much idea what to do
or how to do it. We were previously using Microsoft ISA Server and are about to move
to Squid, and this requirement is very necessary.

regards,

Bilal Aslam

Received on Sat Apr 03 2010 - 12:34:48 MDT
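
The restriction asked about in this thread (SSO for some AD users only), sketched as a squid.conf fragment built on the squid_kerb_auth and squid_kerb_ldap helpers named above. This is an added example, not configuration from the original posts or from the Squid project; the helper paths, the host proxy.example.com, the realm EXAMPLE.COM and the group InternetUsers are assumed placeholder values.

```conf
# Added example. Paths, host name, realm and group name are assumptions.

# Negotiate (Kerberos) authentication: the browser presents the user's
# ticket, so a logged-in domain user sees no login prompt.
# squid_kerb_auth needs a keytab holding the HTTP/ service key named by -s
# (KRB5_KTNAME in Squid's environment, or the system default keytab).
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Group lookup: squid_kerb_ldap is passed the authenticated user name
# (%LOGIN) and answers OK only for members of the AD group given with -g.
external_acl_type ad_internet_group ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -g InternetUsers@EXAMPLE.COM

acl authenticated proxy_auth REQUIRED
acl internet_users external ad_internet_group

# Too broad: admits every account that AD can authenticate,
# which is the behaviour described in the question.
# http_access allow authenticated

# Restricted: require authentication first, then group membership,
# and refuse everything else.
http_access deny !authenticated
http_access allow internet_users
http_access deny all
```

With ttl=3600 the helper's answer is cached, so removing a user from the group can take up to an hour to be enforced at the proxy; lower the value if revocation has to be faster.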

This archive was generated by hypermail 2.2.0 : Tue Apr 06 2010 - 12:00:03 MDT