[squid-users] Re: Re: squid_kerb_ldap clarification

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 6 Aug 2010 08:09:42 +0100

>"Joseph L. Casale" <jcasale_at_activenetwerx.com> wrote in message
>news:CA5A491E9DEFBE4CB777DE97E21575E906BB0C12_at_prato.activenetwerx.local...
>> Here is a short overview of what squid_kerb_ldap does.
>> 1) A user authenticates with either NTLM (username will be
>> NT-DOM\user) or Kerberos (username will be user@KERB-DOM)
>> 2) squid_kerb_ldap uses the -N flag to map NT-DOM to KERB-DOM for NTLM
>> authenticated users
>> 3) Uses DNS SRV records to find an AD server for KERB-DOM
>> 4) Uses the Kerberos keytab to authenticate an LDAP connection to AD
>> using SASL/GSSAPI.
>> 5) Searches AD to check whether the user is a member of the group given by -s
>> (the newer squid_kerb_ldap version also has a -m option to allow recursive
>> search, e.g. to check whether a group is a member of another group ...)
>>
>> Does this help?
>
>Markus,
>Sure does... So by creating a computer account in AD, I can avoid the LDAP
>bind account I was using with the older squid_ldap_auth helper, great.
>

Correct, assuming the account has been created correctly (e.g. it has to
have serviceprincipalname=HTTP/<fqdn> AND
userprincipalname=HTTP/<fqdn>@KERB-DOM set).

>Thanks!
>jlc

Markus
Received on Fri Aug 06 2010 - 07:10:19 MDT
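As an added illustration of the name handling described in the quoted overview (not code from squid_kerb_ldap itself): the two user-name forms from step 1 are normalised to a Kerberos realm, the NTLM form going through an -N style NT-DOM to KERB-DOM mapping, and the account attributes Markus lists for the keytab account are derived for a given proxy FQDN. The mapping syntax (`NTDOM@KERB.REALM`, entries separated by `:`), the SRV record name and all domain names are assumptions chosen for the example, not taken from the helper's documentation.

```python
# Added example, not squid_kerb_ldap's own code. Assumed -N format:
#   "NTDOM@KERB.REALM:NTDOM2@KERB2.REALM"  (check the helper's docs)
from dataclasses import dataclass


@dataclass
class Resolved:
    user: str        # bare user name
    realm: str       # KERB-DOM the group lookup is done against
    srv_record: str  # DNS SRV name queried to find an AD server (assumed form)
    via: str         # "ntlm" or "kerberos"


def parse_ntdom_map(spec: str) -> dict:
    """Parse an NT-DOM -> KERB-DOM mapping (assumed -N syntax, see above)."""
    mapping = {}
    for pair in filter(None, spec.split(":")):
        nt, _, realm = pair.partition("@")
        if not nt or not realm:
            raise ValueError(f"bad mapping entry: {pair!r}")
        mapping[nt.upper()] = realm.upper()
    return mapping


def resolve(username: str, ntmap: dict) -> Resolved:
    """Steps 1-3: normalise the user name and derive the realm to query."""
    if "\\" in username:                      # NTLM form: NT-DOM\user
        ntdom, user = username.split("\\", 1)
        realm = ntmap.get(ntdom.upper())
        if realm is None:                     # no -N entry: cannot proceed
            raise LookupError(f"no KERB-DOM mapping for NT domain {ntdom!r}")
        via = "ntlm"
    elif "@" in username:                     # Kerberos form: user@KERB-DOM
        user, _, realm = username.rpartition("@")
        realm, via = realm.upper(), "kerberos"
    else:
        raise ValueError("username carries neither an NT domain nor a realm")
    # Assumed SRV name used to locate a domain controller for the realm
    return Resolved(user, realm, f"_ldap._tcp.{realm.lower()}", via)


def expected_account_attrs(fqdn: str, realm: str) -> dict:
    """Step 4: attribute values the keytab account must carry (per the reply)."""
    return {"servicePrincipalName": f"HTTP/{fqdn}",
            "userPrincipalName": f"HTTP/{fqdn}@{realm.upper()}"}
```

Running `resolve` over a sample of proxy usernames before deploying the helper shows which NT domains still lack an -N mapping; `expected_account_attrs` gives the values to compare against the AD object with an LDAP query.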