[squid-users] Kerberos / SASL for squid_ldap_group

From: Maxim Burgerhout <maxim_at_wzzrd.com>
Date: Mon, 30 Aug 2010 12:26:52 +0200

Hi,

I'm trying to build a completely Kerberos-based Squid proxy setup for
my company. Everything that's even remotely possible with Kerberos, we're
supposed to do with it.

Kerberos authentication on Squid 3.1 works easily, so the next step
would be to make squid_ldap_group work with Kerberos, too. We expected
this to already be possible, since there is a mailing list message from
2004[1] in which Diego Woitasen contributes a patch to make
squid_ldap_group do Kerberos-authenticated LDAP queries.

But then, in 2006, Henrik Nordstrom says[2] neither squid_ldap_group nor
squid_ldap_auth supports Kerberos SSO. After the initial posting of the
patch in '04, I can't find any more references to it on the
mailing lists.

Looking through the current 3.1.4 source code, there doesn't seem to be any
Kerberos SSO code in either helper module. I've tried looking for newer
versions of squid_ldap_group on marasystems.com, as suggested by the
README, but that only results in a 404. The ChangeLog stops in '05. Has
development on squid_ldap_group stopped in favor of mswin_ad_group or
something?

Was the original Kerberos patch from 2004 rejected? If so, why? Is
there any way I can help get Kerberos SSO to appear in
squid_ldap_group?

As a start, I've cleaned up and attached the original patch from 2004.
It still applies, builds and works nicely, even on Squid 3.1 on Fedora
13 / EL6beta, with recent LDAP, Kerberos and SASL libraries. It needs
to be compiled with LDFLAGS='-lkrb5 -lsasl2' and CFLAGS='-DCYRUS_SASL',
so it will need some tuning of the main configure script.

Hope this helps.

Regards,

--
Maxim Burgerhout
maxim_at_wzzrd.com

[1] http://www.squid-cache.org/mail-archive/squid-users/200410/0644.html
[2] http://www.squid-cache.org/mail-archive/squid-users/200602/0214.html

Received on Mon Aug 30 2010 - 10:26:23 MDT
