Re: [squid-users] Re: squid client authentication against AD computer account

From: Manoj Rajkarnikar <manoj.rajkarnikar_at_gmail.com>
Date: Wed, 15 Sep 2010 12:59:03 +0545

Thanks for the quick response, Markus.

The reason I need to limit computer account and not user account is
that people here move out to distant branches and the internet access
policy is to allow to the position they hold, and thus the computer
they will use.

I've successfully set up the Kerberos authentication, but I don't see
how squid will fetch the computer information from the client request and
authorize it based on the group membership in AD. What I wish to
accomplish is:

1. create a security group in AD
2. add computer accounts to this security group
3. squid checks if the computer trying to access the internet is a member of
this security group.
4. if not, don't allow access to the internet, or request an AD user login
that is allowed.

I'm not sure if this is achievable.

Thanks for the help.
Manoj

On Wed, Sep 15, 2010 at 12:28 AM, Markus Moeller
<huaraz_at_moeller.plus.com> wrote:
>
> "Manoj Rajkarnikar" <manoj.rajkarnikar_at_gmail.com> wrote in message
> news:AANLkTinGXTOwX+AysRVGoasEiqRS1qrMX2VYM8t5i3Aj_at_mail.gmail.com...
>>
>> Hi all.
>>
>> I've been trying to set up this squid box with authentication to an AD
>> 2003 server. The need in our situation is to allow the workstation
>> access to the internet and not the user, since the users are always
>> moving from station to station. I've already set up Kerberos
>> authentication successfully. I've searched through the list for
>> anything related to authorizing computer accounts but found none.
>>
>
> Why do you want to limit the computer and not the user? I assume the users log in
> to the stations with their credentials, so moving stations should not be an
> issue, or?
>
>> I'm not very familiar with LDAP queries. Any help would be greatly
>> appreciated. I'm trying to use squid_kerb_ldap for LDAP
>> authorization...
>>
>>
>
> squid_kerb_ldap will connect to AD and determine if a user is a member of
> an AD group.  The connection to AD is authenticated using the Kerberos key
> from the squid keytab file, and the AD server is found by using SRV DNS
> records, which are usually defined in a Windows environment with AD.
>
>> Thank you very much for your help.
>>
>> Regards
>> Manoj
>>
>
>
>
Received on Wed Sep 15 2010 - 07:14:07 MDT
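As an added example that is not part of this thread, the squid.conf wiring for what Markus describes: Negotiate/Kerberos authentication of the client, then a squid_kerb_ldap check of the authenticated principal against one AD group. The proxy principal, realm, keytab path, helper paths and group name are assumed placeholders.

```conf
# Added example, not from the thread. Assumed values: proxy.example.com,
# EXAMPLE.COM, /usr/lib/squid/... helper paths and the group Internet-Allowed.
# Both helpers read the proxy keytab from KRB5_KTNAME, exported in the
# squid start script (e.g. KRB5_KTNAME=/etc/squid/squid.keytab).

# 1. Kerberos (Negotiate) authentication of the client against the HTTP/ principal
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# 2. Group check: squid_kerb_ldap finds a DC through the _ldap._tcp SRV records,
#    binds with the keytab, and tests whether the authenticated principal
#    passed in as %LOGIN is a member of the named AD group.
external_acl_type ad_group ttl=3600 negative_ttl=60 %LOGIN /usr/lib/squid/squid_kerb_ldap -g Internet-Allowed@EXAMPLE.COM

acl authenticated proxy_auth REQUIRED
acl internet_ok external ad_group

# 3. Unauthenticated clients are challenged (407); only group members get out.
http_access deny !authenticated
http_access allow internet_ok
http_access deny all
```

The group test is applied to whatever principal the client authenticated with, which for an interactive browser session is normally the logged-on user rather than the computer account, so this configuration alone does not implement the per-workstation policy asked about in the thread.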

This archive was generated by hypermail 2.2.0 : Tue Sep 21 2010 - 12:00:03 MDT