Re: [squid-users] Re: Native Kerberos (squid_kerb_auth) with LDAP-Fallback (squid_ldap_auth)

From: guest01 <guest01_at_gmail.com>
Date: Fri, 17 Sep 2010 14:14:25 +0200

Hi,

I am stuck with a similar problem; has there been any solution for
this topic? (Btw, I am running Squid 3.1.8 on RHEL 5.5.)

We are trying to achieve the following:
CompanyA (us): own Active Directory domain and we are hosting the
squid web server (central forward proxy for internet access with ICAP
capabilities)
CompanyB: completely independent Active Directory Domain
(CompanyC: might use our squid soon)
(CompanyD: might use our squid soon)

We have one shared Squid server which should authenticate CompanyA
with NTLM (or Kerberos) and CompanyB with LDAP (they insist on LDAP, I
don't know why, but I suppose without a domain trust I could
authenticate only one company with NTLM or Kerberos and would have
trouble, right?).
NTLM is the preferred authentication method, and if a client of CompanyA
wants to look up something on the Internet, he will be authenticated
with NTLM.
If CompanyB wants to look up something, the browser submits NTLM data
(valid for their domain, not ours) which is not valid for our domain,
and in theory the browser should try Basic authentication (e.g. LDAP)
next, but that does not happen. It still tries NTLM (Firefox as well
as IE8 on Windows 7). For further info, look at [1],[2].

Unfortunately, I don't have many options:
- disable NTLM authentication in IE8 for CompanyB; then IE only
tries LDAP, which works
- authenticate CompanyA by IP and disable NTLM authentication (= our
current setup)

Of course it would be possible to authenticate everybody by LDAP (we
are using an OpenLDAP metadirectory which talks to the ADs), but it is
only Basic auth and a very bad idea.

Does anybody have any additional ideas? How do you guys handle authentication
for multiple independent customers?

In my opinion, this is a client problem; unfortunately IE and even FF
are too dumb. From a functional point of view, it should be
standard to try the weaker (LDAP) authentication if the stronger
(NTLM) does not work (from a security point of view, I am glad
that this does not seem to work ;-)). Is there any option for
Squid to track authentication and only offer Basic authentication if
NTLM failed [3]? Or anything similar?

I would appreciate any response!
best regards
Peter

Additional info:
[1] http://img830.imageshack.us/img830/3920/squidntlmnotworking.png

[2] squid config:
#NTLM
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

# LDAP authentication
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 120 minute
auth_param basic program /opt/squid/libexec/squid_ldap_auth -b "dc=squid-proxy" -D "uid=user...." -w passwd -h server -f "(uid=%s)"

[3] Tcpdump shows me the headers with the following info (Squid offers NTLM
and Basic):
GET http://fxfeeds.mozilla.com/en-US/firefox/headlines.xml HTTP/1.1
Host: fxfeeds.mozilla.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
X-Moz: livebookmarks

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.8
Mime-Version: 1.0
Date: Fri, 17 Sep 2010 10:09:12 GMT
Content-Type: text/html
Content-Length: 1482
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en-us
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="Proxy"
X-Cache: MISS from xlsqip02_1
Via: 1.0 xlsqip02_1 (squid/3.1.8)
Connection: keep-alive

On Fri, Aug 13, 2010 at 4:01 PM, Tom Tux <tomtux80_at_gmail.com> wrote:
> Hi
>
> I ran Squid with the named debug options. The "cache.log" output seems
> a little bit complicated. So the only way I see is to have a commented-out
> native LDAP authentication configuration, which I can enable if the
> Kerberos mechanism fails.
>
> Or does somebody have such a config (Kerberos with squid_kerb_ldap to
> get AD groups AND squid_ldap_auth with a memberOf filter) running?
>
> Thanks a lot.
> Regards,
> Tom
>
> 2010/8/11 Amos Jeffries <squid3_at_treenet.co.nz>:
>> Tom Tux wrote:
>>>
>>> Hi Amos
>>>
>>> Thanks a lot for this explanation. Both configurations separately -
>>> native Kerberos and native LDAP - are working fine. But in
>>> combination, there is still one problem.
>>>
>>> Here is my actual configuration (combining the two mechanisms) again:
>>>
>>> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
>>> auth_param negotiate children 50
>>> auth_param negotiate keep_alive on
>>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "InternetUsers"
>>> acl INTERNET_ACCESS external SQUID_KERB_LDAP
>>>
>>> external_acl_type SQUID_DENY_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "DenyInternetUsers"
>>> acl DENY_INTERNET_ACCESS external SQUID_DENY_KERB_LDAP
>>>
>>> # LDAP-Fallback
>>> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -v 3 -b "dc=xx,dc=yy" -D "cn=binduser,dc=xx,dc=yy" -w "something" -f "(&(&(objectClass=Person)(sAMAccountName=%s))(memberOf=cn=InternetUsers,DC=xx,DC=yy))" -c 3 -h ldaps://xx.xx.xx.xx -h ldaps://xx.xx.xx.xx
>>> auth_param basic children 20
>>> auth_param basic realm "Internet Access"
>>> auth_param basic credentialsttl 2 hour
>>> acl INTERNET_ACCESS_LDAP proxy_auth REQUIRED src 0.0.0.0
>>
>> The "src" and "0.0.0.0" usernames (yes *usernames*) should be ignored by
>> Squid.
>>
>>>
>>>
>>> And here the relevant part of the http_access-directives:
>>> http_access deny DENY_INTERNET_ACCESS
>>> http_access deny !INTERNET_ACCESS
>>> http_access deny !INTERNET_ACCESS_LDAP
>>> http_access allow INTERNET_ACCESS
>>> http_access allow INTERNET_ACCESS_LDAP
>>> http_access deny all
>>>
>>> With this configuration, I'm able to access with Kerberos, but never
>>> with LDAP. I always get "access denied". What directives do I have
>>> to change/add to get both accesses (Kerberos & LDAP) working?
>>
>> Run Squid with "debug_options 82,3 28,3" to check which ACLs are matching
>> and which denying.
>>
>> I notice the !INTERNET_ACCESS is required to pass before anything is
>> allowed. It could be that your Basic protocol credentials are not being
>> accepted by the Negotiate/Kerberos protocol group helper and inverting into
>> a deny.
>>
>> Amos
>> --
>> Please be using
>>  Current Stable Squid 2.7.STABLE9 or 3.1.6
>>  Beta testers wanted for 3.2.0.1
>>
>
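The rule-order problem Amos points at in Tom's http_access list, as an added example that is not code from this thread or from Squid itself: a Python model of Squid's documented first-match http_access evaluation, run over the posted rule list and over a reordered version. The directory contents, user names, passwords and the "XX.YY" realm are constructed for the example, and the auth helpers and external ACL helpers are simulated; the one behavioural assumption, stated again in the code, is that squid_kerb_ldap resolves the %LOGIN name as a Kerberos principal, so a login that arrived via Basic auth never gets a group match from it.

```python
"""Added example (not Squid's own code): a model of Squid's http_access
first-match evaluation, run over the rule list posted in the thread.

Semantics reproduced: lines are tried in order, a line matches when every ACL
on it matches ('!' negates one), the first matching line decides, and with no
match the default is the opposite of the last line. Directory data below is
constructed; the one behavioural assumption is that squid_kerb_ldap resolves
%LOGIN as a Kerberos principal, so a Basic login never gets a group match.
"""

# Constructed directory data (assumption, not taken from the thread).
KERBEROS_PRINCIPALS = {"alice@XX.YY", "carol@XX.YY", "mallory@XX.YY"}
AD_GROUPS = {
    "InternetUsers": {"alice@XX.YY", "bob"},
    "DenyInternetUsers": {"mallory@XX.YY"},
}
LDAP_PASSWORDS = {"bob": "correct horse", "dave": "battery staple"}


def authenticate(creds):
    """Auth helper for the client's scheme: the login Squid records, or None.
    creds is (scheme, user, secret), or None when no Proxy-Authorization was sent."""
    if creds is None:
        return None
    scheme, user, secret = creds
    if scheme == "negotiate":
        # squid_kerb_auth: a valid ticket for a known principal is enough
        return user if user in KERBEROS_PRINCIPALS else None
    if scheme == "basic":
        # squid_ldap_auth with the posted filter: the bind must succeed AND
        # the user must be memberOf InternetUsers, otherwise the helper says ERR
        ok = LDAP_PASSWORDS.get(user) == secret and user in AD_GROUPS["InternetUsers"]
        return user if ok else None
    return None


def kerb_ldap_group(group):
    """Simulated 'external_acl_type ... squid_kerb_ldap -g <group>' (assumption:
    the helper only resolves Kerberos principals, so a Basic login never matches)."""
    return lambda login, scheme: scheme == "negotiate" and login in AD_GROUPS[group]


ACLS = {
    "DENY_INTERNET_ACCESS": kerb_ldap_group("DenyInternetUsers"),
    "INTERNET_ACCESS": kerb_ldap_group("InternetUsers"),
    # 'proxy_auth REQUIRED' matches ANY successfully authenticated user, no
    # matter which scheme and which helper validated the credentials
    "INTERNET_ACCESS_LDAP": lambda login, scheme: True,
    "all": lambda login, scheme: True,
}
NEEDS_LOGIN = {"DENY_INTERNET_ACCESS", "INTERNET_ACCESS", "INTERNET_ACCESS_LDAP"}


def parse_http_access(config_text):
    """Return [(action, [acl, ...]), ...] from the http_access lines of a config."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def evaluate(rules, creds):
    """Return (decision, line_number); decision is 'allow', 'deny' or 'challenge' (407)."""
    login = authenticate(creds)
    scheme = creds[0] if creds else None
    for lineno, (action, acl_names) in enumerate(rules, 1):
        line_matches = True
        for name in acl_names:
            negate = name.startswith("!")
            acl = name.lstrip("!")
            if acl in NEEDS_LOGIN and login is None:
                return "challenge", lineno      # no valid credentials yet: Squid sends 407
            if ACLS[acl](login, scheme) == negate:  # ACL result XOR negation is false
                line_matches = False
                break
        if line_matches:
            return action, lineno
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


POSTED = """
http_access deny DENY_INTERNET_ACCESS
http_access deny !INTERNET_ACCESS
http_access deny !INTERNET_ACCESS_LDAP
http_access allow INTERNET_ACCESS
http_access allow INTERNET_ACCESS_LDAP
http_access deny all
"""

REORDERED = """
http_access deny DENY_INTERNET_ACCESS
http_access allow INTERNET_ACCESS
http_access allow INTERNET_ACCESS_LDAP
http_access deny all
"""
```

Calling evaluate(parse_http_access(POSTED), ("basic", "bob", "correct horse")) returns ("deny", 2): a Basic/LDAP user is never in the Kerberos group lookup, so "deny !INTERNET_ACCESS" fires before any allow line is reached, which is the "access denied" Tom sees and the inversion Amos describes. Moving the two allow lines above the negated denies (REORDERED) lets bob through on line 3. The reordered version carries a caveat worth checking before copying it: "acl INTERNET_ACCESS_LDAP proxy_auth REQUIRED" matches any authenticated user, Kerberos users included, so a Kerberos user who is not in InternetUsers (carol in the model) is also allowed on line 3. The memberOf filter only restricts Basic logins, because it lives inside the squid_ldap_auth command line and is never consulted for a Negotiate login.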
Received on Fri Sep 17 2010 - 12:14:31 MDT

This archive was generated by hypermail 2.2.0 : Fri Sep 17 2010 - 12:00:03 MDT