Re: [squid-users] Re: Native Kerberos (squid_kerb_auth) with LDAP-Fallback(squid_ldap_auth)

From: Chad Naugle <Chad.Naugle_at_travimp.com>
Date: Fri, 17 Sep 2010 09:54:37 -0400

Perhaps you could install a separate squid at their sites, which, in turn, routes through yours, dependent on the "inter-networking" topology between sites?

---------------------------------------------
Chad E. Naugle
Tech Support II, x. 7981
Travel Impressions, Ltd.
 

>>> Amos Jeffries <squid3_at_treenet.co.nz> 9/17/2010 9:28 AM >>>
On 18/09/10 00:14, guest01 wrote:
> Hi,
>
> I am stuck with a similar problem, has there been any solution for
> this topic? (Btw, I am running Squid 3.1.8 on RHEL5.5)
>
> We are trying to achieve following:
> CompanyA (us): own Active Directory domain and we are hosting the
> squid web server (central forward proxy for internet access with ICAP
> capabilities)
> CompanyB: completely independent Active Directory Domain
> (CompanyC: might use our squid soon)
> (CompanyD: might use our squid soon)
>
> We have one shared squid server which should authenticate CompanyA
> with NTLM (or kerberos) and CompanyB with LDAP (they insist on LDAP, I
> don't know why, but I suppose without a domain trust I could
> authenticate only one company with NTLM or kerberos and would have
> troubles, right?)
> NTLM is the preferred authentication method and if a Client of CompanyA
> wants to lookup something in the Internet, he will be authenticated
> with NTLM.
> If CompanyB wants to lookup something, the Browser submits NTLM data
> (valid for their domain, not ours) which are not valid for our domain
> and in theory, the browser should try Basic-Authentication (e.g. LDAP)
> next, but that does not happen. It still tries NTLM (Firefox as well
> as IE8 on Windows 7). For further infos, look at [1],[2].
>
> Unfortunately, I don't have many options:
> - disable NTLM authentication in IE8 for CompanyB and then IE only
> tries LDAP which works
> - authenticate CompanyA by IP and disable NTLM authentication (= our
> current setup)
>
> Of course it would be possible to authenticate everybody by LDAP (we
> are using an OpenLDAP metadirectory which talks to the ADs), but it is
> only a Basic auth and a very bad idea
>
> Has anybody any additional idea? How do you guys handle authentication
> for multiple independent customers?
>
> In my opinion, this is a client problem, unfortunately IE and even FF
> are too dumb. From a functional point of view, it should be
> standard to try the weaker (LDAP) authentication if the stronger
> (NTLM) does not work (from a security point of view, I am glad
> that this does not seem to work ;-)). Is there any option for the
> squid to track authentication and only offer basic authentication if
> NTLM failed [3]? Or anything similar?
>
> I would appreciate any response!
> best regards
> Peter

Squid does not currently offer any way to selectively pick the auth
methods to advertise. There are a few possible designs and someone was
working on it a while back.

Stripping away auth methods which have failed is not possible, due to
problems such as: how do you deal with a user who typo'd their password?
Or who recently changed password but the browser still sends the old one
first?

The workaround that comes to mind is to run a "shell" squid instance for
each client, or at least for each primary auth type, which only does auth
and then funnels requests through to some parent proxy for handling.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.8
   Beta testers wanted for 3.2.0.2
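As an added illustration of the per-auth-type "shell" instance workaround described above (this is not configuration from the thread or from the Squid project; the hostnames, Kerberos realm, ports, LDAP base DN, IP addresses and helper paths are placeholder assumptions), here is a Squid 3.1-style split into two front-end instances, each advertising exactly one scheme, both funnelling into the existing central proxy, which keeps its current source-IP trust model:

```conf
# --- Shell instance A (CompanyA): Negotiate/Kerberos only ---
# Separate squid process with its own config file. It advertises only
# Negotiate, so a CompanyA browser never has to fall back to Basic.
# Realm and hostnames below are placeholder assumptions.
http_port 3128
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy-a.companya.example@COMPANYA.EXAMPLE
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow authenticated
http_access deny all
# No caching in the shell; the parent does caching and ICAP.
cache deny all
# Funnel every request to the central proxy (placeholder name), never direct.
cache_peer central-proxy.companya.example parent 3128 0 no-query no-digest default
never_direct allow all

# --- Shell instance B (CompanyB): Basic/LDAP only ---
# Second squid process, own config file, own port. Because only Basic is
# advertised, the browser is never tempted to keep retrying NTLM here.
http_port 3129
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "ou=people,dc=companyb,dc=example" -f "(uid=%s)" -h ldap.companyb.example
auth_param basic children 10
auth_param basic realm CompanyB proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow authenticated
http_access deny all
cache deny all
cache_peer central-proxy.companya.example parent 3128 0 no-query no-digest default
never_direct allow all

# --- Central (parent) proxy: trust only the shell instances, by source IP ---
# This mirrors the IP-based model the thread already uses for CompanyA;
# the addresses are placeholders for the two shell hosts.
acl shell_proxies src 192.0.2.10 192.0.2.11
http_access allow shell_proxies
http_access deny all
```

The point of the split is that each front end offers a single `Proxy-Authenticate` scheme, so the client-side "keep trying NTLM" behaviour described in the thread cannot occur: CompanyA clients only ever see Negotiate, CompanyB clients only ever see Basic. The parent never authenticates users itself and so loses the usernames in its own logs; on the Basic leg, `cache_peer ... login=PASS` can forward the client's credentials to the parent if it is given a matching helper, whereas on the Kerberos leg the ticket is bound to the first hop and must be validated there.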
Received on Fri Sep 17 2010 - 13:54:47 MDT
