Re: [squid-users] Squid Ldap Authen + AD:how to make authentication persistent?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 18 Jun 2011 02:35:17 +1200

On 17/06/11 16:29, เชต wrote:
> Hi all,
> I've just configured the squid proxy server to authenticate users to
> Microsoft Active Directory. Everything seems fine except squid keeps
> asking username/password every time users open a new web browser or
> switch to another web browser, like it checks for some session variable in
> each browser instance.

Exactly so.

HTTP is stateless. The browser is required to authenticate with every
request. The fact it is not asking for login several dozen times per web
page is that the browser stores it.

You can expect different tabs, windows, browsers, machines, and in fact
machines of people on the other branches of your company, not to be
aware of the particular login credentials needed when they are first
started.

The popup itself has nothing to do with Squid. It is just something the
browser does when it cannot find any credentials to send. Its "last
chance" method of getting credentials is to ask the user.

You can avoid users seeing it by allowing the browser to access
credentials in other ways. For example:
  * the Windows operating system allows IE to access NTLM or Negotiate
credentials.
  * other OS store Negotiate credentials in a keytab you can allow the
browser to access.
  * some OS allow the proxy Basic auth login details to be set in the
environment http_proxy variables.
  * some from stored values in a password manager.

> Suppose I've already authenticated myself while using google
> chrome and open any new tabs on that chrome instance, there will be no
> problem but if I open the new Chrome from desktop shortcut (new
> instance), squid will ask for the password for this chrome again. This
> also occurred when I switch to IE.
> And if I close all browser tabs/windows previously authenticated
> then reopen the new browser, squid will ask password again.
> Is there a way to make squid only ask password for each user's
> computer/ip etc, once per day or at least a period of time (such as 8
> hours). I've tried auth_param basic credentialttl 8 hours but nothing
> different.

For Basic auth in Squid-2.7 there is
http://www.squid-cache.org/Doc/config/authenticate_ip_shortcircuit_ttl/

It has been dropped from Squid-3 releases. You can instead use an
external_acl_type helper to maintain a session and permit access based
on IP address, passing username back to Squid for the log.

NOTE:
  * users can login to other users' accounts by simply sitting at their
machine some hours later (even a full reboot does not protect).
  * when DHCP assigns an IP to someone, that person inherits all login
privileges of any previous user
  * users can tweak their machine IP and instantly get that person's
login access.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.8 and 3.1.12.2
Received on Fri Jun 17 2011 - 14:35:28 MDT
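An added example, not from the original thread and not one of Squid's own helpers, of the external_acl_type session helper Amos describes: it keeps an in-memory table of source IP to username with a fixed 8-hour expiry, speaks Squid's helper protocol on stdin/stdout, and returns the username so it reaches the access log. The squid.conf fragment in the docstring is my assumption of how it would be wired in, and the behaviour in the NOTE above (a later user on the same IP inherits the session) is visible in the lookup logic.

```python
"""Squid external_acl_type helper: permit by source IP for a fixed session window.

Assumed squid.conf wiring (illustrative, not from the original post):
  # check first: format has no %LOGIN, so Squid does not challenge for auth
  external_acl_type ip_session ttl=60 negative_ttl=0 %SRC /usr/local/bin/ip_session.py
  acl has_session external ip_session
  http_access allow has_session
  # fall back to the AD login, then record the session for that IP
  acl ad_auth proxy_auth REQUIRED
  external_acl_type record_session ttl=60 %SRC %LOGIN /usr/local/bin/ip_session.py
  acl new_session external record_session
  http_access allow ad_auth new_session
Squid sends one line per lookup ("<src-ip>" or "<src-ip> <login>") and
expects "OK user=<name>" or "ERR" back.
"""
import sys
import time

SESSION_TTL = 8 * 3600  # seconds: the 8-hour window asked for in the question


class IpSessionTable:
    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock            # injectable for testing
        self.sessions = {}            # src_ip -> (username, expiry)

    def lookup(self, src_ip, login="-"):
        now = self.clock()
        if login != "-":
            # Squid already authenticated this request: start/refresh the
            # session for the IP. Any later user on this IP inherits it
            # until expiry, which is the weakness noted in the reply.
            self.sessions[src_ip] = (login, now + self.ttl)
            return "OK user=%s" % login
        entry = self.sessions.get(src_ip)
        if entry is None:
            return "ERR"
        user, expiry = entry
        if now >= expiry:             # fixed window: no sliding renewal
            del self.sessions[src_ip]
            return "ERR"
        return "OK user=%s" % user

    def handle_line(self, line):
        parts = line.split()
        if not parts:
            return "ERR"
        return self.lookup(parts[0], parts[1] if len(parts) > 1 else "-")


if __name__ == "__main__":
    table = IpSessionTable()
    for request in sys.stdin:
        sys.stdout.write(table.handle_line(request) + "\n")
        sys.stdout.flush()            # Squid waits for each reply line
```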