> > I have an OpenSuse 10.2 box that runs Samba / OpenLDAP as a PDC, as
> > well as Squid with delay pools to limit bandwidth dependent upon
> > user, group, time of day and machine. I have managed to get
> > everything working and authenticating correctly using smb_ldap_auth
> > and smb_ldap_group. However, I would like to get the clients to
> > authenticate transparently using the domain credentials from the
> > initial domain logon, and not having to re-authenticate every time they open the browser.
> >
> > The clients (mostly XP with a few FreeNX terminals on various Linux
> > flavours) are all set up to use the proxy, and then iptables rules
> > blocking users from bypassing the proxy, so I am not transparently
> > intercepting web traffic, as I understand that authentication cannot
> > be used with a transparent proxy.
> >
> > Is single sign-on a possibility without using an M$ PDC? All the
> > searching seems to point to using ntlm_auth for this sort of thing.
> > PS: I have tried using ntlm_auth to authenticate against the Samba server...
> > the users are able to authenticate correctly, but still need to
> > re-enter their credentials every time they open their browsers.
>
> Samba should be more than adequate in filling in the PDC role
> in this scenario. Can you paste the relevant sections of your
> squid conf?
>
>
> --
> /kinkie

Thanks for the quick reply. My squid.conf in part is as follows:

auth_param basic program /usr/sbin/squid_ldap_auth -b "ou=Users,dc=nsc" -f "uid=%s"
auth_param basic children 5
auth_param basic credentialsttl 1 hour
auth_param basic casesensitive on
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -v3 -b "ou=Groups,dc=nsc" -f "(&(cn=%g)(memberuid=%u))" localhost
acl localnet proxy_auth REQUIRED src 192.168.1.0/24
acl group_admin external ldap_group admin
acl group_domainAdmins external ldap_group "/etc/squid/groups_domainAdmins"

Philip