Re: Transparent LDAP authentication

On Fri, Mar 28, 2008 at 10:43 PM, Philip Kloppers
<philip@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> > > I have an OpenSuse 10.2 box that runs Samba / OpenLDAP as a PDC, as
> > > well as Squid with delay pools to limit bandwidth dependent upon
> > > user, group, time of day and machine. I have managed to get
> > > everything working and authenticating correctly using smb_ldap_auth
> > > and smb_ldap_group. However, I would like to get the clients to
> > > authenticate transparently using the domain credentials from the
> > > initial domain logon, and not having to re-authenticate every time they open the browser.
> > >
> > > The clients (mostly XP with a few FreeNX terminals on various Linux
> > > flavours) are all set up to use the proxy, and then iptables rules
> > > blocking users from bypassing the proxy, so I am not transparently
> > > intercepting web traffic, as I understand that authentication cannot
> > > be used with a transparent proxy.
> > >
> > > Is single sign-on a possibility without using an M$ PDC? All the
> > > searching seems to point to using ntlm_auth for this sort of thing.
> > > PS: I have tried using ntlm_auth to authenticate against the Samba server...
> > > the users are able to authenticate correctly, but still need to
> > > re-enter their credentials every time they open their browsers.
> >
> > Samba should be more than adequate in filling in the PDC role
> > in this scenario. Can you paste the relevant sections of your
> > squid conf?
> >
> >
> > --
> >  /kinkie
>
>  Thanks for the quick reply. My squid.conf in part is as follows:
>
>  auth_param basic program /usr/sbin/squid_ldap_auth -b "ou=Users,dc=nsc" -f "uid=%s"
>  auth_param basic children 5
>  auth_param basic credentialsttl 1 hour
>  auth_param basic casesensitive on
>  external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -v3 -b "ou=Groups,dc=nsc" -f "(&(cn=%g)(memberuid=%u))"
>  localhost
>  acl localnet src 192.168.1.0/24
>  acl auth proxy_auth REQUIRED
>  acl group_admin         external ldap_group admin
>  acl group_domainAdmins  external ldap_group "/etc/squid/groups_domainAdmins"

This explains things.
If you wish to have transparent authentication, then you need to use
the "ntlm" authentication scheme ("kerberos" too could work, but it's
still not supported by Microsoft clients).
You can check for details on the squid wiki.

-- 
 /kinkie
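As an added illustration of the change kinkie suggests (not part of the original thread), here is a squid.conf fragment that swaps the basic squid_ldap_auth scheme for Samba's ntlm_auth NTLM helper while keeping a basic fallback for clients that cannot do NTLM. It assumes the Squid host is joined to the Samba domain with winbindd running; the ntlm_auth path and the "auth" ACL name are assumptions, the LDAP group lookup is taken from the posted config.

```conf
# Added example, not from the thread: NTLM single sign-on through Samba's
# ntlm_auth (requires winbindd). Helper paths are assumptions.

# NTLM must be listed before basic: browsers pick the strongest scheme
# Squid advertises, so with basic first they keep prompting for a password.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Basic fallback against the same Samba account database, so non-domain
# clients (e.g. the FreeNX terminals) still get a password prompt instead of
# an unanswerable 407.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 1 hour

# One ACL type per acl line: network and authentication kept separate.
acl localnet src 192.168.1.0/24
acl auth proxy_auth REQUIRED

# The LDAP group lookup from the thread keeps working: %LOGIN carries the
# user name the NTLM helper returned. Verify in access.log that it matches
# the memberUid values in LDAP; a domain-qualified name (DOMAIN\user) would
# not match the (memberuid=%u) filter and every group ACL would deny.
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -v3 -b "ou=Groups,dc=nsc" -f "(&(cn=%g)(memberuid=%u))"
acl group_admin external ldap_group admin

# Require a valid login from the LAN; group ACLs then feed the delay pools.
http_access allow localnet auth
http_access deny all
```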
