> Thank you for your howto. Because of your howto I've had a test system
> logging access by DOMAIN\Username for a while now. After thorough
> review I can't see where the --require-membership-of switch is added.

You add the switch to the ntlm_auth command:

    $ /usr/bin/ntlm_auth --help

So mine looks like this:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=AD_DOMAIN\\AD_GROUP

> I still wonder if someone is keeping track of the various AD Auth
> mechanisms and stating out loud which is the most elegant.

Well, "most elegant" is a matter of perspective, just like our different requirements.

> ntlm_auth requires Kerberos and Samba and domain membership. I don't
> like this on a firewall box.
>
> Best I can tell ldap_auth and ldap_group don't require either of
> these. Am I wrong?

Yeah, I wouldn't want that there either. I haven't used ldap_auth, but if it can bind with the user/pass asking for access it would be golden in your scenario; otherwise you need anonymous binding or a service account, both of which aren't secure.

That also won't be seamless; you'll always need to log in. ntlm_auth is seamless, so I achieve SSO for all my browsers here.

jlc

Ps. Reply to all, or rewrite the recipient to the list email ;)
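An added example, not part of the thread above, for checking from the proxy side that the --require-membership-of restriction is taking effect: it reads Squid native-format access.log lines, tallies which DOMAIN\Username values actually authenticated, and flags client addresses that only ever received 407 challenges (what a user outside AD_GROUP looks like, since the helper rejects the login and the browser keeps being challenged). The log lines are constructed, and the "challenged but never authenticated" rule is a heuristic, not something Squid reports itself.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log format (not real traffic).
# Field order: timestamp elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1700000000.101    120 10.0.0.5 TCP_DENIED/407 3875 GET http://example.com/ - HIER_NONE/- text/html
1700000000.202     95 10.0.0.5 TCP_MISS/200 1234 GET http://example.com/ AD_DOMAIN\\jdoe HIER_DIRECT/93.184.216.34 text/html
1700000000.303     80 10.0.0.9 TCP_DENIED/407 3875 GET http://example.org/ - HIER_NONE/- text/html
1700000000.404     70 10.0.0.9 TCP_DENIED/407 3875 GET http://example.org/ - HIER_NONE/- text/html
1700000000.505     60 10.0.0.7 TCP_MISS/200 999 CONNECT example.net:443 AD_DOMAIN\\asmith HIER_DIRECT/203.0.113.7 -
"""

NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_line(line):
    """Return the named fields of one native-format line, or None if it does not parse."""
    m = NATIVE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Tally authenticated users and find clients that were only ever challenged."""
    authenticated = Counter()   # DOMAIN\user -> number of authenticated requests
    challenged = Counter()      # client IP -> number of 407 responses
    clients_with_auth = set()   # client IPs that completed authentication at least once
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] != "-":
            authenticated[rec["user"]] += 1
            clients_with_auth.add(rec["client"])
        elif rec["status"] == "407":
            challenged[rec["client"]] += 1
    # Heuristic: a single 407 is part of a normal NTLM handshake; a client that
    # collected challenges and never authenticated is worth a look (wrong group,
    # not domain-joined, or a browser without NTLM support).
    never_authenticated = {c: n for c, n in challenged.items() if c not in clients_with_auth}
    return {"authenticated": dict(authenticated), "never_authenticated": never_authenticated}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```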