Thanks Joseph, I found the AD group cannot be a domain local group. Set to global it works, but that's only good if you only have one domain. Set to universal it will enumerate users in trusted domains.

I have a user in a trusted domain belonging to a global group in that domain called internet. The global group internet in that domain is a member of the local domain's universal group inetfullaccess. I told ntlm_auth to require membership of the local domain's inetfullaccess group.

So the ldap_auth / ldap_group method is not single sign-on capable?

Jeff

On Wed, Jan 21, 2009 at 4:13 PM, Joseph L. Casale <JCasale@xxxxxxxxxxxxxxxxx> wrote:
>>Thank you for your howto. Because of your howto I've had a test system
>>logging access by DOMAIN\Username for a while now. After thorough
>>review I can't see where the --require-membership-of switch is added.
>
> You add the switch to the ntlm_auth command:
> $ /usr/bin/ntlm_auth --help
> So mine looks like this:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=AD_DOMAIN\\AD_GROUP
>
>>I still wonder if someone is keeping track of the various AD Auth
>>mechanisms and stating out loud which is the most elegant.
>
> Well, "most elegant" is a matter of perspective, just like our different
> requirements.
>
>>ntlm_auth requires Kerberos and Samba and domain membership. I don't
>>like this on a firewall box.
>>
>>Best I can tell ldap_auth and ldap_group don't require either of
>>these. Am I wrong?
>
> Yeah, I wouldn't want that there either. I haven't used the ldap_auth,
> but if it can bind with the user/pass asking for access it would be
> golden in your scenario; otherwise you need anonymous binding or a service
> account, both of which aren't secure.
>
> That also won't be seamless; you'll always need to log in. The ntlm_auth is
> seamless, so I achieve SSO for all my browsers here.
>
> jlc
>
> PS. Reply to all, or rewrite the recipient to the list email ;)
>
> --
> Jugs are best when they come in pairs with a nice V a-tween em.