> Thanks Joseph, I found the AD group cannot be a domain local group.
> Set to global it works, but that's only good if you only have one
> domain. Set to universal it will enumerate users in trusted domains. I
> have a user in a trusted domain belonging to a global group in that
> domain called internet. The global group internet in that domain is a
> member of the local domain's universal group inetfullaccess. I told
> ntlm_auth to require membership of the local domain's inetfullaccess
> group.
>
> So the ldap_auth ldap_group method is not single sign-on capable?

Hrm, I am not sure what happens here; I have seen nested groups break lots more than just squid.

I haven't used LDAP in squid, but I can't see how it could possibly do SSO. LDAP does not know anything about a password hash (that a user would have after logging in to the domain). That's why I use an ntlm method: users open their browser and it passes the credentials along to be checked, versus an LDAP method which will prompt for auth, then check it by either binding anonymously or with a service account/prompted user's creds for whether or not the user exists and has perms.

jlc
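For readers following the ntlm_auth approach described above, this is an added squid.conf fragment (not from either poster) showing the Samba ntlm_auth helper restricted to the inetfullaccess group mentioned in the thread; the domain name EXAMPLE, the helper path and the child count are assumptions, and winbind is assumed to be joined to the domain so it resolves the (nested) group membership.

```conf
# Single sign-on via NTLM: the browser forwards the domain credentials,
# winbind verifies them, and --require-membership-of rejects users who
# are not (directly or via nesting) in EXAMPLE\inetfullaccess.
auth_param ntlm program /usr/bin/ntlm_auth \
    --helper-protocol=squid-2.5-ntlmssp \
    --require-membership-of=EXAMPLE\inetfullaccess
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Only requests that passed the helper (and therefore the group check)
# may use the proxy; everything else is denied.
acl inet_users proxy_auth REQUIRED
http_access allow inet_users
http_access deny all
```

Note that the group check is done by the helper, not by an LDAP lookup, so the client never sees a separate password prompt.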