Re: Squid auto-ldap (AD) authentication

Michael Mansour wrote:
Hi,

I've gone through the instructions here:

http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory


which allowed me to setup Windows AD authentication from a Squid
proxy running on Linux.

Works fine, but what I want to do is not have to have people be
prompted for a username and password from within their browser (and
then have Squid authenticate that against AD).

That is, can Squid figure out the username and password from the
machine set up to access the proxy, auto-authenticate that
username and password with AD, and, if successful, allow them use of
the proxy?

Let's get this clear:

You want Squid to hack its way into the connecting user's private machine, unlock their security settings, pull out whatever ones apply to the proxy, and do it without alerting the user about what's happening?

Note: people will only be made aware of the login request if the browser does not know what credentials to send to a challenging proxy.

This happens when:
 a) the browser has no knowledge of the login to be sent to the challenger;
 b) a previous set of credentials the browser had on record and sent have failed;
 c) the browser has a secure credentials storage which has not been unlocked by the user, causing (a) as a side-effect.



Note that the way this is setup currently:

* users don't have internet access unless they go through Squid

* Windows AD holds accounts and groups

* groups exist for "full internet access", "limited internet access",
"blocked sites"

* Squid uses the LDAP helper to query the username and group to
determine what access the user has to the internet

* Squid prompts for a username and password

* ACLs determine what regex files to query for allowed sites,
blocked sites etc.

What I need to do is try and avoid the Squid login/password window
and just allow the Windows login people use to login to Windows (and
their AD accounts) for Squid to auto-authenticate.

Can this be done? If so, any URLs or how-tos anyone knows about?


What you want is not possible with regular authentication.

There are two security concepts here that you need to be clear on:

authorization - the information that source X is allowed/denied to connect to destination Y

authentication - the information that source X really is source X.

The Squid ACL and access controls perform the _authorization_ part of the setup.

The authentication "challenge-response", as it is called, is fundamental to how secure authentication works. Authentication credentials are just one set of details Squid uses to make decisions.


When the browser is explicitly configured (manually or via WPAD/PAC) with proxy settings, most of them have the capability of responding with either a pre-configured login or a secure encrypted token which the proxy can check against some third-party backend. This hides the fact of the challenge from the user initially, but if that fails a re-challenge causes things like the visible popups.


What you are asking is to find out who the user is in a situation where the browser has sent no such username/password or token. And you do not want Squid to challenge for them. This places major restraints on what can be done.

The only thing left is something called side-band _authorization_, where details from the request (IP is the most commonly abused) are sent to some third-party source in the hope that it will be able to identify the user. It's done by external_acl_type if the regular ACLs are not enough.

But consider carefully before you replace security:
 what is going to happen if the side-band fails?
 how certain are you that the details chosen for detection are reliable?
 what happens when two people send the same details? at once? one after the other?
 is it worth the risk?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.15
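As an added illustration of the side-band route Amos describes (this is not part of his reply or Squid's own code): a minimal external_acl_type helper that maps a client IP to a user and deliberately answers ERR for each of the failure cases he lists, so the proxy fails closed instead of guessing. The IP-to-user table and the helper path are constructed assumptions; the one-line request / `OK`/`ERR` reply format with `user=` and `message=` tags follows the helper protocol documented for Squid 3.x.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: side-band authorization by source IP.

Constructed example. Assumed squid.conf line (path is a placeholder):
  external_acl_type ipuser ttl=60 negative_ttl=10 %SRC /path/to/ip_user_helper.py
Squid writes one request per line on stdin (here just %SRC, the client IP)
and expects "OK" or "ERR" on stdout, optionally followed by key=value tags.
Every lookup failure or ambiguity answers ERR, so access fails closed.
"""
import sys
from typing import Dict, List

# Constructed table standing in for a directory/DHCP lookup:
# source IP -> AD accounts recently seen on that address.
IP_TO_USERS: Dict[str, List[str]] = {
    "10.0.0.11": ["alice"],
    "10.0.0.12": ["bob"],
    "10.0.0.13": ["carol", "dave"],  # shared/NAT address: two people, same details
    "10.0.0.14": [],                 # address known, nobody currently bound to it
}


def decide(request_line: str, table: Dict[str, List[str]] = IP_TO_USERS) -> str:
    """Map one request line (%SRC) to a Squid helper reply.

    Returns 'OK user=<name>' only when exactly one identity is bound to the
    address. Unknown address, no user, more than one user or a malformed line
    all return ERR with a message= tag saying why (the side-band "failed").
    """
    fields = request_line.strip().split()
    if len(fields) != 1:
        return "ERR message=malformed_request"
    src = fields[0]
    if src not in table:
        return "ERR message=side_band_unknown_address"
    users = table[src]
    if not users:
        return "ERR message=no_identity_for_address"
    if len(users) > 1:
        # Two people send the same details: refuse rather than pick one.
        return "ERR message=ambiguous_identity"
    return f"OK user={users[0]}"


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid waits for the reply before reusing the helper


if __name__ == "__main__":
    main()
```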
