Nick Cairncross wrote:
> Hi All,
> Things seem to be going well with my Squid project so far; a combined
> Mac/Windows AD environment using Kerberos authentication with fall
> back of NTLM. I (hopefully) seem to be getting the hang of it! I've
> been trying out the Kerberos LDAP look up tool and have a couple of
> questions (I think the answers will be no..):
> - Is it possible to wrap up the matched group name(s) in the header
> as it gets sent onwards to my peer? I used to use the authentication

I don't think so.
There is a lot of manipulation magic you can do with the ICAP or eCAP
interfaces that is not possible directly in Squid though.
The risk is breaking back-end services that can't handle the altered
header. Since you say below about already doing so, I assume this is a
non-risk for your network.

> agent that came from our A/V provider. This tool ran as a service and
> linked into our ISA. Once a user authenticated their group membership
> was forwarded along with their username to my peer (Scansafe). The
> problem is that it only does NTLM auth. It added the group
> (WINNT://[group]) into the header and then a rule base at the peer
> site could be set up based on group. Since I am using Kerberos I
> wondered whether it's possible to send the results of the Kerb LDAP
> auth? I already see the user on the peer as the Kerberos login. It
> would be great if I could include the group or groups...

You can do transparent login pass-thru to the peer (login=PASS). You can
log Squid-3.1 into the peer with Kerberos credentials.
But I do not think the Kerberos details get decoded to a
username/password for Squid to pass back as a pair.

> This is what I use currently: cache_peer proxy44.scansafe.net parent
> 8080 7 no-query no-digest no-netdb-exchange login=* (From
> http://www.hutsby.net/2008/03/apple-mac-osx-squid-and-scansafe.html)
> - Are there plans to integrate the lookup tool in future versions of
> Squid? I've enjoyed learning about compiling but.. just wondering..

No. Plans are for all network-specific adaptation to be done via
external helper processes. The *CAP interfaces for add-on modules allow
all the adaptation extras to be plugged in as needed in a very powerful way.
Check that AV tool, it likely has an ICAP interface Squid-3 can plug
into already.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
Current Beta Squid 3.1.0.18
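
The ICAP route mentioned in the reply, sketched as an added example that is not part of the original thread or of Squid: a REQMOD service's response that rewrites the request header block to carry the user's groups in the WINNT://[group] form described above. The header name, the ISTag value and the sample request are assumptions; the group list is taken as already looked up, and only body-less requests are handled.

```python
# Added example, not from the thread. Header name and ISTag are hypothetical.
GROUP_HEADER = "X-Authenticated-Groups"   # hypothetical header the peer would read
ISTAG = '"grp-demo-1"'                    # constructed ISTag (required by RFC 3507)

# Constructed sample: a client trying to smuggle in its own group header.
SAMPLE_REQ = (b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
              b"x-authenticated-groups: WINNT://Domain Admins\r\n\r\n")

def add_group_header(http_req_hdr, groups):
    """Return the request header block with one proxy-set group header."""
    for g in groups:
        if any(c in g for c in "\r\n,"):
            raise ValueError("group name would break header framing: %r" % g)
    head = http_req_hdr.split(b"\r\n\r\n", 1)[0]
    request_line, *fields = head.split(b"\r\n")
    target = GROUP_HEADER.lower().encode()
    kept, dropping = [], False
    for f in fields:
        if f[:1] in (b" ", b"\t"):        # folded continuation of previous field
            if not dropping:
                kept.append(f)
            continue
        # Drop any client-supplied copy so group membership cannot be spoofed.
        dropping = f.split(b":", 1)[0].strip().lower() == target
        if not dropping:
            kept.append(f)
    value = ",".join("WINNT://" + g for g in groups)
    kept.append(("%s: %s" % (GROUP_HEADER, value)).encode())
    return b"\r\n".join([request_line] + kept) + b"\r\n\r\n"

def icap_reqmod_response(http_req_hdr, groups):
    """Build the ICAP 200 reply carrying the modified, body-less request."""
    new_hdr = add_group_header(http_req_hdr, groups)
    # Encapsulated offsets are byte positions within the encapsulated section.
    icap = ("ICAP/1.0 200 OK\r\nISTag: %s\r\n"
            "Encapsulated: req-hdr=0, null-body=%d\r\n\r\n"
            % (ISTAG, len(new_hdr))).encode()
    return icap + new_hdr

if __name__ == "__main__":
    print(icap_reqmod_response(SAMPLE_REQ, ["Staff", "Web Users"]).decode())
```

The back-end caveat from the reply applies here too: the peer has to be configured to read whatever header name is chosen.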