Dear Markus,

That cleared up and explained a lot to me and has given me direction for developing a better understanding of the whole concept. Thanks a lot.

regards,
Bilal

----------------------------------------
> To: squid-users@xxxxxxxxxxxxxxx
> From: huaraz@xxxxxxxxxxxxxxxx
> Date: Tue, 6 Apr 2010 20:14:32 +0100
> Subject: Re: Re: SSO with Active Directory-Squid Clients
>
> Hi Bilal,
>
> It is a bit more complicated. It is not a pure Kerberos authentication but
> a Negotiate/Kerberos authentication.
>
> If you have a Windows client and the proxy sends WWW-Proxy-Authorize:
> Negotiate, the Windows client will first try to get a Kerberos ticket and, if
> that succeeds, sends a Negotiate response with a Kerberos token to the proxy.
> If the Windows client fails to get a Kerberos ticket, the client will send a
> Negotiate response with an NTLM token to the proxy. Unfortunately there is
> as yet no squid helper which can handle both a Negotiate/Kerberos response and
> a Negotiate/NTLM response (although maybe the samba ntlm helper can). So
> there is a fallback when you use Negotiate, but it has some caveats.
>
> Regarding your second point, I can not really judge which one is better; I
> think it will depend on your environment.
>
> Regards
> Markus
>
> "GIGO ." wrote in message
> news:SNT134-w101CBED44254F957CDA154B9180@xxxxxxxxxx
>
> Dear Markus,
>
> Please, I have a few confusions which I want to satisfy.
>
> 1. If Kerberos authentication fails, then what would be the fallback behavior?
> Would Basic authentication to LDAP be used instead? Does it need to
> be defined? What is the best strategy, as Basic authentication will be in
> clear text? In a Microsoft environment the fallback is to NTLM authentication
> if Kerberos fails; isn't that a better strategy?
>
> 2. Isn't it better to use the combination of Kerberos/LDAP only for SSO with
> Active Directory? Why is winbind/Samba referred to in many tutorials, while to
> me it looks redundant? Does it give any additional benefit or is it more
> stable? Can you please enlighten me.
>
> regards,
> Bilal
>
> ----------------------------------------
>> To: squid-users@xxxxxxxxxxxxxxx
>> From: huaraz@xxxxxxxxxxxxxxxx
>> Date: Sat, 3 Apr 2010 13:34:15 +0100
>> Subject: Re: SSO with Active Directory-Squid Clients
>>
>> Have a look at
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos and
>> http://sourceforge.net/projects/squidkerbauth/files/squidkerbldap/squid_kerb_ldap-1.2.1/squid_kerb_ldap-1.2.1.tar.gz/download
>>
>> Regards
>> Markus
>>
>> "GIGO ." wrote in message
>> news:SNT134-w171836624CE7937AD90D3EB91B0@xxxxxxxxxx
>>
>> Dear All/Amos,
>>
>> I want to allow certain (not all) Active Directory users to use squid by
>> way of SSO with Active Directory. That means when any one of those specific
>> users logs into Active Directory they should automatically have access
>> to the internet via Squid Proxy. Other AD users which have not been granted
>> permissions in Squid will be disallowed. Is it possible? How? Please guide in
>> detail.
>>
>> This was my assumption of how it would be done:
>>
>> I needed to compile squid with these additional options:
>> --enable-basic-auth-helpers="LDAP" --enable-auth="basic,negotiate,ntlm"
>> --enable-external-acl-helpers="wbinfo_group,ldap_group" --enable-negotiate-auth-helpers="squid_kerb_auth"
>> Right??
>>
>> I need to configure krb5.conf to point to AD as Default_realm on CENTOS
>> 5.4 too, right?
>>
>> I think that I must make Centos 5.4 a member of the domain? Am I
>> right, or is it not necessary?
>>
>> How will these specific AD users (with internet access allowed) be
>> told/mentioned to the squid?
>>
>> I have also studied your article
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap?action=print
>>
>> However, this is allowing all (not specific) Active Directory or LDAP users
>> internet access. This logic is just checking the validity of the user account
>> with Active Directory by popping up a login/password and, if it succeeds,
>> network access is granted. Am I right?
>>
>> Bottom line is that I am completely lost and have not much idea what and
>> how to do it. We are currently using Microsoft ISA server and are about to
>> move to Squid, and this requirement is very necessary.
>>
>> regards,
>>
>> Bilal Aslam
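Markus explains above that a Windows client answers a Negotiate challenge with either a Kerberos token or, when it could not get a ticket, an NTLM token, and that the proxy side cannot currently handle both. The following is an added example, not part of the thread and not code from Markus or the Squid project: it parses the base64 token in a Proxy-Authorization: Negotiate value just far enough to tell which mechanism the client actually chose, which is what an administrator needs in order to measure how often clients silently fall back to NTLM. The sample tokens are constructed with a small DER builder and their inner payloads are placeholders, not real tickets or NTLM messages; the function names and the OID constants are this example's own.

```python
import base64

# DER-encoded mechanism OIDs (element contents, without the 0x06 tag and length).
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (MS Kerberos)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
KERBEROS_OIDS = {OID_KRB5, OID_MS_KRB5}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def der_length(n):
    """DER length: short form below 128, long form with a byte count above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + der_length(len(content)) + content

def read_tlv(buf, pos):
    """Parse one DER TLV starting at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 128:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    """Yield (tag, content) for each TLV laid out back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content

def _classify_bytes(token):
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                   # bare NTLMSSP message under the Negotiate scheme
    if token[0] != 0x60:
        return "unknown"
    # RFC 2743 InitialContextToken: [APPLICATION 0] { mechanism OID, inner token }
    _, body, _ = read_tlv(token, 0)
    tag, mech_oid, after_oid = read_tlv(body, 0)
    if tag != 0x06:
        return "unknown"
    if mech_oid in KERBEROS_OIDS:
        return "kerberos"               # raw GSS-API Kerberos token, no SPNEGO wrapper
    if mech_oid != OID_SPNEGO:
        return "unknown"
    # SPNEGO NegTokenInit [0] { SEQUENCE { mechTypes [0], ..., mechToken [2] } }
    tag, neg_init, _ = read_tlv(body, after_oid)
    if tag != 0xA0:
        return "unknown"
    _, seq, _ = read_tlv(neg_init, 0)
    first_mech = None
    for tag, content in iter_tlvs(seq):
        if tag == 0xA0:                 # mechTypes: the first OID is the one the client chose
            _, mech_list, _ = read_tlv(content, 0)
            oids = [c for t, c in iter_tlvs(mech_list) if t == 0x06]
            first_mech = oids[0] if oids else None
        elif tag == 0xA2:               # mechToken: carries the chosen mechanism's message
            _, inner, _ = read_tlv(content, 0)
            if inner.startswith(NTLMSSP_SIGNATURE):
                return "ntlm"
    if first_mech in KERBEROS_OIDS:
        return "kerberos"
    if first_mech == OID_NTLMSSP:
        return "ntlm"
    return "unknown"

def classify_negotiate_token(header_value):
    """Classify a 'Proxy-Authorization: Negotiate <base64>' value as kerberos/ntlm/unknown."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "unknown"
    try:
        return _classify_bytes(base64.b64decode(b64.strip(), validate=True))
    except (ValueError, IndexError):    # bad base64 or truncated DER
        return "unknown"

def build_spnego_token(mech_oids, mech_token):
    """Constructed SPNEGO NegTokenInit for the samples below (not a real client token)."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    token_field = der(0xA2, der(0x04, mech_token))
    neg_init = der(0xA0, der(0x30, mech_types + token_field))
    return der(0x60, der(0x06, OID_SPNEGO) + neg_init)

def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed samples; the inner payloads are placeholders, not real tickets or NTLM messages.
SAMPLE_KERBEROS = negotiate_header(
    build_spnego_token([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"placeholder-ap-req"))
SAMPLE_NTLM_FALLBACK = negotiate_header(
    build_spnego_token([OID_NTLMSSP], NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00"))
SAMPLE_RAW_NTLM = negotiate_header(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00")
```

Run over Proxy-Authorization values captured from proxy traffic or a debug log, a count of "ntlm" results shows how many clients are hitting the fallback Markus describes (typically because the SPN for the proxy is missing or the client could not reach a KDC), so the problem can be fixed on the Kerberos side rather than papered over with an NTLM helper.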