Hi Joseph,
Here is a short overview of what squid_kerb_ldap does.
1) A user authenticates with either NTLM (username will be NT-DOM\user)
or Kerberos (username will be user@KERB-DOM)
2) squid_kerb_ldap uses the -N flag to map NT-DOM to KERB-DOM for NTLM
authenticated users
3) Uses DNS SRV records to find AD server for KERB-DOM
4) Uses the Kerberos Keytab to authenticate an ldap connection to AD
using SASL/GSSAPI.
5) Searches AD to check whether the user is a member of the group given by -s (the newer squid_kerb_ldap version also has an -m option to allow a recursive search, e.g. checking if a group is a member of another group ...)
Does this help?
Regards
Markus
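The five steps Markus lists above, worked through as an added Python example (this is not squid_kerb_ldap's own code, nor code from either message in this thread). The NT-domain-to-realm table, the group DN and the usernames are constructed; the -N flag's exact syntax is not quoted in the thread, so the mapping is passed in as a plain dict rather than parsed from a flag string. The only real identifiers used are the AD domain-controller SRV record name and the LDAP_MATCHING_RULE_IN_CHAIN OID that AD uses for nested-group (the -m style) searches. The RFC 4515 escaping is the check worth having before a proxy-supplied username is placed inside an LDAP filter, since a crafted username would otherwise alter the group test.

```python
"""Walk through the NTLM/Kerberos -> realm -> AD group-check steps.

Constructed example (Python 3, standard library only): the mapping table,
group DN and usernames are made up; nothing here contacts DNS or LDAP, it
only produces the names and filters that each step would use.
"""

# Real AD matching-rule OID for "membership in chain" (nested groups).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def parse_username(raw):
    """Step 1: split a proxy-supplied username into (user, domain, auth_kind).

    NTLM clients arrive as NT-DOM\\user, Kerberos clients as user@KERB-DOM.
    Anything else is refused rather than guessed at.
    """
    if "\\" in raw:
        domain, _, user = raw.partition("\\")
        kind = "ntlm"
    elif "@" in raw:
        user, _, domain = raw.rpartition("@")
        kind = "kerberos"
    else:
        raise ValueError("username carries no domain: %r" % raw)
    if not user or not domain:
        raise ValueError("empty user or domain in %r" % raw)
    return user, domain.upper(), kind


def realm_for(domain, kind, nt_to_kerb):
    """Step 2: map an NT domain to its Kerberos realm (the -N mapping).

    Kerberos names already carry the realm.  NTLM domains must be present in
    the mapping table; an unknown domain is refused instead of being searched
    in a realm chosen by guesswork.
    """
    if kind == "kerberos":
        return domain
    try:
        return nt_to_kerb[domain].upper()
    except KeyError:
        raise LookupError("no -N mapping for NT domain %s" % domain) from None


def ldap_srv_name(realm):
    """Step 3: the DNS SRV name that locates domain controllers for a realm."""
    return "_ldap._tcp.dc._msdcs.%s" % realm.lower()


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    Without this a username such as 'x)(memberOf=*' would change what the
    group check actually asks the directory.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_filter(user, group_dn, recursive=False):
    """Step 5: filter asking 'is this user a member of group_dn'.

    With recursive=True (the -m behaviour) the in-chain rule makes AD walk
    nested group membership inside a single search.
    """
    member_attr = "memberOf"
    if recursive:
        member_attr = "memberOf:%s:" % LDAP_MATCHING_RULE_IN_CHAIN
    return "(&(objectClass=user)(sAMAccountName=%s)(%s=%s))" % (
        escape_filter_value(user), member_attr, escape_filter_value(group_dn))


def plan_lookup(raw_username, nt_to_kerb, group_dn, recursive=False):
    """Tie the steps together: where to look (step 3) and what to ask (step 5).

    Step 4, the SASL/GSSAPI bind using the keytab, is the part that needs a
    live directory and is deliberately left out of this offline walk-through.
    """
    user, domain, kind = parse_username(raw_username)
    realm = realm_for(domain, kind, nt_to_kerb)
    return {
        "auth": kind,
        "realm": realm,
        "dc_srv": ldap_srv_name(realm),
        "filter": group_filter(user, group_dn, recursive),
    }


if __name__ == "__main__":
    mapping = {"NT-DOM": "KERB-DOM"}                               # constructed
    group = "CN=Proxy Users,OU=Groups,DC=kerb-dom,DC=example"      # constructed
    for name in ("NT-DOM\\alice", "bob@KERB-DOM"):
        print(plan_lookup(name, mapping, group, recursive=True))
```

Run it as-is to see the SRV name and filter produced for an NTLM and a Kerberos user; an NTLM user from a domain missing from the table raises LookupError, which is the refusal Markus's step 2 implies rather than a silent fallback.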
"Joseph L. Casale" <jcasale@xxxxxxxxxxxxxxxxx> wrote in message
news:CA5A491E9DEFBE4CB777DE97E21575E906BACE89@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
We have a mixed 2k -> 2k8r2 environment. Currently I am using ntlm_auth and Samba for the 2k machines, and squid_kerb_auth/squid_ldap_auth for the newer machines to manage access based on AD group membership.
Do I understand correctly that if I use squid_kerb_ldap with the -N I can provide group authentication for Kerb and NTLM based clients without an ldap bind account for our AD ldap server that does not accept anonymous binds?
Thanks,
jlc