> Here is a short overview of what squid_kerb_ldap does.
> 1) A user authenticates with either NTLM (username will be NT-DOM\user)
> or Kerberos (username will be user@KERB-DOM)
> 2) squid_kerb_ldap uses the -N flag to map NT-DOM to KERB-DOM for NTLM
> authenticated users
> 3) Uses DNS SRV records to find AD server for KERB-DOM
> 4) Uses the Kerberos Keytab to authenticate an ldap connection to AD
> using SASL/GSSAPI.
> 5) Searches AD if the user is member of the group given by -s (The newer
> squid_kerb_ldap version has also an -m option to allow recursive search
> (e.g. check if a group is a member of another group ....))
>
> Does this help?

Markus,

Sure does... So by creating a computer account in AD, I can avoid the LDAP bind account I was using with the older squid_ldap_auth helper, great.

Thanks!
jlc
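The flow quoted above (steps 1-3 and 5), modelled offline in Python as an added example; it is not squid_kerb_ldap's code and not part of the original thread. Assumptions: the domain map, the DNs and the `_ldap._tcp` record name are constructed or conventional AD values, a dict stands in for the `memberOf` lookups, and the SASL/GSSAPI bind of step 4 is left out because it needs a live KDC.

```python
# Constructed sample data: NetBIOS-to-realm map (what -N supplies) and memberOf links.
NETBIOS_MAP = {"NT-DOM": "KERB-DOM.EXAMPLE"}
ALICE = "CN=alice,OU=Staff,DC=kerb-dom,DC=example"
STAFF = "CN=Staff,OU=Groups,DC=kerb-dom,DC=example"
WEB = "CN=WebUsers,OU=Groups,DC=kerb-dom,DC=example"
MEMBER_OF = {ALICE: [STAFF], STAFF: [WEB]}  # Staff is nested inside WebUsers

def normalize_user(login, netbios_map):
    """Steps 1-2: turn 'NT-DOM\\user' (NTLM) or 'user@REALM' (Kerberos) into (user, REALM)."""
    if "\\" in login:
        dom, user = login.split("\\", 1)
        realm = netbios_map.get(dom.upper())
        if realm is None:
            raise ValueError(f"no realm mapping for NetBIOS domain {dom!r}")
    elif "@" in login:
        user, realm = login.rsplit("@", 1)
    else:
        raise ValueError("login carries no domain part")
    if not user or not realm:
        raise ValueError("empty user or realm")
    return user, realm.upper()

def srv_name(realm):
    """Step 3: SRV record name to query for the realm's LDAP servers."""
    return f"_ldap._tcp.{realm.lower()}"

def user_filter(user):
    """Step 5: search filter, RFC 4515-escaped so a login name cannot rewrite it."""
    safe = "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in user)
    return f"(&(objectClass=user)(sAMAccountName={safe}))"

def is_member(user_dn, group_cn, member_of, recursive=False):
    """Step 5: direct membership, or nested membership when recursive (the -m idea)."""
    seen, todo = set(), list(member_of.get(user_dn, []))
    while todo:
        dn = todo.pop()
        if dn in seen:          # guards against group membership loops
            continue
        seen.add(dn)
        if dn.lower().startswith(f"cn={group_cn.lower()},"):
            return True
        if recursive:
            todo.extend(member_of.get(dn, []))
    return False

if __name__ == "__main__":
    user, realm = normalize_user("NT-DOM\\alice", NETBIOS_MAP)
    print(user, realm, srv_name(realm), user_filter(user))
    print(is_member(ALICE, "WebUsers", MEMBER_OF, recursive=True))
```
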