Hi,

I am stuck with a similar problem, has there been any solution for this topic? (Btw, I am running Squid 3.1.8 on RHEL5.5)

We are trying to achieve the following:

CompanyA (us): own Active Directory domain and we are hosting the squid web server (central forward proxy for internet access with ICAP capabilities)
CompanyB: completely independent Active Directory domain
(CompanyC: might use our squid soon)
(CompanyD: might use our squid soon)

We have one shared squid server which should authenticate CompanyA with NTLM (or Kerberos) and CompanyB with LDAP (they insist on LDAP, I don't know why, but I suppose without a domain trust I could authenticate only one company with NTLM or Kerberos and would have trouble, right?)

NTLM is the preferred authentication method and if a client of CompanyA wants to look up something on the Internet, he will be authenticated with NTLM. If CompanyB wants to look up something, the browser submits NTLM data (valid for their domain, not ours) which are not valid for our domain and in theory, the browser should try Basic authentication (e.g. LDAP) next, but that does not happen. It still tries NTLM (Firefox as well as IE8 on Windows 7). For further info, look at [1], [2].

Unfortunately, I don't have many options:
- disable NTLM authentication in IE8 for CompanyB and then IE only tries LDAP, which works
- authenticate CompanyA by IP and disable NTLM authentication (= our current setup)

Of course it would be possible to authenticate everybody by LDAP (we are using an OpenLDAP metadirectory which talks to the ADs), but it is only Basic auth and a very bad idea.

Does anybody have any additional ideas? How do you guys handle authentication for multiple independent customers? In my opinion, this is a client problem; unfortunately IE and even FF are too dumb.

From a functional point of view, it should be standard to try the weaker (LDAP) authentication if the stronger (NTLM) does not work (from a security point of view, I am glad that this does not seem to work ;-)). Is there any option for squid to track authentication and only offer Basic authentication if NTLM failed [3]? Or anything similar?

I would appreciate any response!

best regards
Peter

additional info:

[1] http://img830.imageshack.us/img830/3920/squidntlmnotworking.png

[2] squid config:

#NTLM
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

# LDAP authentication
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 120 minute
auth_param basic program /opt/squid/libexec/squid_ldap_auth -b "dc=squid-proxy" -D "uid=user...." -w passwd -h server -f "(uid=%s)"

[3] Tcpdump shows me the headers with the following info (squid offers NTLM and Basic):

GET http://fxfeeds.mozilla.com/en-US/firefox/headlines.xml HTTP/1.1
Host: fxfeeds.mozilla.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
X-Moz: livebookmarks

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.8
Mime-Version: 1.0
Date: Fri, 17 Sep 2010 10:09:12 GMT
Content-Type: text/html
Content-Length: 1482
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en-us
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="Proxy"
X-Cache: MISS from xlsqip02_1
Via: 1.0 xlsqip02_1 (squid/3.1.8)
Connection: keep-alive

On Fri, Aug 13, 2010 at 4:01 PM, Tom Tux <tomtux80@xxxxxxxxx> wrote:
> Hi
>
> I run squid with the named debug-options. The "cache.log"-output seems
> a little bit complicated. So the only way I see is to have a remarked
> native ldap-authentication-configuration, which I can enable if the
> kerberos-mechanism fails.
>
> Or does somebody have such a config (kerberos with squid_kerb_ldap to
> get ad-groups AND squid_ldap_auth with a memberOf-filter) running?
>
> Thanks a lot.
> Regards,
> Tom
>
> 2010/8/11 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>> Tom Tux wrote:
>>>
>>> Hi Amos
>>>
>>> Thanks a lot for this explanation. Both configurations separately -
>>> native kerberos and native ldap - are working fine. But in
>>> combination, there is still one problem.
>>>
>>> Here is my actual configuration (combined two mechanisms) again:
>>>
>>> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
>>> auth_param negotiate children 50
>>> auth_param negotiate keep_alive on
>>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "InternetUsers"
>>> acl INTERNET_ACCESS external SQUID_KERB_LDAP
>>>
>>> external_acl_type SQUID_DENY_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "DenyInternetUsers"
>>> acl DENY_INTERNET_ACCESS external SQUID_DENY_KERB_LDAP
>>>
>>> # LDAP-Fallback
>>> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -v 3 -b "dc=xx,dc=yy" -D "cn=binduser,dc=xx,dc=yy" -w "something" -f "(&(&(objectClass=Person)(sAMAccountName=%s))(memberOf=cn=InternetUsers,DC=xx,DC=yy))" -c 3 -h ldaps://xx.xx.xx.xx -h ldaps://xx.xx.xx.xx
>>> auth_param basic children 20
>>> auth_param basic realm "Internet Access"
>>> auth_param basic credentialsttl 2 hour
>>> acl INTERNET_ACCESS_LDAP proxy_auth REQUIRED src 0.0.0.0
>>
>> The "src" and "0.0.0.0" usernames (yes *usernames*) should be ignored by
>> Squid.
>>
>>>
>>> And here the relevant part of the http_access-directives:
>>> http_access deny DENY_INTERNET_ACCESS
>>> http_access deny !INTERNET_ACCESS
>>> http_access deny !INTERNET_ACCESS_LDAP
>>> http_access allow INTERNET_ACCESS
>>> http_access allow INTERNET_ACCESS_LDAP
>>> http_access deny all
>>>
>>> With this configuration, I'm able to access with kerberos, but never
>>> with ldap. I always get an "access denied". What directives do I have
>>> to change/add to get both accesses (kerberos & ldap)?
>>
>> Run Squid with "debug_options 82,3 28,3" to check which ACLs are matching
>> and which denying.
>>
>> I notice the !INTERNET_ACCESS is required to pass before anything is
>> allowed. It could be that your Basic protocol credentials are not being
>> accepted by the Negotiate/Kerberos protocol group helper and inverting into
>> a deny.
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE9 or 3.1.6
>> Beta testers wanted for 3.2.0.1
>>
>
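An added illustration, not part of the thread: a toy Python model of Squid's first-match http_access evaluation, run over the rule list Tom posted, shows why a Basic/LDAP-only user is stopped by "deny !INTERNET_ACCESS" before either allow line is ever consulted, which is the point Amos raises. The per-request ACL outcomes are constructed (INTERNET_ACCESS_LDAP is "proxy_auth REQUIRED", so it is true for any authenticated user), and the reordered list is my assumption, not Amos's verbatim advice.

```python
# Added example, not from the squid-users thread: a simplified model of how
# Squid walks http_access lines top to bottom and lets the first matching line
# decide. "!ACL" negates one ACL; all ACLs on a line must match (they are AND-ed).
from typing import Dict, List, Tuple

Rule = Tuple[str, List[str]]   # (action, [acl names, "!" prefix = negated])

# Exactly the order Tom posted.
THREAD_RULES: List[Rule] = [
    ("deny",  ["DENY_INTERNET_ACCESS"]),
    ("deny",  ["!INTERNET_ACCESS"]),
    ("deny",  ["!INTERNET_ACCESS_LDAP"]),
    ("allow", ["INTERNET_ACCESS"]),
    ("allow", ["INTERNET_ACCESS_LDAP"]),
    ("deny",  ["all"]),
]

# Assumed reordering: deny the block-list first, then give each auth path its
# own allow, then the catch-all deny. No "deny !X" gate in front of the allows.
FIXED_RULES: List[Rule] = [
    ("deny",  ["DENY_INTERNET_ACCESS"]),
    ("allow", ["INTERNET_ACCESS"]),
    ("allow", ["INTERNET_ACCESS_LDAP"]),
    ("deny",  ["all"]),
]

def evaluate(rules: List[Rule], acl_results: Dict[str, bool]) -> Tuple[str, int]:
    """Return (decision, index of the line that fired). 'all' always matches."""
    for idx, (action, acls) in enumerate(rules):
        matched = True
        for name in acls:
            negated = name.startswith("!")
            key = name.lstrip("!")
            value = True if key == "all" else acl_results.get(key, False)
            if value == negated:      # result is the opposite of what the line needs
                matched = False
                break
        if matched:
            return action, idx
    # Squid's documented default when nothing matches: opposite of the last line.
    return ("allow" if rules[-1][0] == "deny" else "deny"), len(rules)

# Constructed helper outcomes. The external ACLs ask squid_kerb_ldap about the
# %LOGIN name; a Basic-only user is unknown to that Kerberos group helper.
KERB_USER = {"INTERNET_ACCESS": True,  "INTERNET_ACCESS_LDAP": True,  "DENY_INTERNET_ACCESS": False}
LDAP_USER = {"INTERNET_ACCESS": False, "INTERNET_ACCESS_LDAP": True,  "DENY_INTERNET_ACCESS": False}
BLOCKED   = {"INTERNET_ACCESS": True,  "INTERNET_ACCESS_LDAP": True,  "DENY_INTERNET_ACCESS": True}

if __name__ == "__main__":
    for label, acls in (("kerberos", KERB_USER), ("ldap", LDAP_USER), ("blocked", BLOCKED)):
        print(f"{label:8} thread order -> {evaluate(THREAD_RULES, acls)}   "
              f"fixed order -> {evaluate(FIXED_RULES, acls)}")
```

Running it shows the LDAP user denied by line 1 of the posted order and allowed by the LDAP line of the reordered list, while the Kerberos user and the DenyInternetUsers member keep their outcomes; "debug_options 82,3 28,3" on the real proxy gives the same per-ACL trace.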