On 18/09/10 00:14, guest01 wrote:
Hi, I am stuck with a similar problem, has there been any solution for this topic? (Btw, I am running Squid 3.1.8 on RHEL5.5) We are trying to achieve following: CompanyA (us): own Active Directory domain and we are hosting the squid web server (central forward proxy for internet access with ICAP capabilities) CompanyB: completely independent Active Directory Domain (CompanyC: might use our squid soon) (CompanyD: might use our squid soon) We have one shared squid server which should authenticate CompanyA with NTLM (or kerberos) and CompanyB with LDAP (they insist on LDAP, I don't know why, but I suppose without a domain trust I could authenticate only one company with NTLM or kerberos and would have troubles, right?) NTLM is the prefered authentication method and if a Client of CompanyA wants to lookup something in the Internet, he will be authenticated with NTLM. If CompanyB wants to lookup something, the Browser submits NTLM data (valid for their domain, not ours) which are not valid for our domain and in theory, the browser should try Basic-Authentication (e.g. LDAP) next, but that does not happen. It still tries NTLM (Firefox as well as IE8 on Windows 7). For further infos, look at [1],[2]. Unfortunately, I don't have much options: - disable ntml authentication in IE8 for CompanyB and then IE only tries LDAP which works - authenticate CompanyA by IP and disable NTML authentication (= our current setup) Of course it would be possible to authenticate everybody by LDAP (we are using a OpenLDAP metadirectory which talks to the ADs), but it is only a Basic auth and a very bad idea Has anybody any additional idea? How do you guys handle authentication for multiple independent customers? In my opinion, this is a client problem, unfortunately IE and even FF are too dumb. From a functional perspective of view, it should be standard to try the weaker (LDAP) authentication if the stronger (NTLM) does not work (from a security perspective of view, I am glad that this does not seem to work ;-)). Is there any option for the squid to track authentication and only offer basic authentication if ntlm failed [3]? Or anything similar? I would appreciate any response! best regards Peter
Squid does not currently offer any way to selectively pick the auth methods to advertise. There are a few possible designs and someone was working on it a while back.
Stripping away auth methods which have failed is not possible. Due to the problems of: How do you deal with a user typo'd in their password? or who recently changed password but the browser still sends the old one first?.
The workaround that comes to mind is to run a "shell" squid instance for each client or at lest for each primary auth type which only does auth then funnels requests through to some parent proxy for handling.
Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.8 Beta testers wanted for 3.2.0.2
