
Re: Re: Native Kerberos (squid_kerb_auth) with LDAP-Fallback (squid_ldap_auth)

On 18/09/10 00:14, guest01 wrote:
Hi,

I am stuck with a similar problem, has there been any solution for
this topic? (Btw, I am running Squid 3.1.8 on RHEL5.5)

We are trying to achieve following:
CompanyA (us): own Active Directory domain and we are hosting the
squid web server (central forward proxy for internet access with ICAP
capabilities)
CompanyB: completely independent Active Directory Domain
(CompanyC: might use our squid soon)
(CompanyD: might use our squid soon)

We have one shared squid server which should authenticate CompanyA
with NTLM (or kerberos) and CompanyB with LDAP (they insist on LDAP, I
don't know why, but I suppose without a domain trust I could
authenticate only one company with NTLM or kerberos and would have
troubles, right?)
NTLM is the preferred authentication method and if a client of CompanyA
wants to look up something on the Internet, he will be authenticated
with NTLM.
If CompanyB wants to look up something, the browser submits NTLM data
(valid for their domain, not ours) which is not valid for our domain
and in theory, the browser should try Basic authentication (e.g. LDAP)
next, but that does not happen. It still tries NTLM (Firefox as well
as IE8 on Windows 7). For further info, look at [1],[2].

Unfortunately, I don't have many options:
- disable NTLM authentication in IE8 for CompanyB and then IE only
tries LDAP, which works
- authenticate CompanyA by IP and disable NTLM authentication (= our
current setup)

Of course it would be possible to authenticate everybody by LDAP (we
are using an OpenLDAP metadirectory which talks to the ADs), but it is
only Basic auth and a very bad idea.

Has anybody any additional idea? How do you guys handle authentication
for multiple independent customers?

In my opinion, this is a client problem; unfortunately IE and even FF
are too dumb. From a functional point of view, it should be
standard to try the weaker (LDAP) authentication if the stronger
(NTLM) does not work (from a security point of view, I am glad
that this does not seem to work ;-)). Is there any option for
Squid to track authentication and only offer Basic authentication if
NTLM failed [3]? Or anything similar?

I would appreciate any response!
best regards
Peter

Squid does not currently offer any way to selectively pick the auth methods to advertise. There are a few possible designs and someone was working on it a while back.

Stripping away auth methods which have failed is not possible, due to problems such as: how do you deal with a user who typo'd their password, or who recently changed their password but whose browser still sends the old one first?


The workaround that comes to mind is to run a "shell" Squid instance for each client, or at least for each primary auth type, which only does auth and then funnels requests through to some parent proxy for handling.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2
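As an added illustration of the two-tier layout Amos describes (this is not part of his reply, nor the Squid project's own documentation), the fragments below sketch one front-end "shell" instance per customer that does nothing but authenticate, plus the shared parent that does the real work. Hostnames, listening ports, helper paths, the Kerberos service principal, the LDAP base DN and bind account, the source addresses and the `login=*:...` shared secret are all assumed placeholders; `squid_kerb_auth` and `squid_ldap_auth` are the helper names in use at the time of the thread, and the `cache_peer` / `never_direct` / `auth_param` directives are standard Squid 3.1 syntax.

```conf
# ---- squid-companya.conf: shell instance for CompanyA (Negotiate/Kerberos only)
# Assumed: this instance listens on 3128 and the shared parent is parent.proxy.example:3128
http_port 3128

# Kerberos service principal is an assumed placeholder
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy-a.companya.example
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Everything goes to the parent; the shell never fetches from the origin itself.
# login=*:<secret> forwards the authenticated username to the parent with a
# fixed password (Negotiate/NTLM credentials cannot be relayed), so the parent
# must accept that secret only from the shell instances' addresses.
cache_peer parent.proxy.example parent 3128 0 no-query no-digest default login=*:shell-a-secret-placeholder
never_direct allow all
cache deny all

# ---- squid-companyb.conf: shell instance for CompanyB (Basic/LDAP only)
# Assumed: listens on 3129; base DN, filter, bind DN and LDAP host are placeholders.
# Basic auth carries the password in the clear, so keep this listener on a
# trusted network segment.
http_port 3129

auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=companyb,dc=example" -f "(sAMAccountName=%s)" -D "cn=squid-svc,ou=Service Accounts,dc=companyb,dc=example" -W /etc/squid/companyb-bind.pw -h ldap.companyb.example
auth_param basic children 10
auth_param basic realm CompanyB proxy
auth_param basic credentialsttl 2 hours

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

cache_peer parent.proxy.example parent 3128 0 no-query no-digest default login=*:shell-b-secret-placeholder
never_direct allow all
cache deny all

# ---- squid-parent.conf: shared parent (ICAP, caching, outbound access)
# Assumed: the two shells are 10.0.0.10 and 10.0.0.11; nothing else may use the parent.
http_port 3128

acl shell_instances src 10.0.0.10 10.0.0.11
http_access allow shell_instances
http_access deny all

# ICAP and cache settings for the whole estate live here, once, rather than in each shell.
```

Because each shell advertises exactly one scheme, a CompanyB browser never sees a `Proxy-Authenticate: Negotiate` challenge and so never gets stuck retrying NTLM, which is the client behaviour the original question describes; the cost is one listener (or one address) per customer and a parent that trusts the shells by source address and the per-shell `login=` secret. The username the parent receives is only as trustworthy as that address filter, so log it as "asserted by shell A/B" rather than as an independently verified identity.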

