
Re: Squid Ldap Authen + AD:how to make authentication persistent?


 



On 17/06/11 16:29, เชต wrote:
> Hi all,
>      I've just configured the Squid proxy server to authenticate users to
> Microsoft Active Directory. Everything seems fine except Squid keeps
> asking for username/password every time users open a new web browser or
> switch to another web browser, as if it checks for some session variable in
> each browser instance.

Exactly so.

HTTP is stateless. The browser is required to authenticate with every request. The reason it is not asking for login several dozen times per web page is that the browser stores it.

You can expect different tabs, windows, browsers, machines, and in fact machines of people on the other branches of your company, not to be aware of the particular login credentials needed when they are first started.

The popup itself has nothing to do with Squid. It is just something the browser does when it cannot find any credentials to send. Its "last chance" method of getting credentials is to ask the user.

You can avoid users seeing it by allowing the browser to access credentials in other ways. For example:
 * the Windows operating system allows IE to access NTLM or Negotiate credentials.
 * other OS store Negotiate credentials in a keytab you can allow the browser to access.
 * some OS allow the proxy Basic auth login details to be set in the environment http_proxy variables.
 * some from stored values in a password manager.



>     Suppose I've already authenticated myself while using Google
> Chrome and open any new tabs on that Chrome instance, there will be no
> problem, but if I open a new Chrome from the desktop shortcut (new
> instance), Squid will ask for the password for this Chrome again. This
> also occurred when I switched to IE.
>     And if I close all browser tabs/windows previously authenticated
> then reopen a new browser, Squid will ask for the password again.
>     Is there a way to make Squid only ask for the password for each user's
> computer/IP etc. once per day or at least for a period of time (such as 8
> hours)? I've tried auth_param basic credentialttl 8 hours but it made no
> difference.


For Basic auth in Squid-2.7 there is
http://www.squid-cache.org/Doc/config/authenticate_ip_shortcircuit_ttl/

It has been dropped from Squid-3 releases. You can instead use an external_acl_type helper to maintain a session and permit access based on IP address, passing username back to Squid for the log.

NOTE:
 * users can log in to other users' accounts by simply sitting at their machine some hours later (even a full reboot does not protect).
 * when DHCP assigns an IP to someone, that person inherits all login privileges of any previous user.
 * users can tweak their machine IP and instantly get that person's login access.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.8 and 3.1.12.2
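
The external_acl_type approach described in the reply above, sketched as an added example (not code from the post or from the Squid project). It assumes two helper definitions sharing one SQLite file: one fed `%SRC %LOGIN` behind proxy authentication to record a session, and one fed `%SRC` alone to look it up. The database path, the 8-hour lifetime and the function names are illustrative.

```python
#!/usr/bin/env python3
"""IP-keyed session helper for a Squid external_acl_type (added example)."""
import sqlite3
import sys
import time

SESSION_TTL = 8 * 3600  # seconds; the 8 hours asked about in the thread


def open_store(path):
    """Open (or create) the session table shared by all helper processes."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions "
               "(ip TEXT PRIMARY KEY, user TEXT, expires REAL)")
    return db


def answer(db, line, now):
    """Return the helper reply for one request line.

    "<ip> <user>"  record a session after a successful proxy login
    "<ip>"         look up a live session for that address
    """
    fields = line.split()
    if len(fields) == 2 and fields[1] != "-":   # "-" means no login supplied
        ip, user = fields
        db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
                   (ip, user, now + SESSION_TTL))
        db.commit()
        return "OK user=" + user
    if len(fields) == 1:
        row = db.execute("SELECT user, expires FROM sessions WHERE ip = ?",
                         (fields[0],)).fetchone()
        # Only the address is checked: whoever holds it now gets this user.
        if row and row[1] > now:
            return "OK user=" + row[0]
    return "ERR"


def main():
    # Hypothetical default path; pass the real one as the first argument.
    db = open_store(sys.argv[1] if len(sys.argv) > 1 else "/var/tmp/ipsession.db")
    for line in sys.stdin:          # Squid writes one request per line
        print(answer(db, line, time.time()), flush=True)


if __name__ == "__main__":
    main()
```

Because the lookup matches on the source address alone, every caveat in the NOTE above applies to it unchanged; a shorter `SESSION_TTL` only narrows the window in which a reassigned or altered IP inherits the recorded username.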

