On 10/08/2012 11:55 p.m., Rickifer Barros wrote:
Hi Eugene,
yes, that's true, but this only works together the program
squid_kerb_auth. So this require my computer inside a domain. I need
that it works with a popup to type username and password.
I tried:
- to use squid_kerb_auth with the parameter "auth_param basic program"
(DOESN'T WORK)
Taking Basic auth scheme and sending its credentials format to Kerbros
scheme helper -> FAIL.
- to use squid_ldap_auth to autenticate and squid_kerb_ldap to search.
It authenticates but doesn't search. (DOESN'T WORK)
Taking a Basic auth format username and looking up Kerberos groups with it.
could work, but Basic auth usernames do not normally have the @DOMAIN
syntax part. You will need to check users are logging in with that and
its not being stripped away anywhere.
- to use "auth_param negotiate program squid_kerb_auth" with
"squid_kerb_ldap" to search, with my computer inside a domain. (IT
WORKS!) But without username/password popup.
Kerberos is designed to operate without a popup. Move the computer
outside the domain and is might work only with popups. Or it might not.
Is there some way to join "Authentication via Popup" + "Recursive Query"?
They are completely separate operations.
external_acl_type (group lookup) does authorization. Taking the username
and checking groups. username can come from any authentication type, or
even be non-authenticated. The only thing that matters is whether the
username presented by Squid to the helper is of a format which matches
somethign in the groups database.
Amos
