I'll explain better:
Squid is running on Debian 5 older server and every Windows (XP/7/10)
client uses it to surf on web.
Clients are configured in outofdate Microsoft domain where Domain
Controllers are based on Windows 2000 server.
So far I permit Internet access to clients by specify IP address of
computers in squid.conf file but now I'd like to manage internet access
by asking to user its AD credentials.
Now I'm not able to update systems so I have to schedule it upgrade for
next year.
Look into Negotiate/Kerberos authentication. You will need that for
the Win7 and Win10 clients anyway
For Windows 7/10 clients, the Basic authentication (Squid 2.7) with
LDAP helper will not able to work ?
While Kerberos will work both with older clients and newer ones?
Il 02.05.2016 13:43 Amos Jeffries ha scritto:
On 2/05/2016 6:39 p.m., Sampei wrote:
I'm going to configure Squid 2.7 Stable3 to authenticate clients
(Windows XP/7/10) in Active Directory environment (Windows 2000
server).
You have my most sincere condolences.
Squid-3.5 is available for Windows. see
. At least
you can update that component.
That is assuming Squid is running on a Windows box at all. There is
no
need for it to do so. You might find it better to run Squid on a
non-Windows machine with Samba integration to the AD server. There
are
socket limitations imposed by Windows that can make Squid peak
service
x10 slower than on any other OS.
I used directive "auth_param basic program /usr/lib/squid/ldap_auth
-v3
..." but I read basic authentication is extremely weak and It
transmits
user passwords as cleartext.
Lets put it this way. Clear text password in Basic authentication is
slightly more secure today than the encrypted NTLM implemented in
that
Windows 2000 server you are using.
(And neither one is a good choice unless the transport itself is
encrypted, ie TLS / HTTPS).
How can I transmit encrypted credentials
Microsoft AD LDAP interface requires Basic authentication with
cleartext
passwords. It is a limit imposed by the Microsoft implementation of
AD.
Nobody I'm aware of has ever been able to adequately explain why, but
use of secure credentials was never implemented for their LDAP
interface.
There are other AD interfaces than LDAP though, and they actually
allow
more secure credentials to be used. Look into Negotiate/Kerberos
authentication. You will need that for the Win7 and Win10 clients
anyway.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx [2]
http://lists.squid-cache.org/listinfo/squid-users [3]
Links:
------
[1] http://wiki.squid-cache.org/KnowledgeBase/Windows#Squid-3.5
[2] mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx
[3] http://lists.squid-cache.org/listinfo/squid-users
Con Tutto Incluso Light navighi fino a 20 Mega senza limiti e chiami a
0 cent/minuto verso tutti i fissi e i mobili in Italia a 19,95 euro/mese
per sempre. In piu' ora l'attivazione e' Gratis! http://casa.tiscali.it/
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
