On 13/09/2016 5:40 a.m., erdosain9 wrote:
> HI.
> I want Single Sign-On...

"Single Sign-On" is the emergent behaviour of multiple pieces of software all sharing a single password manager - either to locate user credentials or to perform the authentication on the software's behalf.

The type(s) of authentication that can be performed is limited only by your chosen password manager's abilities:

* ActiveDirectory only does SSO with NTLM or Negotiate/Kerberos credentials.
* Browser password managers allow any HTTP authentication type (and some others) to be used.
* operating system "wallets" differ by system. Usually restricting to TLS certificate authentication, though some allow Kerberos or Basic credentials to be stored as well.

> I want can take groups to assign acl and control
> bandwidth, etc.

What clients can do with your proxy is unrelated to whether they perform SSO or not.

> I need ldap???

"need" no. Squid provides helpers for LDAP or WinBind group lookup. Worst case you could write your own (or have someone write it for you) for other types of lookup.

> i know i need kerberos to sso...

No you don't. See above.

> but is necessary ldap for
> take groups??? or with kerberos i can "take" groups??
>

What do you mean by "take"?

In English 'take' is a word meaning movement of something from A to B - where the thing's existence in A ceases during the process. (B takes from A).

Looking at what group a user belongs to does not change that group or their user name. So it cannot be "taken".

> by the way,
> I probe this
>
> basic_ldap_auth -R -b "cn=Users,dc=example,dc=lan" -D
> squid-probe@xxxxxxxxxxx -w 123456 -f sAMAccountName=%s -v 3 -s sub -h
> 192.168.1.102
>
> basic_ldap_auth: WARNING, could not bind to binddn 'Strong(er)
> authentication required'
>
> Why this???

There are two logins:
 1) the user login to the proxy. Used to send an HTTP message through the proxy.
 2) the helper login to AD. Used to verify if the login (1) credentials are valid.

Your AD requires a different (stronger / more secure) login of type (2) be used by the helper. Check the AD settings you have for user "squid-probe@xxxxxxxxxxx" with password "123456". That is the account this Squid helper is using to access AD.

FWIW, the helper can use TLS connections to AD when the -Z option is configured. Your AD may be wanting that.

> but anyway, i need ldap for take groups???
>

Many types of group lookup exist;

For Squid running on Windows natively:
 <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_ad_group_acl>

For Squid receiving Kerberos or NTLM credentials and checking via LDAP:
 <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html>

For Squid receiving Basic credentials and checking via LDAP:
 <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_ldap_group_acl.html>

For Squid receiving LanManager credentials to check against a Windows NT/2000 domain controller:
 <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_lm_group_acl.html>

For Squid receiving credentials to check against Unix group membership:
 <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_unix_group_acl.html>

For Squid receiving NTLM credentials to check against Samba, AD, or eDirectory via WinBind service:
 <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_wbinfo_group_acl.html>

> my version of squid is 3.5.20 (on Centos 7)
> AD (samba 4.3.9 on Ubuntu)

Then you want one of ext_ldap_group_acl, ext_kerberos_ldap_group_acl, or ext_wbinfo_group_acl. The first of those is most generic, so usually the one to use. But your specific situation may or may not require one of the others.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
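An added example, not part of Amos's reply and not taken from the Squid project's documentation: a squid.conf fragment that puts together the two pieces discussed in the thread - Basic authentication against AD with basic_ldap_auth, and group lookup with ext_ldap_group_acl (the generic helper Amos recommends) - and then uses the group ACLs for both access control and a bandwidth limit via delay pools. Both helpers are given -Z so the bind to AD happens over TLS, which is the assumed reason for the 'Strong(er) authentication required' bind failure (an assumption, not something the thread confirms). The helper directory /usr/lib64/squid, the bind DN, the password file path, the group names "Staff" and "Limited", and the 64 KB/s rate are all assumptions for illustration; the base DN and AD address are the ones from the original post.

```conf
# squid.conf fragment (added example; paths, DNs and group names are assumed)

# (2) helper login to AD: bind over TLS (-Z) rather than plaintext.
# -W reads the bind password from a root-only file instead of putting it
# on the command line where 'ps' would show it.
auth_param basic program /usr/lib64/squid/basic_ldap_auth \
    -R -Z -v 3 -s sub \
    -b "cn=Users,dc=example,dc=lan" \
    -D "cn=squid-probe,cn=Users,dc=example,dc=lan" \
    -W /etc/squid/ldap_bind_pw \
    -f "sAMAccountName=%s" \
    -h 192.168.1.102
auth_param basic children 10
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

# Group lookup with the same bind account, also over TLS.
# In the -f filter, %v is replaced by the login name and %g by the
# group name given on the 'acl ... external' line.
external_acl_type ldap_group ttl=3600 negative_ttl=60 %LOGIN \
    /usr/lib64/squid/ext_ldap_group_acl \
    -R -Z -v 3 -s sub \
    -b "dc=example,dc=lan" \
    -D "cn=squid-probe,cn=Users,dc=example,dc=lan" \
    -W /etc/squid/ldap_bind_pw \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,cn=Users,dc=example,dc=lan))" \
    -h 192.168.1.102

# (1) user login to the proxy.
acl authenticated proxy_auth REQUIRED
acl staff   external ldap_group Staff
acl limited external ldap_group Limited

# Force a login first, then decide by group membership.
http_access deny !authenticated
http_access allow staff
http_access allow limited
http_access deny all

# Bandwidth by group: class 2 pool, aggregate unlimited, 64 KB/s per
# client host for members of "Limited". The group ACL has already been
# evaluated in http_access above, so its cached result is available here.
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 64000/64000
delay_access 1 allow limited
delay_access 1 deny all
```

Before wiring the helpers into squid.conf, run each one by hand as Amos did for basic_ldap_auth: the auth helper reads "user password" lines on stdin and answers OK or ERR, and ext_ldap_group_acl reads "user group" lines and answers the same way, so a bind problem shows up there (with the -Z change) before any client is involved.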