Search squid archive

Re: Squid authentication objects by source ip

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/04/2023 11:14 pm, hans.peter.wurst2000 wrote:
Hello,

i have currently a problem to setup squid authentication with kerberos. The problem is not the authentication itself. It works fine, but only for one AD-Domain. I have 6 AD Domains that have to authenticate trough this squid-proxy. In the documentation "https://wiki.squid-cache.org/Features/Authentication"; i have seen that my problem could be solved by using full plain authentication with ldap. And that is the current way i will solve this. But for future squid releases would it be possible to change the Proxy authentication function to filter authentication methods by source ip.


I am afraid you have misunderstood how HTTP authentication works in Squid.

Squid is just middleware between the client and the authenticator system. All it does is tell the client which **types** (aka "scheme") of authentication are acceptable, and passes the clients credentials to a helper that can handle how that scheme encodes and validates credentials.

Deciding which auth database to check credentials against is the role of external helpers....


Example:

|auth_param 1 negotiate program /usr/sbin/squid_kerb_auth -k /etc/squid/HTTP_Domain1.keytab auth_param 1 negotiate children 10 auth_param 1 negotiate keep_alive on| |auth_param 2 negotiate program /usr/sbin/squid_kerb_auth -k /etc/squid/HTTP_Domain2.keytab auth_param 2 negotiate children 10 auth_param 2 negotiate keep_alive on|

To use completely separate keytabs you should write a wrapper script that takes the credentials + IP from Squid and selects which squid_kerb_auth (or better negotiate_kerberos_auth) helper to pass them to.

squid.conf looks like this:

|auth_param negotiate program /path/to/script auth_param negotiate key_extras %>a||auth_param negotiate children 10|


What the script receives is documented here:
<https://wiki.squid-cache.org/Features/NegotiateAuthentication#input-line-received-from-squid>

It needs to decide which kerberos helper to pass the request to, then relay the actual helpers response back to Squid.


Filter by LDAP Groups should also be possible like before.


Check how your LDAP helper is configured. Likely it also needs to also distinguish which keytab to use to fine details about the user such as group(s).


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux