LDAP Passthrough Authentication


LDAP Passthrough Authentication

Justin Doles
I'm curious if there is any way of doing passthrough authentication via Squid?  I'm using 2.6.STABLE13-20070524 right now.
 
What I'm asking is that instead of the prompt that pops up for a user to enter their user name & password I would like to pass the credentials from OS.
 
My initial thought is that there's likely not a solution at hand to do this.  I know with Microsoft's ISA server you can pass credentials, but that's due to the fact that it uses IIS in the background.  I was also able to do this with Novell's Bordermanager product, but it required the client to run a special app (called ClientTrust) in order to pass the credentials.
 
So while I'm at it, I was thinking that maybe an alternative would be to redirect the users to a web page where they can enter their credentials and then forward the credentials to Squid somehow.  I've written web based LDAP apps before so I know how to do that portion, but I'm not sure how I could pass this on to Squid.  But the gears are turning in my head as I type.... ;)
 
Sorry for the long email....  Maybe some of the gurus on this list can shed some light on this for me.

Thanks,

Justin Doles
**********************************************************************************************
IMPORTANT: The contents of this email and any attachments are confidential. They are intended for the
named recipient(s) only.
If you have received this email in error, please notify the system manager or the sender immediately and do
not disclose the contents to anyone or make copies thereof.
*** eSafe scanned this email for viruses, vandals, and malicious content. ***
**********************************************************************************************


Re: LDAP Passthrough Authentication

Henrik Nordström
On Wed 2007-06-06 at 11:36 -0400, Justin Doles wrote:
 
> What I'm asking is that instead of the prompt that pops up for a user
> to enter their user name & password I would like to pass the
> credentials from OS.

For that you need to use the NTLM or Negotiate authentication schemes.
 
> My initial thought is that there's likely not a solution at hand to do
> this.  I know with Microsoft's ISA server you can pass credentials,
> but that's due to the fact that it uses IIS in the background.

Squid has this same capability.

Best way to configure it is by using Samba to talk to the Windows domain
controllers.

http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication#head-1d6e24e071a1a5e65f112d9a96cdf1320684a8f2


Regards
Henrik


Re: LDAP Passthrough Authentication

Justin Doles
>>> Henrik Nordstrom <[hidden email]> 06/06/2007 6:00 PM >>>
On Wed 2007-06-06 at 11:36 -0400, Justin Doles wrote:

> What I'm asking is that instead of the prompt that pops up for a user
> to enter their user name & password I would like to pass the
> credentials from OS.

> For that you need to use the NTLM or Negotiate authentication schemes.

> My initial thought is that there's likely not a solution at hand to do
> this.  I know with Microsoft's ISA server you can pass credentials,
> but that's due to the fact that it uses IIS in the background.

> Squid has this same capability.

> Best way to configure it is by using Samba to talk to the Windows domain
> controllers.

> http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication#head-1d6e24e071a1a5e65f112d9a96cdf1320684a8f2 
 
Thanks for the pointers.  I should have explained a bit more about what I'm attempting though.  All of our users are stored in Novell's eDirectory.  I can use LDAP to authenticate to that db.  I've gotten that to work with Squid.  I'm just trying to find a way to avoid the popup prompt for authentication.  As far as I know, there isn't a way to do that with Squid.  Correct?  I could be wrong on that since I'm still new to this.
 
So if I can't pass the credentials like I can with NTLM, my other thought was to have them redirected to a login web page and then pass those credentials onto Squid.  This way would be nice in that I could post the policies on that page as a reminder to the users.  This sounds doable to me.  But as I said above, I'm still new to Squid.
 
Again thanks for the tips.  This is by far one of the most active and helpful mailing lists I subscribe to.  :)
 
Thanks,
 
Justin Doles


Re: LDAP Passthrough Authentication

Henrik Nordström
On Thu 2007-06-07 at 08:46 -0400, Justin Doles wrote:

> Thanks for the pointers.  I should have explained a bit more about
> what I'm attempting though.  All of our users are stored in Novell's
> eDirectory.  I can use LDAP to authenticate to that db.  I've gotten
> that to work with Squid.  I'm just trying to find a way to avoid the
> popup prompt for authentication.  As far as I know, there isn't a way
> to do that with Squid.  Correct?  I could be wrong on that since I'm
> still new to this.

There's no way to do that with the commonly available browsers.

But if your client stations have ident servers, or you can install
something similar which can provide the identity of the currently logged
in user then it's fully possible to make Squid use this information.

> So if I can't pass the credentials like I can with NTLM, my other
> thought was to have them redirected to a login web page and then pass
> those credentials onto Squid.  This way would be nice in that I could
> post the policies on that page as a reminder to the users.  This
> sounds doable to me.  But as I said above, I'm still new to Squid.

Doable. The information would in such case plug in to Squid via the
external acl interface, and requires a shared database of some kind to
store the session.

Regards
Henrik
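
The session lookup described in the reply above, sketched as an added example (not code from the thread or from the Squid project): Squid's external ACL interface hands the helper the client address, and the helper answers from a table that the login page writes to after a successful LDAP bind. The SQLite store, table layout, helper path, login URL and idle timeout are assumptions; because the session is keyed on the source address, clients behind one NAT or on a shared terminal server share one identity.

```python
# Constructed sketch of a session-lookup helper for Squid's external ACL interface.
# Assumed squid.conf wiring (helper path, ACL name and login URL are hypothetical):
#   external_acl_type websession ttl=60 negative_ttl=5 %SRC /usr/local/bin/session_helper.py
#   acl logged_in external websession
#   http_access deny !logged_in
#   deny_info https://login.example.invalid/ logged_in
import re
import sqlite3
import sys
import time

IDLE_TIMEOUT = 900  # assumed policy: drop a session after 15 idle minutes
SAFE_USER = re.compile(r"[A-Za-z0-9._@-]+")  # keeps the reply to one key=value pair

def open_db(path):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions ("
               "ip TEXT PRIMARY KEY, username TEXT NOT NULL, last_seen REAL NOT NULL)")
    return db

def record_login(db, ip, username, now=None):
    """Called by the login page after a successful LDAP bind."""
    now = time.time() if now is None else now
    db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)", (ip, username, now))
    db.commit()

def check(db, line, now=None):
    """Answer one request line from Squid (the %SRC address) with OK or ERR."""
    now = time.time() if now is None else now
    fields = line.split()
    if len(fields) != 1:
        return "ERR"
    ip = fields[0]
    row = db.execute("SELECT username, last_seen FROM sessions WHERE ip = ?",
                     (ip,)).fetchone()
    if row is None or now - row[1] > IDLE_TIMEOUT or not SAFE_USER.fullmatch(row[0]):
        db.execute("DELETE FROM sessions WHERE ip = ?", (ip,))  # expired or unusable
        db.commit()
        return "ERR"
    db.execute("UPDATE sessions SET last_seen = ? WHERE ip = ?", (now, ip))
    db.commit()
    return "OK user=" + row[0]

if __name__ == "__main__":
    db = open_db("/var/lib/squid/sessions.db")  # hypothetical shared database path
    for line in sys.stdin:
        sys.stdout.write(check(db, line) + "\n")
        sys.stdout.flush()  # Squid blocks on each answer, so never buffer replies
```

The `ttl` on the `external_acl_type` line bounds how long Squid keeps trusting a cached OK after the session row is gone, so it should stay short relative to the idle timeout.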
