Re: [squid-users] Squid_ldap_group

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 04 Apr 2003 16:16:03 +0200

On Fri 2003-04-04 at 15:20, Craig Home wrote:
> Henrik,
>
> Thanks for the response - not sure if I can use NTLM in Active directory
> native mode hence why I was looking down the LDAP route.

It depends on some other flag... I don't remember offhand what. Guido
wrote a good explanation a month or two ago on squid-users.

> Out of interest, just for myself - say I wasn't running Active directory and
> had a different LDAP server - would I still need to authenticate when
> accessing any internet resources or is it possible to get fully integrated
> ldap access with something like Mozilla on Linux?

You would need to manually authenticate.

The issue is a trust issue. Your desktop (including browser) does not
automatically trust the proxy with your personal login and password.

Maybe some day in the future, when Kerberos or another distributed trust
login system becomes commonly used, there will be a standard for how to
forward user credentials in a secure manner. Until then we have to live
with multiple logins, I am afraid. As of today only the Microsoft
Integrated Login schemes (NTLM and NEGOTIATE) provide such
functionality, neither of which is documented by Microsoft much beyond "a
binary blob of unspecified data is exchanged between the Microsoft
client and the Microsoft Server", and both of which fit extremely badly
in the context of HTTP, to the point that they even violate fundamental
aspects of the HTTP specification and break down with standards-compliant
proxies.

Regards
Henrik

-- 
Free Squid-users support provided by Henrik Nordström <hno@squid-cache.org>
PayPal donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org&cn=Comment
If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Fri Apr 04 2003 - 07:16:14 MST
