Hi Joseph,
Here is a short overview what squid_kerb_ldap does.
1) A user authenticates with either NTLM (username will be NT-DOM\user)
or Kerberos (username will be user_at_KERB-DOM)
2) squid_kerb_ldap uses the -N flag to map NT-DOM to KERB-DOM for NTLM
authenticated users
3) Uses DNS SRV records to find AD server for KERB-DOM
4) Uses the Kerberos Keytab to authenticate an ldap connection to AD
using SASL/GSSAPI.
5) Searches AD if the user is member of the group given by -s ( The newer
squid_kerb_ldap version has also an -m option to allow recursive search
(e.g. check if a group is a member of another group ....)
Does this help ?
Regards
Markus
"Joseph L. Casale" <jcasale_at_activenetwerx.com> wrote in message
news:CA5A491E9DEFBE4CB777DE97E21575E906BACE89_at_prato.activenetwerx.local...
We have a mixed 2k -> 2k8r2 environment. Currently I am using ntlm_auth and
Samba
for the 2k machines, and squid_kerb_auth/squid_ldap_auth for the newer
machines to
manage access based on AD group membership.
Do I understand correctly that if I use squid_kerb_ldap with the -N I can
provide
group authentication for Kerb and NTLM based clients without an ldap bind
account
for our AD ldap server that does not accept anonymous binds?
Thanks,
jlc
Received on Thu Aug 05 2010 - 19:25:28 MDT
This archive was generated by hypermail 2.2.0 : Fri Aug 06 2010 - 12:00:01 MDT