Re: [squid-users] Squid 3.1.x and authentication against AD Windows 2008R2

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 19 Dec 2011 23:16:29 +1300

On 19/12/2011 9:00 p.m., Josef Karliak wrote:
> Hi there,
> We may plan to activate authorization for users to the internet
> against Windows AD, running on Windows Server 2008R2. I'm running
> squid on openSUSE 11.4 64-bit. I've found some how-tos; many of them
> solve it with ntlm-auth (not in openSUSE, but there is a similarly named
> "ntlm_smb_lm_auth" for squid, I suppose

Nope. ntlm_smb_lm_auth does the ancient LM-over-SMB protocol (using the
HTTP "NTLM" auth scheme) for Windows 98/CE/ME and similar older
software, and is considered dangerous to use in today's network environment.
NTLM is best done using the ntlm_auth helper from the Samba project. An
even better alternative, if you can use it, is Kerberos authentication,
which is supported by Windows XP SP2 and later software.

> ). Another choice is over LDAP.
> What is better? What are your experiences or recommendations? And
> - please - some step-by-step how-to ...

LDAP is just the interface to the credentials database. It can be used
with most of the auth schemes in HTTP.

The recommendation in this area is to go with whichever AD interface you
are most familiar with and can implement securely. Pick the auth
scheme(s) to suit your needs, then find which helper(s) plug the two
together.

http://wiki.squid-cache.org/Features/Authentication has the overview of
how auth works for Squid and links to more info and the config examples.

Amos
Received on Mon Dec 19 2011 - 10:16:37 MST

This archive was generated by hypermail 2.2.0 : Mon Dec 19 2011 - 12:00:03 MST
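As an added illustration (not part of Amos's reply or of the Squid project's documentation), the following squid.conf fragment wires up the schemes Amos recommends in preference order: Kerberos via the Negotiate scheme first, NTLM through Samba's ntlm_auth as a fallback, and Basic (also validated against AD through ntlm_auth) for clients that speak neither. The helper paths, the proxy hostname proxy.example.com, the realm EXAMPLE.COM, the children counts and the keytab handling are assumptions to adjust for your installation; on Squid 3.1 the bundled Kerberos helper is named squid_kerb_auth (it became negotiate_kerberos_auth in 3.2).

```conf
# Added example squid.conf fragment: Kerberos (Negotiate) first, NTLM via
# Samba's ntlm_auth as fallback, Basic last. Helper paths, hostname, realm
# and children counts are assumptions; adjust them to your installation.

# Squid offers the schemes to the client in the order they appear here,
# so list the strongest one first.

# 1. Kerberos. The helper needs a keytab holding the service principal
#    HTTP/proxy.example.com@EXAMPLE.COM (created on the DC, e.g. with
#    ktpass or msktutil). Point KRB5_KTNAME at that keytab in the
#    environment Squid is started from so the helper can read it.
auth_param negotiate program /usr/sbin/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20
auth_param negotiate keep_alive on

# 2. NTLM fallback through Samba's winbind. The proxy host must already be
#    joined to the domain ("net ads join") and winbindd must be running.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive on

# 3. Basic for clients that support neither. The password travels to the
#    proxy base64-encoded in the clear, so only offer this on a trusted
#    network segment.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Do NOT use the legacy helper whose name looks similar:
#   auth_param ntlm program /usr/sbin/ntlm_smb_lm_auth ...
# It speaks LM over SMB, which Amos flags as unsafe on a modern network.

# Require a successful login for everything. The "deny !authenticated"
# line is what makes Squid send the 407 challenge with the schemes above.
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow authenticated
http_access deny all
```

Before reloading Squid, each helper can be exercised by hand: run it from a shell, feed it the input its helper protocol expects on stdin, and confirm it answers OK for a valid account and ERR for a wrong password; a helper that fails here will fail identically under Squid, and its stderr output is far easier to read on a terminal than in cache.log.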