Re: [squid-users] Squid + Samba4

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 19 Jul 2013 23:18:09 +1200

On 19/07/2013 4:27 p.m., Ricardo Klein wrote:
> No... I haven't played with Samba4 yet... But, I was thinking of a
> solution that I can use WITH NTLM (so users don't need to type
> passwords)

It is a marketing myth that NTLM is required to prevent users needing
to type passwords.

Users need to type passwords in whenever the auth system used by the
Browser cannot locate an existing password typed earlier.
- It is a feature of *Windows* which enables the Browser to access the
user's current login details and send those to the remote server.
It can as easily send those credentials as Basic auth or any other
mechanism as via NTLM.
- Modern browsers contain password managers which store website and
proxy passwords indefinitely. If used properly the end users only need
to type a master password once when they start the browser and it
supplies the credentials automatically for anywhere they visit.
- Some browsers require a confirmation OK click from the user before
sending found credentials to remote sites - but that should be happening
with NTLM ones as well.

Single-sign-on is a browser feature.

> and prepared for networks that do not have an Active
> Directory (So, I can sell both and earn more $$$ hehe).

Without an AD to verify NTLM tokens, why do they need to use NTLM?
You should be tailoring the authentication scheme to what the network
infrastructure can verify (writing a Squid helper if necessary). Or
rolling a good new authentication system into the network if there was none.

> But I think that the LDAP replica should be an easier path than implementing
> Samba4 (as I have never played with it).

LDAP is an access protocol, like HTTP. It usually takes Basic auth
credentials and delivers them to the auth backend system, AFAIK.

Amos
Received on Fri Jul 19 2013 - 11:18:25 MDT
