On Friday 16 September 2005 06:32, nairb rotsak wrote:
** SNIPPED **
> But I think I read that Squid will use the
> authentication from the browser's header, and not from
> who is authenticated to the box or ip.
>
> Anybody got any good examples of using Squid to
> authenticate to AD (Samba has to be somewhere on the
> network.. right.. can't just be all windows) and
> REALLY do per user coming from a Citrix farm?
We're using Squid on FreeBSD (2.5_STABLE10) with AD authentication for our
Windows Terminal Server users and it does do per-user authentication. If
you're paranoid (like me) we disabled NTLM authentication on the Squid box
and stuck with "BASIC" for two reasons:
1. Users are presented with a "login" box each time they launch a browser.
The login box has a customised "Realm" message that basically says "Be good
boys and girls, play nice and we wont cancel your web access" ;)
2. The user ID that people log into the Terminal Server is different to their
real user account. We have "shared logins" for the terminal server so that
all call center staff, etc get the same desktop etc but we want them to use
their personal login to access the web - so transparent NTLM was a no-go
for us.
All up, we're very pleased with the result and by adding
banner/pop-up/flash-ad filtering and few other access controls to the proxy
(Squid) we've managed a quite secure and fast environment for our terminal
server users. :)
And yes, Squid on Linux/*BSD/*nix uses Samba to provide the AD authentication
layer via winbind. So you'll need to set that up first, then the Squid
install is a piece of cake. The whole process is detailed in the FAQ and on
literally hundreds of websites. If you use SquidNT, it has it's own
AD/Windows-auth "wrapper" that plugs straight in with no fancy config
required beyond an ACL rule or two.
HTH,
James
Received on Thu Sep 15 2005 - 17:20:57 MDT
This archive was generated by hypermail pre-2.1.9 : Sat Oct 01 2005 - 12:00:03 MDT