ons 2006-09-13 klockan 13:29 -0400 skrev Terry Dobbs:
> Currently I am using NTLM Authentication (with winbindd) to authenticate
> users accessing the internet. This works pretty good after the initial
> setup, however there are nuances like once the DC is restarted or loses
> connectivity you need to restart the squid server (or winbindd) to get up
> and running again.
File a Samba bug report about that. It's not how it is supposed to be..
But first it may be a good idea to ensure you are running the current
Samba release in case it's an old problem they have already fixed.
Current Samba release is 3.0.23c.
> My question is whether LDAP is a better option?
Depends on your requirements. I think the better option for you would be
to get winbind fixed.
> Will using LDAP require a user to login to access the internet?
Yes. LDAP is only possible with Basic authentication.
> The thing I like about NTLM is it
> using the currently logged on credentials so the users doesn't need to
> login.
Yes.
> I assume that by using LDAP I wont need to reboot the squid server if
> the connection to the DC is temporarily lost?
Most likely not. But you shouldn't need this with Samba winbind either.
But it's worth noting that basic authentication (using any method) has
much less dependency on the AD as Squid can then cache the validity of
the account and does not need to ask the AD on every request (or TCP
connection).
> It would also be nice to
> restrict users based on their AD group which I will be able to do with LDAP.
Thats equally possible when using NTLM for authentication. Using either
the winbind group helper or the LDAP group helper. Group membership
lookup is separate from authentication.
Regards
Henrik
This archive was generated by hypermail pre-2.1.9 : Sun Oct 01 2006 - 12:00:03 MDT