Re: [squid-users] Squid auto-ldap (AD) authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 04 Dec 2009 22:16:15 +1300

Michael Mansour wrote:
> Hi,
>
> I've gone through the instructions here:
>
> http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory
>
>
> which allowed me to setup Windows AD authentication from a Squid
> proxy running on Linux.
>
> Works fine, but what I want to do is not have to have people be
> prompted for a username and password from within their browser (and
> then have Squid authenticate that against AD).
>
> That is, can Squid figure out the username and password from the
> machine setup to access the proxy, and auto-authenticate that
> username and password with AD, and if successful allow them use of
> the proxy?

Lets get this clear:

   You want Squid to hack its way into the connecting users private
machine, unlock their security settings, pull out whatever ones apply to
the proxy, and do it without alerting the user about what's happening?

Note; people will only be made aware of the login request if the browser
does not know what credentials to send to a challenging proxy.

This happens when:
  a) the browser has no knowledge of the login to be sent the challenger
  b) a previous set of credentials the browser had on record and sent
have failed.
  c) the browser has a secure credentials storage, which has not been
unlocked by the user. causing (a) as a side-effect.

>
> Note that the way this is setup currently:
>
> * users don't have internet access unless they go through Squid
>
> * Windows AD holds accounts and groups
>
> * groups exist for "full internet access", "limited internet access",
> "blocked sites"
>
> * Squid uses the LDAP helper to query the username and group to
> determine what access the user has to the internet
>
> * Squid prompts for a username and password
>
> * ACL's determine what regex files to query for allowed sites,
> blocked sites etc
>
> What I need to do is try and avoid the Squid login/password window
> and just allow the Windows login people use to login to Windows (and
> their AD accounts) for Squid to auto-authenticate.
>
> Can this be done? if so, any URL's or how-to's anyone knows about?
>

What you want is not possible with regular authentication.

There are two security concepts here that you need to be clear on:

   authorization - the information that source X is allowed/denied to
connect to destination Y

  authentication - the information that source X really is source X.

The Squid ACL and access controls perform the _authorization_ part of
the setup.

The authentication "challenge-response" as it is called is fundamental
to how secure authentication works. Authentication credentials are just
one set of details Squid uses to make decisions.

  When the browser is explicitly configured (manually or via WPAD/PAC)
with proxy settings most of them have the capability of responding with
either pre-configured login or secure encrypted token which the proxy
can check against some third-party backend. This hides the fact of
challenge from the user initially but if that fails a re-challenge
causes things like the visible popups.

What you are asking is to find out who the user is in a situation where
the browser has sent no such username/password or token. And you do not
want Squid to challenge for them. This places major restraints on what
can be done.

The only thing left is something called side-band _authorization_. Where
details from the request (IP is the most commonly abused) are sent to
some third-party source in hopes that it will be able to identify the
user. It's done by external_acl_type if the regular ACL are not enough.

But consider carefully before you replace security;
  what is going to happen if the side-band fails?
  how certain are you that the details chosen for detection are reliable?
  what happens when two people send the same details? at once? one after
the other?
  is it worth the risk?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.15
Received on Fri Dec 04 2009 - 09:16:37 MST

This archive was generated by hypermail 2.2.0 : Fri Dec 04 2009 - 12:00:01 MST