Re: [squid-users] Re: Native Kerberos (squid_kerb_auth) with LDAP-Fallback (squid_ldap_auth)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 18 Sep 2010 01:28:55 +1200

On 18/09/10 00:14, guest01 wrote:
> Hi,
>
> I am stuck with a similar problem, has there been any solution for
> this topic? (Btw, I am running Squid 3.1.8 on RHEL5.5)
>
> We are trying to achieve following:
> CompanyA (us): own Active Directory domain and we are hosting the
> squid web server (central forward proxy for internet access with ICAP
> capabilities)
> CompanyB: completely independent Active Directory Domain
> (CompanyC: might use our squid soon)
> (CompanyD: might use our squid soon)
>
> We have one shared squid server which should authenticate CompanyA
> with NTLM (or kerberos) and CompanyB with LDAP (they insist on LDAP, I
> don't know why, but I suppose without a domain trust I could
> authenticate only one company with NTLM or kerberos and would have
> troubles, right?)
> NTLM is the preferred authentication method and if a Client of CompanyA
> wants to look up something in the Internet, he will be authenticated
> with NTLM.
> If CompanyB wants to look up something, the Browser submits NTLM data
> (valid for their domain, not ours) which are not valid for our domain
> and in theory, the browser should try Basic-Authentication (e.g. LDAP)
> next, but that does not happen. It still tries NTLM (Firefox as well
> as IE8 on Windows 7). For further info, look at [1],[2].
>
> Unfortunately, I don't have much options:
> - disable NTLM authentication in IE8 for CompanyB and then IE only
> tries LDAP which works
> - authenticate CompanyA by IP and disable NTLM authentication (= our
> current setup)
>
> Of course it would be possible to authenticate everybody by LDAP (we
> are using a OpenLDAP metadirectory which talks to the ADs), but it is
> only a Basic auth and a very bad idea
>
> Does anybody have any additional ideas? How do you guys handle authentication
> for multiple independent customers?
>
> In my opinion, this is a client problem, unfortunately IE and even FF
> are too dumb. From a functional point of view, it should be
> standard to try the weaker (LDAP) authentication if the stronger
> (NTLM) does not work (from a security point of view, I am glad
> that this does not seem to work ;-)). Is there any option for the
> squid to track authentication and only offer basic authentication if
> NTLM failed [3]? Or anything similar?
>
> I would appreciate any response!
> best regards
> Peter

Squid does not currently offer any way to selectively pick the auth
methods to advertise. There are a few possible designs and someone was
working on it a while back.

Stripping away auth methods which have failed is not possible, due to
problems such as: how do you deal with a user who typo'd their password,
or who recently changed their password but whose browser still sends the
old one first?

The workaround that comes to mind is to run a "shell" squid instance for
each client, or at least for each primary auth type, which only does auth
and then funnels requests through to some parent proxy for handling.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.8
   Beta testers wanted for 3.2.0.2
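The following squid.conf fragments sketch the "shell instance per auth type" layout described in the reply above. They are an added illustration, not configuration from the original thread or from the Squid project, and they assume names that the thread does not give: company networks 10.10.0.0/16 (CompanyA) and 10.20.0.0/16 (CompanyB), an LDAP server ldap.companyb.example, a Kerberos realm COMPANYA.EXAMPLE, helper paths as installed on a 64-bit RHEL5 box, and the central ICAP-capable proxy listening on port 3128 of the same host. Each shell instance advertises exactly one auth scheme, so a CompanyB browser never sees a Negotiate/NTLM challenge it cannot answer, and the parent decides nothing about authentication itself.

```conf
# ---- /etc/squid/companyb.conf : Basic auth against LDAP only ----
# Start with: squid -f /etc/squid/companyb.conf
http_port 3129
pid_filename /var/run/squid-companyb.pid
access_log /var/log/squid/companyb-access.log squid
cache_log /var/log/squid/companyb-cache.log

# Only the Basic scheme is configured here, so this is the only
# Proxy-Authenticate header clients on this port ever receive.
# (LDAP base, filter and host are assumed names for the example.)
auth_param basic program /usr/lib64/squid/squid_ldap_auth -b "dc=companyb,dc=example" -f "(uid=%s)" -h ldap.companyb.example
auth_param basic children 10
auth_param basic realm CompanyB Internet Access
auth_param basic credentialsttl 2 hours

acl companyb_net src 10.20.0.0/16
acl companyb_users proxy_auth REQUIRED
http_access allow companyb_net companyb_users
http_access deny all

# No caching or direct fetching here: everything goes to the central
# proxy, which applies ICAP and the real access policy. The login=
# option passes the authenticated user name upstream with a fixed
# placeholder password so the parent can log the user.
cache_peer 127.0.0.1 parent 3128 0 no-query no-digest default login=*:shellpass
never_direct allow all
cache deny all

# ---- /etc/squid/companya.conf : Negotiate/Kerberos only ----
# Start with: KRB5_KTNAME=/etc/squid/HTTP.keytab squid -f /etc/squid/companya.conf
http_port 3130
pid_filename /var/run/squid-companya.pid
access_log /var/log/squid/companya-access.log squid
cache_log /var/log/squid/companya-cache.log

# Service principal name is an assumed value for the example.
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s HTTP/proxy.companya.example@COMPANYA.EXAMPLE
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl companya_net src 10.10.0.0/16
acl companya_users proxy_auth REQUIRED
http_access allow companya_net companya_users
http_access deny all

cache_peer 127.0.0.1 parent 3128 0 no-query no-digest default login=*:shellpass
never_direct allow all
cache deny all

# ---- /etc/squid/squid.conf (central parent on 3128) ----
# The parent trusts only the local shell instances and never
# challenges a browser itself; users were already authenticated
# in front of it, so no auth_param lines are needed here.
http_port 127.0.0.1:3128
acl shell_instances src 127.0.0.1
http_access allow shell_instances
http_access deny all
# icap_enable on / icap_service ... go here as in the existing setup.
```

Each instance needs its own pid_filename and log files so the three processes can coexist on one host; the shell instances use "cache deny all" so no separate cache_dir is required for them. Clients of each company are pointed (by PAC file or DNS name) at their own front port, which is what makes the per-scheme separation work: the browser only ever learns about the one scheme that its domain can satisfy.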
Received on Fri Sep 17 2010 - 13:29:01 MDT

This archive was generated by hypermail 2.2.0 : Sat Sep 18 2010 - 12:00:04 MDT