Re: [squid-users] Authentication/Authorization Challenge

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 07 Jul 2011 00:39:16 +1200

On 06/07/11 23:19, Robert Velter wrote:
> Hi all,
>
> I have a (nice?) squid authentication/authorization challenge.
>
> I already have a working authentication configuration using negotiate
> with squid_kerb_auth and ntlm using ntlm_auth. Authorization is done
> using an external_acl_type with squid_ldap_group.
>
> Now I want users to be able to authenticate/authorize using basic auth when
> the squid_ldap_group check fails, resulting in the following logic:
>
> grant access if ((logged in windowsuser is in group internet) or
> (given credentials authenticate for group internet))
>
> As far as I understand I can't solve this with auth_param modifications
> because the external_acl ldap_group already gets a validated username
> from kerberos/ntlm (all clients are microsoft windows). I think I need
> an additional external_acl helper with integrated basic auth. Right?
>
> Is there any external_acl helper out there with the needed
> functionality?
>
> Regards, Robert
>

That will probably die horribly. NTLM & Negotiate both hijack HTTP to
try and authenticate at the TCP level. Once credentials are accepted a
change in auth requires the TCP link itself to be terminated.

You can cause a re-auth challenge, but Squid will still offer the same
set of Negotiate,NTLM,Basic as available. The sane browsers should move
on to the next available choice they have not tried (most agents are not
that sane though).

Details of how to re-auth are in the FAQ:

http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.9
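Editor's note: the part of Robert's setup that does work as described is the group check done by an external_acl_type helper. The following is an added example, not code from this thread, from Squid or from squid_ldap_group: a minimal helper that speaks the Squid 2.7/3.1 external ACL protocol (one URL-escaped "login group" line in, "OK" or "ERR" out) and answers from a constructed in-memory group table instead of LDAP, so it runs offline. The helper name, the group table and the squid.conf wiring in the docstring are assumptions. It also shows why a single group table can serve both of the poster's mechanisms: Negotiate delivers "user@REALM" and NTLM delivers "DOMAIN\user", which is what squid_ldap_group's -K and -S options normalize away.

```python
"""Minimal Squid external_acl_type helper for group authorization.

Added example (not code from the thread or from Squid). Assumed, hypothetical
wiring in squid.conf:

    external_acl_type local_group %LOGIN /usr/local/bin/local_group.py
    acl internet external local_group internet
    http_access allow internet

Squid 2.7/3.1 sends one URL-escaped line per lookup, "<login> <group>",
and expects a single "OK" or "ERR" line back.
"""
import sys
from urllib.parse import unquote

# Constructed sample directory; a real deployment would query LDAP/AD here.
GROUPS = {
    "internet": {"alice", "bob"},
    "admins": {"alice"},
}


def normalize_login(login: str) -> str:
    """Reduce the login to a bare account name.

    Negotiate/Kerberos hands Squid "user@REALM", NTLM hands it
    "DOMAIN\\user"; one group table should serve both (the same job
    squid_ldap_group does with -K and -S). Comparison is case-insensitive,
    as Windows account names are.
    """
    if "\\" in login:
        login = login.split("\\", 1)[1]
    if "@" in login:
        login = login.split("@", 1)[0]
    return login.lower()


def is_member(login: str, group: str) -> bool:
    """True if the normalized login is listed in the named group."""
    return normalize_login(login) in GROUPS.get(group.lower(), set())


def check_line(line: str) -> str:
    """Evaluate one request line from Squid and return the reply text."""
    fields = [unquote(f) for f in line.strip().split()]
    # Fail closed on malformed input; Squid sends "-" for a missing field.
    if len(fields) != 2 or fields[0] in ("", "-"):
        return "ERR"
    login, group = fields
    return "OK" if is_member(login, group) else "ERR"


def main() -> None:
    # Flush after every reply: Squid blocks on the answer to each lookup.
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Note that Squid caches helper answers according to the external_acl_type ttl= and negative_ttl= options, so a group change in the directory only takes effect for a user once the cached entry expires; that caching is also why a failed group check cannot be turned into a credential prompt from inside the helper, which is the limitation Amos describes above.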