On 10/08/2012 11:55 p.m., Rickifer Barros wrote:
> Hi Eugene,
>
> yes, that's true, but this only works together with the program
> squid_kerb_auth. So this requires my computer to be inside a domain. I need
> that it works with a popup to type username and password.
>
> I tried:
> - to use squid_kerb_auth with the parameter "auth_param basic program"
> (DOESN'T WORK)

Taking Basic auth scheme and sending its credentials format to Kerberos
scheme helper -> FAIL.

> - to use squid_ldap_auth to authenticate and squid_kerb_ldap to search.
> It authenticates but doesn't search. (DOESN'T WORK)

Taking a Basic auth format username and looking up Kerberos groups with it
could work, but Basic auth usernames do not normally have the @DOMAIN
syntax part. You will need to check users are logging in with that and
it's not being stripped away anywhere.

> - to use "auth_param negotiate program squid_kerb_auth" with
> "squid_kerb_ldap" to search, with my computer inside a domain. (IT
> WORKS!) But without username/password popup.

Kerberos is designed to operate without a popup. Move the computer
outside the domain and it might work only with popups. Or it might not.
>
> Is there some way to join "Authentication via Popup" + "Recursive Query"?

They are completely separate operations.

external_acl_type (group lookup) does authorization. Taking the username
and checking groups. username can come from any authentication type, or
even be non-authenticated. The only thing that matters is whether the
username presented by Squid to the helper is of a format which matches
something in the groups database.

Amos
Received on Fri Aug 10 2012 - 12:18:07 MDT
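
The point about username format in the reply above, as an added example that is not part of the original message and is not Squid's or squid_kerb_ldap's own code: a minimal group-lookup helper of the kind external_acl_type runs, which reads "<login> <group> ..." lines and answers OK or ERR. The group table, the realm EXAMPLE.LOCAL, the lower/upper-casing rule and the function names are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Sketch of an external_acl_type group-lookup helper (hypothetical)."""
import sys
from urllib.parse import unquote

# Constructed sample group database, keyed user@REALM the way a
# Kerberos-oriented lookup stores names. Not real data.
GROUPS = {
    "alice@EXAMPLE.LOCAL": {"Internet", "Staff"},
    "bob@EXAMPLE.LOCAL": {"Staff"},
}
DEFAULT_REALM = "EXAMPLE.LOCAL"  # assumption: realm added to bare names


def normalize(login, default_realm=DEFAULT_REALM):
    """Map the login Squid hands over onto the database's key format."""
    login = unquote(login).strip()       # values arrive URL-escaped
    if not login or login == "-":        # treat empty or "-" as "no user"
        return None
    user, sep, realm = login.partition("@")
    if not user:
        return None
    # Basic auth names usually arrive without @DOMAIN, so add the default.
    realm = realm if sep and realm else default_realm
    return f"{user.lower()}@{realm.upper()}"


def check(line, groups=GROUPS):
    """Answer one request line '<login> <group> [<group> ...]'."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"
    key = normalize(fields[0])
    wanted = {unquote(g) for g in fields[1:]}
    # Authorization only: how the user authenticated is not visible here.
    return "OK" if key and groups.get(key, set()) & wanted else "ERR"


def main():
    for line in sys.stdin:               # one lookup per line until EOF
        sys.stdout.write(check(line) + "\n")
        sys.stdout.flush()               # the caller waits for each answer


if __name__ == "__main__":
    main()
```

Without the normalize() step the bare name "alice" from a Basic auth popup would never match the "alice@EXAMPLE.LOCAL" key, which is the mismatch described in the reply.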