[GRLUG] Squid to Authenticate against Active Directory
Greg Folkert
greg at gregfolkert.net
Thu Apr 10 14:13:19 EDT 2008
On Thu, 2008-04-10 at 13:21 -0400, David Vander Zwaag wrote:
> I have been asked to set up a Squid server for my organization. I have squid
> up and running on a Fedora Core 8 OS. I now need to have the users
> authenticate against Active Directory. I have found some articles on the
> internet, but nothing has worked yet. Has anyone done this before, and if
> so, could someone provide examples. I am running Squid Stable 2.6.
>
> Thanks
More than likely you are running up against the differences in NT_Auth
you are finding across the internet and your admins not allowing your AD
to act as a credentials checking server, therefore allowing "old style"
auth without the Kerberos ticketing being active.

One way to fix this, your admins need to allow legacy authentication for
the machine in question. That machine being the FC machine.

Another way would be to install SAMBA, join it to the AD and have your
users auth against the PAM stuff using Winbind to query AD.

This means setting up a "proper" Samba server but without any home
directory enumeration or login being allowed. It *MUST* act as only an
"auth server" for local requests (local coming from Squid).

Then you must set up squid to use "localhost" PAM authentication.

There are many examples of getting Samba joined to Active Directory and
getting PAM to use Winbind as the first source (vs files/nis/ldap/etc).
There are also examples showing how to get Squid to use PAM.

If you get PAM to work with Winbind (and hence AD) and then get Squid
to use PAM... connect the dots.
Cheers.
--
greg at gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74 E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA 29C4 933F 9505 2B79 2AB2
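
Added example, not part of the original message: one way the Samba/Winbind -> PAM -> Squid chain described above can be wired together on Squid 2.6 with Samba 3.0.x. The domain names (EXAMPLE, EXAMPLE.COM), the idmap ranges, the ACL name ad_users, the account names and the helper path /usr/lib/squid/pam_auth are assumptions; adjust them to the site.

```conf
# --- /etc/samba/smb.conf: winbind as an auth-only AD member, no shares ---
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes
   # no enumeration and no shell logins for AD accounts
   winbind enum users = no
   winbind enum groups = no
   template shell = /sbin/nologin

# Join and verify before touching Squid (run as root):
#   net ads join -U Administrator
#   wbinfo -t                      # checks the machine account trust secret
#   wbinfo -a 'someuser%password'  # tests a user logon through winbindd

# --- /etc/pam.d/squid: PAM service used by Squid's pam_auth helper ---
auth     required   pam_winbind.so
account  required   pam_winbind.so

# --- squid.conf: basic auth through the PAM helper, deny everything else ---
auth_param basic program /usr/lib/squid/pam_auth -n squid
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours
acl ad_users proxy_auth REQUIRED
http_access allow ad_users
http_access deny all
```

With the basic scheme the browser sends the AD password to the proxy base64-encoded, not encrypted, on every request, so keep the client-to-proxy path on a trusted network segment.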