[GRLUG] Squid to Authenticate against Active Directory

Joe Vanderstelt thisboyiscrazy at gmail.com
Thu Apr 10 14:21:56 EDT 2008


Would using squid_ldap_auth be a more direct approach?

On Thu, Apr 10, 2008 at 2:13 PM, Greg Folkert <greg at gregfolkert.net> wrote:
> On Thu, 2008-04-10 at 13:21 -0400, David Vander Zwaag wrote:
>  > I have been asked to set up a Squid server for my organization.  I have squid
>  > up and running on a Fedora Core 8 OS.  I now need to have the users
>  > authenticate against Active Directory.  I have found some articles on the
>  > internet, but nothing has worked yet.  Has anyone done this before, and if
>  > so, could someone provide examples.  I am running Squid Stable 2.6.
>  >
>  > Thanks
>
>  More than likely you are running up against the differences in NT_Auth
>  you are finding across the internet and your admins not your AD to act
>  as a credentials checking server, therefore allowing "old style" auth
>  without the Kerberos ticketing being active.
>
>  One way to fix this, your admins need to allow legacy authentication for
>  the machine in question. That machine being the FC machine.
>
>  Another way would be to install SAMBA, join it to the AD and have your
>  users auth against the PAM stuff using Winbind to query AD.
>
>  This means setting up a "proper" Samba server but without any home
>  directory enumeration or login being allowed. It *MUST* act as only an
>  "auth server" for local request (local coming from Squid).
>
>  Then you must set up squid to use "localhost" PAM authentication.
>
>
>  There are many examples of getting Samba joined to Active Directory and
>  getting PAM to use Winbind as the first source (vs files/nis/ldap/etc).
>
>  There are also examples showing how to get Squid to use PAM.
>
>  If you get PAM to work with Winbind (and hence AD) and then get Squid
>  to use PAM... connect the dots.
>
>  Cheers.
>  --
>  greg at gregfolkert.net
>  PGP key 1024D/B524687C 2003-08-05
>  Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
>  Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
>  Alternate Fingerprint: 455F E104 22CA  29C4 933F 9505 2B79 2AB2
>
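
For reference, a squid.conf fragment for the squid_ldap_auth approach asked about above. This is an added example, not configuration posted by anyone in the thread; the helper path, domain controller name, base DN, service account and secret file are all placeholder assumptions.

```conf
# Added example. Every hostname, DN and path below is a placeholder.
#
# squid_ldap_auth binds to AD as a low-privilege service account, looks up
# the user by sAMAccountName, then rebinds as that user to check the password.
#   -R  do not follow referrals (AD returns them for a domain-root search base)
#   -W  read the bind password from a file instead of putting it on the
#       command line; keep that file readable only by the squid user
#   -Z  can be added to use TLS on the LDAP connection if the DC supports it;
#       without it the user's password crosses the wire to the DC in clear
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -v 3 -b "dc=example,dc=local" -D "cn=squid-svc,cn=Users,dc=example,dc=local" -W /etc/squid/ldap_bind_secret -f "sAMAccountName=%s" -h dc1.example.local
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Require a successful login before any request is allowed through.
# Basic auth is only base64-encoded between browser and proxy, so this
# belongs on a trusted internal network segment.
acl ad_users proxy_auth REQUIRED
http_access allow ad_users
http_access deny all
```

The helper can be checked on its own before Squid is involved: run it from a shell with the same arguments and type a username and password separated by a space; it answers OK or ERR.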

