[GRLUG] Squid to Authenticate against Active Directory
Greg Folkert
greg at gregfolkert.net
Thu Apr 10 18:05:39 EDT 2008
On Thu, 2008-04-10 at 14:21 -0400, Joe Vanderstelt wrote:
> Would using squid_ldap_auth be a more direct approach?
Not really, as Microsoft's Active Directory cannot expose everything you
need to do it properly, plus the SSL/TLS certs business end will get
mighty tedious rather quickly as Microsoft's implementation REALLY
*REALLY* hates self-signed certs.
You might get it to work, but as soon as you update your AD servers (in
Peer mode, right? not Primary/secondary) it'll break anything with
self-signed certs and you'll have to force it to re-accept them.
But, in the long run, you'll have better luck, keeping up with Samba and
Microsoft, vs Microsoft and keeping the LDAP stuff working.
> On Thu, Apr 10, 2008 at 2:13 PM, Greg Folkert <greg at gregfolkert.net> wrote:
> > On Thu, 2008-04-10 at 13:21 -0400, David Vander Zwaag wrote:
> > > I have been asked to setup a Squid server for my organization. I have squid
> > > up and running on a Fedora Core 8 OS. I now need to have the users
> > > authenticate against Active Directory. I have found some articles on the
> > > internet, but nothing has worked yet. Has anyone done this before, and if
> > > so, could someone provide examples. I am running Squid Stable 2.6.
> > >
> > > Thanks
> >
> > More than likely you are running up against the differences in NT_Auth
> > you are finding across the internet and your admins not your AD to act
> > as a credentials checking server, therefore allowing "old style" auth
> > without the Kerberos ticketing being active.
[snip]
--
greg at gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74 E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA 29C4 933F 9505 2B79 2AB2