Re: [squid-users] Windows auto-login helper application?

2009-09-24 Thread Henrik Nordstrom
Tue 2009-09-22 at 00:15 -0500, Dale Mahalko wrote:

  * doesn't require the users to remember a name and password to use
 the proxy, and does an auto-login so I can identify the user in the
 proxy access logs
 
  * uses password encryption to prevent sniffing of passwords on the network

For the above you need NTLM or kerberos.

basic auth can't fulfill either of the above two.

digest auth only fulfills the second with most browsers. Haven't seen
them allowing the proxy password to be saved in the browser.

but on the positive side the Squid digest helper does have eDirectory
integration making it possible to log in to the proxy using the same
password as in eDirectory/NDS.

 At this point I would be happy with sticking a small program in each
 user's Windows roaming profile account that loads when they login and
 does the authentication for them, whenever they try to use the proxy.

That's doable. And maybe doesn't even need any extra program, but it
will be done by tying the user identity to the IP of his station.

If your NDS/eDir server already keeps track of who is logged on at what
client IP then all you need is to query this via an external acl,
returning the username to Squid.

 There is apparently no formal name for doing this sort of user-login
 though so I can't search for examples of anyone doing it since I don't
 know what to call it. Maybe: Windows helper application squid
 authentication?

Such out-of-band methods with Squid are not authentication, just
identification.

Regards
Henrik
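
Added example, not part of Henrik's message and not code from the Squid project: a minimal external ACL helper for the IP-to-user identification described above. The helper path, ACL names, the 8-hour staleness limit and the inline session table (a constructed stand-in for the NDS/eDir lookup) are assumptions.

```python
#!/usr/bin/env python3
# Added example: Squid external ACL helper mapping client IP (%SRC) to a user.
# Hypothetical squid.conf wiring (helper path and ACL names are assumptions):
#   external_acl_type ip_user ttl=60 negative_ttl=10 %SRC /usr/local/bin/ip_user.py
#   acl identified external ip_user
#   http_access allow identified
import ipaddress
import sys
import time
from urllib.parse import quote

MAX_AGE = 8 * 3600  # assumption: a login record older than 8 hours is stale
START = int(time.time())

# Constructed stand-in for the directory's "who is logged in where" data:
# client IP -> (username, login time as epoch seconds).
SAMPLE_SESSIONS = {
    "192.0.2.10": ("alice", START),
    "192.0.2.11": ("bob", START - 10 * 3600),  # stale record
    "192.0.2.12": ("lab user", START),
}

def lookup(ip, sessions, now):
    """Return the username bound to ip, or None if unknown or stale."""
    entry = sessions.get(ip)
    if entry is None or now - entry[1] > MAX_AGE:
        return None
    return entry[0]

def answer(line, sessions, now):
    fields = line.split()
    channel = ""
    # With concurrency=N Squid prefixes a numeric channel ID to echo back.
    if len(fields) == 2 and fields[0].isdigit():
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) != 1:
        return channel + "ERR"
    try:
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return channel + "ERR"  # never guess on malformed input
    user = lookup(ip, sessions, now)
    if user is None:
        return channel + "ERR"
    return channel + "OK user=" + quote(user)  # values are URL-escaped

if __name__ == "__main__":
    for request in sys.stdin:
        print(answer(request, SAMPLE_SESSIONS, time.time()), flush=True)
```

Because the username is derived only from the source IP, a stale or reused address is logged under the previous user's name, which is why the helper rejects old records and the ACL uses a short ttl.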



Re: [squid-users] Windows auto-login helper application?

2009-09-22 Thread Amos Jeffries

Dale Mahalko wrote:

I need some help with setting up a fairly secure, easy to use method
of authenticating users of Windows XP with squid, that:

 * doesn't require the users to remember a name and password to use
the proxy, and does an auto-login so I can identify the user in the
proxy access logs

 * uses password encryption to prevent sniffing of passwords on the network

It does not look like NTLM authentication will work because apparently
that requires Windows to be joined to a domain before Windows will use
that method. None of the computers are in a domain, and they can't be
since this is a Novell network.

For the life o' me, I cannot figure out how to get the LDAP-auth to
connect to do a Novell eDir/NDS LDAP user lookup. Most searched
discussions regarding this are incomplete, usually ending with someone
saying Oh I figured it out myself and they never post what they did.
I know our LDAP server works since I can login to it using a generic
LDAP browser.


At this point I would be happy with sticking a small program in each
user's Windows roaming profile account that loads when they login and
does the authentication for them, whenever they try to use the proxy.

There is apparently no formal name for doing this sort of user-login
though so I can't search for examples of anyone doing it since I don't
know what to call it. Maybe: Windows helper application squid
authentication?

Actually this is how Novell's aging BorderManager proxy does it, using
a program called the Client Trust that sits in the taskbar and talks
to the proxy to authorize the user. It interfaces with the Novell
client to get the user's credentials.

I am not expecting or looking for anything this extravagant that also
can talk to the Novell Client. I would be fine with a
taskbar/background helper that just uses a simple hashed config file
in the user's account to authenticate them with squid.

(BorderManager is being retired by Novell next year and so I can't
expect or rely on the Client Trust authenticator to continue to be
available. And besides it is made only for BorderManager, and doesn't
work with other proxies like squid..)

Dale Mahalko


We have a generic LDAP how-to which may or may not be useful to you...
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap


Recent squid releases bundle an eDirectory helper for doing secure 
encrypted digest authentication. That auth method is also growing in its 
support from browsers etc.


Hopefully someone with a bit more experience in these auth methods will 
speak up. This should give you a place to start searching anyway. Good luck.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.13
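
Added example, not part of the thread and not Squid's own code: it contrasts what Basic and Digest credentials expose to someone sniffing the network, which is the second requirement in the original question. The function names are assumptions; the sample values are the RFC 2617 section 3.5 test vector.

```python
# Added example: what each scheme puts on the wire in Proxy-Authorization.
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_credentials(user, password):
    """Basic: base64 of user:password, an encoding and not encryption."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(credentials):
    """Anyone who captures the header gets the password back."""
    user, _, password = base64.b64decode(credentials).decode().partition(":")
    return user, password

def ha1(user, realm, password):
    """The only password-derived value the proxy side needs to store."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth; bound to the server's nonce."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def proxy_accepts(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Proxy-side check: recompute from the stored HA1 and compare."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

# Test vector from RFC 2617 section 3.5.
RFC = dict(method="GET", uri="/dir/index.html",
           nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
           nc="00000001", cnonce="0a4f113b")

if __name__ == "__main__":
    stored = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print("basic reveals:", decode_basic(basic_credentials("Mufasa", "Circle Of Life")))
    print("digest sends: ", digest_response(stored, **RFC))
```

Digest keeps the password off the wire, but the stored HA1 is password-equivalent for its realm and needs the same protection as the password itself.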


[squid-users] Windows auto-login helper application?

2009-09-21 Thread Dale Mahalko
I need some help with setting up a fairly secure, easy to use method
of authenticating users of Windows XP with squid, that:

 * doesn't require the users to remember a name and password to use
the proxy, and does an auto-login so I can identify the user in the
proxy access logs

 * uses password encryption to prevent sniffing of passwords on the network

It does not look like NTLM authentication will work because apparently
that requires Windows to be joined to a domain before Windows will use
that method. None of the computers are in a domain, and they can't be
since this is a Novell network.

For the life o' me, I cannot figure out how to get the LDAP-auth to
connect to do a Novell eDir/NDS LDAP user lookup. Most searched
discussions regarding this are incomplete, usually ending with someone
saying Oh I figured it out myself and they never post what they did.
I know our LDAP server works since I can login to it using a generic
LDAP browser.

At this point I would be happy with sticking a small program in each
user's Windows roaming profile account that loads when they login and
does the authentication for them, whenever they try to use the proxy.

There is apparently no formal name for doing this sort of user-login
though so I can't search for examples of anyone doing it since I don't
know what to call it. Maybe: Windows helper application squid
authentication?

Actually this is how Novell's aging BorderManager proxy does it, using
a program called the Client Trust that sits in the taskbar and talks
to the proxy to authorize the user. It interfaces with the Novell
client to get the user's credentials.

I am not expecting or looking for anything this extravagant that also
can talk to the Novell Client. I would be fine with a
taskbar/background helper that just uses a simple hashed config file
in the user's account to authenticate them with squid.

(BorderManager is being retired by Novell next year and so I can't
expect or rely on the Client Trust authenticator to continue to be
available. And besides it is made only for BorderManager, and doesn't
work with other proxies like squid..)

Dale Mahalko