Re: [squid-users] Squid Authentication + ldap/samba
On Fri 2007-05-11 at 11:30 +0100, Duarte Lázaro wrote:

> But in NTLM i cannot ( i think ) restrict a user by an attribute, if
> the user gets authenticated he has "net".

You can. But it's two different things. Don't mix up authentication and authorization.

The purpose of authentication is solely to verify the identity of the user. You then use this identity in authorization to grant or deny access.

Authentication is done by auth_param settings, and triggered by acls based on the user name.

Authorization is done by http_access, by using acls matching users and what they are allowed to do.

> Basic/Digest (squid_ldap_auth/group) are more flexible, because u can
> use a filter and restrict by attribute. The problem is that browsers are
> always prompting for password although the password can be stored.

You can still use squid_ldap_group with NTLM if you run a Windows Active Directory.

Digest is a bit troublesome in that you can not use a user directory backend, and must have a local digest password file on the proxy.

Regards
Henrik
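The split described in the message above, as an added squid.conf sketch that is not part of the original thread: Samba's ntlm_auth helper handles authentication, and squid_ldap_group against Active Directory handles authorization. The ntlm_auth path, the example.com domain, the bind account, the secret file, the server name and the InternetUsers group are all assumptions.

```conf
# --- Authentication: who is the user? (auth_param) ---
# NTLM lets domain-joined Windows browsers authenticate without a prompt.
# Assumed path to Samba's ntlm_auth; the proxy host must be joined to the domain.
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

# Basic fallback for clients without NTLM, checked by the same Samba backend.
# Basic sends the password base64-encoded, not encrypted; omit these three
# lines if every client can do NTLM.
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server

# --- Authorization: what may this user do? (acl + http_access) ---
# %LOGIN hands the already authenticated user name to the group helper.
# -S strips the NT domain part (DOMAIN\user) before the LDAP lookup.
# -W reads the bind password from a file, keeping it out of squid.conf
# and out of the process list.
# Bind DN, secret file, base DN and server below are placeholders.
external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -S -b "dc=example,dc=com" -D "cn=squid,cn=Users,dc=example,dc=com" -W /usr/local/etc/squid/ldap.secret -f "(&(sAMAccountName=%u)(memberOf=cn=%g,cn=Users,dc=example,dc=com))" -h dc1.example.com

# Only members of the (assumed) InternetUsers group get access;
# everything else, including authenticated non-members, is denied.
acl InetAccess external InetGroup InternetUsers
http_access allow InetAccess
http_access deny all
```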
Re: [squid-users] Squid Authentication + ldap/samba
On Thu 2007-05-10 at 12:09 +0100, Duarte Lázaro wrote:

> i really wanna is to authenticated on ldap, but the browser not to show
> a pop-up,
> it's possible? samba ( maybe ntlm ?)

This depends entirely on browser support and which scheme you are using.

Few if any browsers fully support saved proxy passwords when using the Basic or Digest authentication schemes. Most ask the user once before sending the password to the proxy.

Most browsers supporting NTLM authentication do this automatically on Windows stations logged on to a domain, but using NTLM requires an NTLM capable authentication backend such as Samba connected to the Windows domain. LDAP can not be used.

But you can use LDAP to check group membership using squid_ldap_group even if using NTLM via Samba for authentication.

Regards
Henrik
Re: [squid-users] Squid Authentication + ldap/samba
On 05/10/2007 08:44 AM, Duarte Lázaro wrote:
> Hi, Sergey
>
> I know that, but for example in IE or Firefox the prompt
> still opens, although the password is saved, my question
> is if there is some way that the prompt ( although the
> password is saved ) is not shown.

Yes, there is. A single sign-on solution, like Kerberos, *but*, not sure about how squid will integrate that, AFAIK thru ntlm auth.

Searching for Single Sign-On (also known as SSO) you will find some good information and posts on the mail list about the subject.

Good luck and don't forget to add more information on this thread if you find something interesting. :-)

Kind regards,
--
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
Re: [squid-users] Squid Authentication + ldap/samba
Hi, Sergey

I know that, but for example in IE or Firefox the prompt still opens, although the password is saved, my question is if there is some way that the prompt ( although the password is saved ) is not shown.

Anyway thanks for the tips.

Sergey A. Kobzar wrote:

Hello Duarte,

Many browsers have option to save username and passwd ;)

Thursday, May 10, 2007, 2:30:40 PM, you wrote:

Ok, i think i'm not explaining so good. I have already squid authentication, what i need is that the browser does not show the prompt, just get the credentials without prompting the user, for example my user is part of a domain so they get the user from the computer and the user would not have the need to type it, is there any way ?

Sergey A. Kobzar wrote:

Hello Duarte,

Thursday, May 10, 2007, 2:09:05 PM, you wrote:

Hi,
i really wanna is to authenticated on ldap, but the browser not to show a pop-up, it's possible? samba ( maybe ntlm ?)

I gave you working configuration. Just forgot about -v 3 option. :)

what does the [skipped], does ?

Line from standard Squid's config. Show

tail -f /path/to/squid.conf
tail -f /path/to/slapd.conf

?
thanks

Sergey A. Kobzar wrote:

Hello Duarte,

If you want to authenticate users from LDAP only, this configuration is enough:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "ou=People,dc=test,dc=com" ldap.test.com
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
[skipped]
acl ldap_users proxy_auth REQUIRED
[skipped]
http_access allow ldap_users

Thursday, May 10, 2007, 1:17:34 PM, you wrote:

Hi there
I'm trying to set up squid with authentication, but i would need it asking the user the credentials.
Already set up an "squid_ldap_auth" but a login prompt comes, every time.
trying now with "squid_ldap_group", but still nothing, from the Unix prompt i can authenticate a user with some filter.

Here is some info :

Squid.conf
---
external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=pnp,dc=com" -f "(&(uid=%u)(gidNumber=%g)(homePhone=1))" -v 3
acl InetAccess external InetGroup 513
http_access allow InetAccess
---
Ldap info
-
ldapsearch -vLx -b "dc=pnp,dc=com" "(uid=duarte)"
result :
# duarte, Users, pnp.com
dn: uid=duarte,ou=Users,dc=pnp,dc=com
objectClass: top
objectClass: person
...
sn: duarte
givenName: duarte
uid: duarte
uidNumber: 1002
gidNumber: 513
...
# numResponses: 2
# numEntries: 1
--
From the prompt on Unix :
/usr/local/libexec/squid/squid_ldap_group -R -b "dc=pnp,dc=com" -f "(&(uid=%u)(gidNumber=%g))" -v 3
duarte 513
OK

so my question is.. why the browser not authenticating with squid ?

Thanks in advance.
Re: [squid-users] Squid Authentication + ldap/samba
Ok, i think i'm not explaining so good. I have already squid authentication, what i need is that the browser does not show the prompt, just get the credentials without prompting the user, for example my user is part of a domain so they get the user from the computer and the user would not have the need to type it, is there any way ?

Sergey A. Kobzar wrote:

Hello Duarte,

Thursday, May 10, 2007, 2:09:05 PM, you wrote:

Hi,
i really wanna is to authenticated on ldap, but the browser not to show a pop-up, it's possible? samba ( maybe ntlm ?)

I gave you working configuration. Just forgot about -v 3 option. :)

what does the [skipped], does ?

Line from standard Squid's config. Show

tail -f /path/to/squid.conf
tail -f /path/to/slapd.conf

?
thanks

Sergey A. Kobzar wrote:

Hello Duarte,

If you want to authenticate users from LDAP only, this configuration is enough:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "ou=People,dc=test,dc=com" ldap.test.com
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
[skipped]
acl ldap_users proxy_auth REQUIRED
[skipped]
http_access allow ldap_users

Thursday, May 10, 2007, 1:17:34 PM, you wrote:

Hi there
I'm trying to set up squid with authentication, but i would need it asking the user the credentials.
Already set up an "squid_ldap_auth" but a login prompt comes, every time.
trying now with "squid_ldap_group", but still nothing, from the Unix prompt i can authenticate a user with some filter.

Here is some info :

Squid.conf
---
external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=pnp,dc=com" -f "(&(uid=%u)(gidNumber=%g)(homePhone=1))" -v 3
acl InetAccess external InetGroup 513
http_access allow InetAccess
---
Ldap info
-
ldapsearch -vLx -b "dc=pnp,dc=com" "(uid=duarte)"
result :
# duarte, Users, pnp.com
dn: uid=duarte,ou=Users,dc=pnp,dc=com
objectClass: top
objectClass: person
...
sn: duarte
givenName: duarte
uid: duarte
uidNumber: 1002
gidNumber: 513
...
# numResponses: 2
# numEntries: 1
--
From the prompt on Unix :
/usr/local/libexec/squid/squid_ldap_group -R -b "dc=pnp,dc=com" -f "(&(uid=%u)(gidNumber=%g))" -v 3
duarte 513
OK

so my question is.. why the browser not authenticating with squid ?

Thanks in advance.
Re: [squid-users] Squid Authentication + ldap/samba
Hi,
i really wanna is to authenticated on ldap, but the browser not to show a pop-up, it's possible? samba ( maybe ntlm ?)

what does the [skipped], does ?

thanks

Sergey A. Kobzar wrote:

Hello Duarte,

If you want to authenticate users from LDAP only, this configuration is enough:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "ou=People,dc=test,dc=com" ldap.test.com
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
[skipped]
acl ldap_users proxy_auth REQUIRED
[skipped]
http_access allow ldap_users

Thursday, May 10, 2007, 1:17:34 PM, you wrote:

Hi there
I'm trying to set up squid with authentication, but i would need it asking the user the credentials.
Already set up an "squid_ldap_auth" but a login prompt comes, every time.
trying now with "squid_ldap_group", but still nothing, from the Unix prompt i can authenticate a user with some filter.

Here is some info :

Squid.conf
---
external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=pnp,dc=com" -f "(&(uid=%u)(gidNumber=%g)(homePhone=1))" -v 3
acl InetAccess external InetGroup 513
http_access allow InetAccess
---
Ldap info
-
ldapsearch -vLx -b "dc=pnp,dc=com" "(uid=duarte)"
result :
# duarte, Users, pnp.com
dn: uid=duarte,ou=Users,dc=pnp,dc=com
objectClass: top
objectClass: person
...
sn: duarte
givenName: duarte
uid: duarte
uidNumber: 1002
gidNumber: 513
...
# numResponses: 2
# numEntries: 1
--
From the prompt on Unix :
/usr/local/libexec/squid/squid_ldap_group -R -b "dc=pnp,dc=com" -f "(&(uid=%u)(gidNumber=%g))" -v 3
duarte 513
OK

so my question is.. why the browser not authenticating with squid ?

Thanks in advance.
Re: [squid-users] Squid Authentication + ldap/samba
Hello Duarte,

If you want to authenticate users from LDAP only, this configuration is enough:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "ou=People,dc=test,dc=com" ldap.test.com
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
[skipped]
acl ldap_users proxy_auth REQUIRED
[skipped]
http_access allow ldap_users

Thursday, May 10, 2007, 1:17:34 PM, you wrote:

> Hi there
> I'm trying to set up squid with authentication, but i would need it
> asking the user the credentials.
> Already set up an "squid_ldap_auth" but a login prompt comes, every time.
> trying now with "squid_ldap_group", but still nothing, from the Unix
> prompt i can authenticate a user with some filter.
>
> Here is some info :
>
> Squid.conf
> ---
> external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=pnp,dc=com" -f "(&(uid=%u)(gidNumber=%g)(homePhone=1))" -v 3
> acl InetAccess external InetGroup 513
> http_access allow InetAccess
> ---
> Ldap info
> -
> ldapsearch -vLx -b "dc=pnp,dc=com" "(uid=duarte)"
> result :
> # duarte, Users, pnp.com
> dn: uid=duarte,ou=Users,dc=pnp,dc=com
> objectClass: top
> objectClass: person
> ...
> sn: duarte
> givenName: duarte
> uid: duarte
> uidNumber: 1002
> gidNumber: 513
> ...
> # numResponses: 2
> # numEntries: 1
> --
> From the prompt on Unix :
> /usr/local/libexec/squid/squid_ldap_group -R -b "dc=pnp,dc=com" -f "(&(uid=%u)(gidNumber=%g))" -v 3
> duarte 513
> OK
>
> so my question is.. why the browser not authenticating with squid ?
>
> Thanks in advance.

--
Best regards,
Sergey mailto:[EMAIL PROTECTED]