On 19/12/2011 9:00 p.m., Josef Karliak wrote:
> Hi there,
> We may plan to activate authorization for users to the internet against Windows AD, running on Windows Server 2008R2. I'm running squid on openSUSE 11.4 64-bit. I've found some how-tos, many of them solve it by ntlm-auth (not in openSUSE, but there is a similar one named "ntlm_smb_lm_auth" for squid I suppose

Nope. ntlm_smb_lm_auth does the ancient LM-over-SMB protocol (using the HTTP "NTLM" auth scheme) for use with Windows98/CE/ME and similar older software, and is considered dangerous to use in today's network environment. NTLM is best done using the ntlm_auth helper from the Samba project. An even better alternative, if you can use it, is Kerberos authentication, which is supported by WindowsXP SP2 and later software.

> ). Another choice is over ldap.
> What is better? What are your experiences or recommendations? And - please - some step-by-step how-to ...

LDAP is just the interface to the credentials database. It can be used with most of the auth schemes in HTTP.

The recommendation in this area is to go with whichever AD interface you are most familiar with and can implement securely. Pick the auth scheme(s) to suit your needs, then find which helper(s) plug the two together.


http://wiki.squid-cache.org/Features/Authentication has the overview of how auth works for Squid and links to more info and the config examples.

Amos
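
The helper choices recommended in the reply above, as an added squid.conf example that is not part of the original message or taken from the Squid wiki. The helper paths, the children counts, the ACL name `ad_users`, and the realm and host name `proxy.example.com` / `EXAMPLE.COM` are assumptions; the Kerberos helper is called `squid_kerb_auth` in older Squid packages and `negotiate_kerberos_auth` in newer ones.

```conf
# squid.conf fragment (added example; paths and names are assumptions)

# Avoid: LM-over-SMB helper, kept here only to show what NOT to enable.
# auth_param ntlm program /usr/sbin/ntlm_smb_lm_auth ...

# Preferred: Kerberos via the HTTP "Negotiate" scheme.
# Requires a keytab for the HTTP/<proxy-fqdn> service principal that the
# Squid user can read (location typically given via KRB5_KTNAME).
auth_param negotiate program /usr/sbin/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Fallback for clients that cannot do Kerberos: NTLM through Samba's
# ntlm_auth helper. The proxy host must be joined to the AD domain and
# winbindd must be running for this helper to validate credentials.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Require a successfully authenticated user for all proxy access.
acl ad_users proxy_auth REQUIRED
http_access allow ad_users
http_access deny all
```

Squid offers the schemes to the browser in the order they are configured, so listing Negotiate first lets Kerberos-capable clients use it before falling back to NTLM.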
