[squid-users] LDAP Auth re-prompting for credentials on browser close, need suggestions

Amos Jeffries squid3 at treenet.co.nz
Wed Jul 29 21:20:17 UTC 2015


On 30/07/2015 2:21 a.m., Michael Monette wrote:
> Hey,
> 
> I configured the basic_ldap_helper from Squid to my LDAP. Every time I
> open the browser I am forced to re-auth. All of them except for
> Internet Explorer. But who uses IE anyways? It seems like this is not
> a Squid issue, but a browser thing.
> 

How very .. expected. See the end of this email.


> Found this post asking the same question:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Ldap-Authen-AD-how-to-make-authentication-persistent-td3604487.html
> and it
> 
> There were two suggestions that stood out:
> 
> There used to be an "authenticate_ip_shortcircuit_ttl" option in squid
> 2.7 that when authenticated successfully, it would remember the user's
> IP for X amount of time and would let you avoid logging in every time
> you reopen your browser. They removed that in later versions
> unfortunately, I guess because someone could take over your IP and
> would be able to authenticate as you (which is not a concern to me, at
> all).

It should.

There's this thing called NAT you see, which places multiple users behind
a single IP. The first one to log in with IP-based auth. Since IPv4 ran
out back in 2003 a number of networks have started using one layer.
Since 2010 when IPv4 stopped being readily available it's become more and
more popular to use 2 and even 3 layers of NAT between any two machines.
Just so they can talk.

Then there is this thing called DHCP. I guess this is what you mean by
one user taking over another's IP. Since the DHCP service allocates any
available IP to user devices on request, if a device goes away its IP
can get re-used immediately by another device. It's quite difficult to get
Squid to be aware of any of those changes and update its auth information.

Then there is the thing called "privacy addressing". In IPv6 it's
built-in, with IPv4 it's done using DHCP short dynamic assignments. It
means the IP address assigned to user devices is guaranteed to change
frequently and randomly.

Now, if your network can operate without NAT or DHCP, or IPv6, you are
one of the very rare lucky people for whom IP-shortcut based auth
*might* work. But only until you have a malicious user contact the
network and start spoofing users' IPs.


IP address based authentication is, well. Dead.


> 
> The other suggestion would be to use an external ACL helper but they
> did not include one or any example in the post.
> 
> Would anyone happen to have an example of a helper that does this or
> some other way I can go about pulling this off?


"Windows Integrated Authentication" is what IE is using not to have to
ask the user for credentials. Some credentials were given when they logged
into the machine, and are used by the browser to send to Squid as needed
(and only as needed). Sometimes called Single-Sign-On or Federated
authentication.

I hear the other browsers need some config to use it. But can't recall
right now what that is.

For Squid it should work with Basic auth. Don't believe the myths that
say Windows auth == NTLM.


Whether *a* popup is seen also depends on whether the browser password
manager is in use. One always needs to unlock that manually when opening
a browser. The actual Squid credentials are fetched from there after it's
opened. And no, that popup is *not* part of HTTP auth.

Amos
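As an added example (not code from this thread or from Squid itself), the following Python model shows the two mechanisms the reply contrasts: the proxy Basic-auth exchange (a 407 challenge with Proxy-Authenticate, answered by a Proxy-Authorization header the browser must resend from memory on every request, which is why closing the browser loses it) and the removed Squid 2.7 IP shortcut, re-enabled here as a toggle so the NAT/DHCP failure mode Amos describes can be seen directly. The user database, addresses and TTL values are constructed for illustration; the helper names are hypothetical stand-ins for basic_ldap_auth.

```python
"""Toy model of proxy Basic authentication (RFC 7235 407 challenge,
RFC 7617 credential encoding) with an optional, deliberately insecure
"remember the client IP" shortcut.

Constructed illustration for this thread; it is not Squid code.  The
user database, addresses and TTL values below are made up.
"""
import base64
import time

REALM = "Squid proxy"
# Stand-in for the LDAP directory that basic_ldap_auth would query.
USERS = {"alice": "correct horse", "bob": "battery staple"}


def verify_basic(user, password):
    """Hypothetical basic_ldap_auth: True when the credentials match."""
    return USERS.get(user) == password


def build_challenge():
    """Headers Squid sends when a request carries no usable credentials."""
    return {"status": 407, "Proxy-Authenticate": 'Basic realm="%s"' % REALM}


def client_header(user, password):
    """The Proxy-Authorization value a browser attaches to every request
    once it holds credentials (kept in memory; gone when the browser closes)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Basic " + token


def parse_proxy_authorization(header):
    """Decode 'Basic <base64(user:pass)>'; None for anything malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


class Proxy:
    """Minimal authenticating proxy.  ip_shortcircuit_ttl=0 is the current
    behaviour (credentials required on every request); a positive value
    reproduces the removed Squid 2.7 IP shortcut for comparison."""

    def __init__(self, ip_shortcircuit_ttl=0, clock=time.monotonic):
        self.ttl = ip_shortcircuit_ttl
        self.clock = clock
        self._by_ip = {}          # src ip -> (user, expiry time)

    def handle(self, src_ip, proxy_authorization=None):
        """Return (status, user): (200, user) when allowed, (407, None) when
        the client must (re)send credentials."""
        creds = parse_proxy_authorization(proxy_authorization)
        if creds and verify_basic(*creds):
            if self.ttl:
                self._by_ip[src_ip] = (creds[0], self.clock() + self.ttl)
            return 200, creds[0]
        if self.ttl:
            # Insecure shortcut: anyone arriving from an IP that recently
            # authenticated is treated as that user.  Behind NAT every host
            # shares src_ip, and DHCP hands the address to the next device.
            entry = self._by_ip.get(src_ip)
            if entry and entry[1] > self.clock():
                return 200, entry[0]
        return 407, None


if __name__ == "__main__":
    nat_ip = "203.0.113.1"        # one public address shared by alice and bob
    shortcut = Proxy(ip_shortcircuit_ttl=600)
    shortcut.handle(nat_ip, client_header("alice", "correct horse"))
    print("IP shortcut, bob without credentials:", shortcut.handle(nat_ip))

    strict = Proxy()
    strict.handle(nat_ip, client_header("alice", "correct horse"))
    print("no shortcut, bob without credentials:", strict.handle(nat_ip))
    print("challenge sent:", build_challenge())
```

With the shortcut on, the second host behind the NAT address is accepted as alice without ever presenting credentials; with it off, every request without a valid Proxy-Authorization header gets the 407 challenge, which is exactly the re-prompt a freshly opened browser shows until something (the browser's own cache, a password manager, or an SSO mechanism) supplies the header again.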

