[squid-users] SSO (ldap kerberos)

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 13 03:54:52 UTC 2016


On 13/09/2016 5:40 a.m., erdosain9 wrote:
> HI.
> I want Single Sign On...

"Single Sign-On" is the emergent behaviour of multiple pieces of
software all sharing a single password manager - either to locate user
credentials or to perform the authentication on the software's behalf.

The type(s) of authentication that can be performed is limited only by
your chosen password manager's abilities:

* ActiveDirectory only does SSO with NTLM or Negotiate/Kerberos credentials.

* Browser password managers allow any HTTP authentication type (and some
others) to be used.

* operating system "wallets" differ by system. Usually restricting to
TLS certificate authentication, though some allow Kerberos or Basic
credentials to be stored as well.


> i want can take groups to assign acl and control
> bandwidth, etc.

What clients can do with your proxy is unrelated to whether they perform
SSO or not.

> I need ldap???

"need" no. Squid provides helpers for LDAP or WinBind group lookup.
Worst case you could write your own (or have someone write it for you)
for other types of lookup.


> i know i need kerberos to sso...

No you don't. See above.

> but is necessary ldap for
> take groups??? or with kerberos i can "take" groups??
> 

What do you mean by "take" ?

In English 'take' is a word meaning movement of something from A to B -
where the thing's existence in A ceases during the process. (B
takes from A).

Looking at what group a user belongs to does not change that group or
their user name. So it cannot be "taken".


> by the way, 
> i tried this
> 
> basic_ldap_auth -R -b "cn=Users,dc=example,dc=lan" -D
> squid-probe@example.lan -w 123456 -f sAMAccountName=%s -v 3 -s sub -h
> 192.168.1.102
> 
> basic_ldap_auth: WARNING, could not bind to binddn 'Strong(er)
> authentication required'
> 
> Why this???

There are two logins:

1) the user login to the proxy. Used to send an HTTP message through the
proxy.

2) the helper login to AD. Used to verify if the login (1) credentials
are valid.

Your AD requires that a different (stronger / more secure) login of type
(2) be used by the helper.

Check the AD settings you have for user "squid-probe@example.lan" with
password "123456". That is the account this Squid helper is using to
access AD.


FWIW, the helper can use TLS connections to AD when the -Z option is
configured. Your AD may be wanting that.


> but anyway, i need ldap for take groups???
> 

Many types of group lookup exist:

For Squid running on Windows natively:
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_ad_group_acl>

For Squid receiving Kerberos or NTLM credentials and checking via LDAP:
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html>

For Squid receiving Basic credentials and checking via LDAP:
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_ldap_group_acl.html>

For Squid receiving LanManager credentials to check against a Windows
NT/2000 domain controller:
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_lm_group_acl.html>

For Squid receiving credentials to check against Unix group membership:
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_unix_group_acl.html>

For Squid receiving NTLM credentials to check against Samba, AD, or
eDirectory via WinBind service:
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_wbinfo_group_acl.html>


> my version of squid is 3.5.20 (on Centos 7)
> AD (samba 4.3.9 on Ubuntu)

Then you want one of ext_ldap_group_acl, ext_kerberos_ldap_group_acl, or
ext_wbinfo_group_acl.

The first of those is most generic, so usually the one to use. But your
specific situation may or may not require one of the others.

Amos
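A worked squid.conf fragment for the setup this thread is about: Basic authentication checked against a Samba AD DC by basic_ldap_auth, group membership checked by ext_ldap_group_acl, and a bandwidth pool keyed to one of those groups. This is an added example, not Amos's or the Squid project's configuration. The DC hostname, bind account, base DNs, group names, the helper directory (/usr/lib64/squid is where the CentOS 7 squid package installs helpers) and the secret-file path are assumptions to be adapted. It uses the -Z option Amos mentions so that both helpers talk to the DC over STARTTLS, which is what a Samba AD DC configured with "ldap server require strong auth = yes" (the default on current Samba AD DCs) demands before it will accept a simple bind; a cleartext simple bind is what produces the "Strong(er) authentication required" result in the original command.

```conf
# squid.conf fragment (added example; names, DNs and paths are assumptions)

# Login (1): the user's Basic credentials are verified by binding to the
# Samba AD DC.  Login (2): the helper's own AD account, squid-probe, read
# from a root/squid-readable file with -W rather than placed on the command
# line where "ps" would show it.  -Z upgrades the port-389 connection to TLS
# before the bind; -R stops the helper chasing AD referrals.
auth_param basic program /usr/lib64/squid/basic_ldap_auth \
    -R -v 3 -s sub -Z \
    -b "cn=Users,dc=example,dc=lan" \
    -D "squid-probe@example.lan" -W /etc/squid/ldap_secret \
    -f "sAMAccountName=%s" \
    -h dc1.example.lan
auth_param basic children 10 startup=5 idle=2
auth_param basic realm Proxy
auth_param basic credentialsttl 5 minutes
acl authenticated proxy_auth REQUIRED

# Group lookup: same bind account and TLS settings.  Squid hands the helper
# "%LOGIN groupname" and the helper answers OK/ERR.  In the -f filter %v is
# replaced by the user name and %a by the group name (see the helper's -f
# option); the memberOf check here assumes the groups live under cn=Users.
external_acl_type ldap_group ttl=300 negative_ttl=60 %LOGIN \
    /usr/lib64/squid/ext_ldap_group_acl \
    -R -v 3 -s sub -Z \
    -b "dc=example,dc=lan" \
    -D "squid-probe@example.lan" -W /etc/squid/ldap_secret \
    -f "(&(objectClass=person)(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=example,dc=lan))" \
    -h dc1.example.lan

acl proxy_admins external ldap_group ProxyAdmins
acl proxy_users  external ldap_group ProxyUsers

# Force authentication first, then grant by group; authenticated users in
# neither group fall through to the final deny.
http_access deny !authenticated
http_access allow proxy_admins
http_access allow proxy_users
http_access deny all

# Bandwidth control for the ordinary users only: one class-2 pool, no
# aggregate cap (-1/-1), 128 KB/s sustained with a 256 KB burst per client.
# Note that class-2 individual buckets are keyed by client IP, not by login.
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 128000/256000
delay_access 1 allow proxy_users
delay_access 1 deny all
```

Two things to check before this works: /etc/squid/ldap_secret must hold only the bind password and be readable by the user Squid runs the helpers as (squid on CentOS 7) and nobody else; and the helpers use the OpenLDAP client library, so the DC's CA certificate must be trusted via TLS_CACERT in /etc/openldap/ldap.conf, otherwise -Z fails at the STARTTLS step before the bind is even attempted. The same -Z and -W options can be added to the single basic_ldap_auth command line from the original post to confirm the bind succeeds from a shell before touching squid.conf.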
