[squid-users] SQUID with two authentications methods

Amos Jeffries squid3 at treenet.co.nz
Tue Jan 16 18:10:28 UTC 2018

On 17/01/18 06:23, Colle Christophe wrote:
> Hello,
> I want to configure SQUID with two authentications methods:
> - Kerberos (to do SSO with posts in an ActiveDirectory domain)
> - Basic (Open LDAP directory)
> The LDAP directory contains all the "official" accounts of people, the 
> AD directory contains some accounts (same identifiers as on LDAP) and 
> generic accounts.
> Everything works fine, but I would like to add an extra check: The 
> Kerberos account must also exist in the LDAP directory in order to not 
> allow use of generic accounts.
> I managed to do that with Squid but I get this behavior:
> - Account present in AD + LDAP: OK
> - Account present in AD but not in LDAP: KO
> *Is it possible to force LDAP authentication if "check_ldapĀ " fail ?*


Please note:
  "Squid can not force the clients to choose one over the other."

You would be better to change your design and use an authentication 
helper of your own that performs these complex relationship checks 
instead of trying to warp Squid ACLs into doing things they are not 
supposed to do.

You already have custom ACL helper. Convert that to one which handles 
the auth credentials through the auth_param interface and does both the 
login check and the LDAP check before declaring Kerberos credentials as 
acceptable to Squid.

Also from the order of your squid.conf it is pretty confusing to do the 
login (deny !authenticated) *after* all your check_ldap that rely on 
credentials being valid.


More information about the squid-users mailing list