<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#464646" bgcolor="#FFFFFF">
<font face="Arial">Hello<br>
<br>
Thank you but this is not the objective and this is the reason for
needing the "fake".<br>
Access to Kerberos or NTLM ports of the AD, is not possible. An
LDAP server would be present with accounts replication.<br>
The idea is to do a silent authentication without joining the AD <br>
We did not need the double user/password credential, only the user
sent by the browser is required<br>
<br>
If the user has an Active Directory session then his account is
automatically sent without him having to take any action.<br>
If the user is in a workgroup then the account sent will not be in
the LDAP database and will be rejected.<br>
I don't need to argue about the security value of this method. It
saves us from setting up a gas factory to make a kind of HotSpot<br>
</font><br>
<div class="moz-cite-prefix">Le 11/02/2022 à 05:55, Dieter Bloms a
écrit :<br>
</div>
<blockquote type="cite"
cite="mid:20220211045539.3q4xzr6bqbunhaxc@bloms.de">
<pre class="moz-quote-pre" wrap="">Hello David,
for me it looks like you want to use kerberos authentication.
With kerberos authentication the user don't have to authenticate against
the proxy. The authentication is done in the background.
Mayb this link will help:
<a class="moz-txt-link-freetext" href="https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos">https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos</a>
On Thu, Feb 10, David Touzeau wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi
What we are looking for is to retrieve a "user" token without having to ask
anything from the user.
That's why we're looking at Active Directory credentials.
Once the user account is retrieved, a helper would be in charge of checking
if the user exists in the LDAP database.
This is to avoid any connection to an Active Directory
Maybe this is impossible
Le 10/02/2022 à 05:03, Amos Jeffries a écrit :
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 10/02/22 01:43, David Touzeau wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi
I would like to sponsor the improvement of ntlm_fake_auth to support
new protocols
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
ntlm_* helpers are specific to NTLM authentication. All LanManager (LM)
protocols should already be supported as well as currently possible.
NTLM is formally discontinued by MS and *very* inefficient.
NP: NTLMv2 with encryption does not *work* because that encryption step
requires secret keys the proxy is not able to know.
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">or go further produce a new negotiate_kerberos_auth_fake
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
With current Squid this helper only needs to produce an "OK" response
regardless of the input. The basic_auth_fake does that.
Amos
_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
</pre>
</blockquote>
<br>
</body>
</html>