[squid-users] SSO (ldap kerberos)

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 13 15:54:48 UTC 2016


On 14/09/2016 3:34 a.m., erdosain9 wrote:
> Hi.
> Thanks.
> With "take" I mean... to control which group a user belongs to. So I can apply
> ACLs, etc. to those groups.
> 
> Like this in ldap
> 
> # Active Directory
> auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "cn=Users,dc=example,dc=lan" -D squid@example.lan -w 123456 -f sAMAccountName=%s -v 3 -s sub -h 192.168.1.109
> auth_param basic children 10
> auth_param basic realm SQUID
> auth_param basic credentialsttl 2 hour
> 
> external_acl_type grupos ttl=360 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -d -R -b "dc=example,dc=lan" -D squid@example.lan -w 123456 -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=grupos,dc=example,dc=lan))" -h 192.168.1.109
> 
> 
> acl ifull  external grupos ifull
> acl icontrol external grupos icontrol
> 
> But in this way the web browser asks for a user... and I want to automatically
> take the user that is logged on to the PC.

That is a problem between the browser and the OS. Squid and its helpers
only verify what the browser sends them.

There is nothing Squid can do except offer various authentication
schemes in the hope that the browser can get credentials for one of
those schemes from the OS.

Amos
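
An added squid.conf sketch, not part of the original thread and not configuration posted by either participant: it offers Negotiate/Kerberos ahead of Basic so a domain-joined browser can answer with the logged-on user's ticket, and reuses the LDAP group helper from the quoted config with the bind password moved to a file and the directory reached over LDAPS. The names proxy.example.lan, dc1.example.lan and /etc/squid/ldap.secret, and the closing http_access lines, are assumptions.

```conf
# Added example (not from the thread). Assumed names: proxy.example.lan,
# dc1.example.lan, /etc/squid/ldap.secret.

# Schemes are offered to the browser in the order they are configured.
# Negotiate first: the browser obtains a ticket for the proxy's service
# principal from the OS and sends it without prompting the user.
# The helper reads the proxy's key from the system keytab (or KRB5_KTNAME).
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/proxy.example.lan@EXAMPLE.LAN
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Basic second, for clients that cannot do Negotiate. Basic sends the
# password with every request, so the helper talks LDAPS (-H) and takes
# the bind password from a root-owned file (-W) instead of "-w" on the
# command line, where it is visible in the process list.
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "cn=Users,dc=example,dc=lan" -D squid@example.lan -W /etc/squid/ldap.secret -f sAMAccountName=%s -v 3 -s sub -H ldaps://dc1.example.lan
auth_param basic children 10
auth_param basic realm SQUID
auth_param basic credentialsttl 2 hour

# Group lookup as in the quoted config. With Kerberos, %LOGIN arrives as
# user@REALM; -K strips the realm so the sAMAccountName=%v filter matches.
external_acl_type grupos ttl=360 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R -K -b "dc=example,dc=lan" -D squid@example.lan -W /etc/squid/ldap.secret -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=grupos,dc=example,dc=lan))" -H ldaps://dc1.example.lan

acl ifull external grupos ifull
acl icontrol external grupos icontrol

# Illustrative policy only (assumption): members of "ifull" are allowed,
# everything else is denied.
http_access allow ifull
http_access deny all
```

Whether the prompt disappears still depends on the client side: the browser must reach the proxy by the host name in the service principal and be permitted to use integrated authentication with it.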


