Re: [squid-users] Problems with ldap user authentication on a Win2k3 server using squid_ldap_auth module

From: Guido Serassio <guido.serassio@dont-contact.us>
Date: Sat, 22 Apr 2006 21:54:23 +0200

Hi,

At 20.46 22/04/2006, Leonardo Rodrigues wrote:

>Big thanks for the quick reply Henrik :)
>
>Today I tried again with some different options on the windows 2003
>side, and found out that I *have* to put the hostname of the w2k3
>server on the list of computers that the account is allowed to log in.
>That solved the problem described on the earlier email.
>
>BUT, that opens a security breach on my system :(
>If the user is granted access to my w2k3 server, he has the rights to
>log in, but gpo policies would still apply and save my day. I think I
>can live with that, by enforcing even more restrictions on the users
>account policies.
>
>So, on the user's account list of allowed machines to log in, I'll
>have to enter the hostname of the w2k3 server, AND the hostname of the
>squid server. And of course, I'll have to put the hostnames of the
>machine the user will be physically allowed to use :)
>
>In brief, without the squid server hostname, the user couldn't access
>the squid cache. And with it, but without the 2k3 hostname, the user
>could access the cache, but if he typed the wrong password, the
>account would be blocked. Now with both hostnames, the user logs fine,
>and the account doesn't get blocked if he types a wrong password. The
>user just needs to type it again right.
>
>That's quite a strange behaviour, isn't it?

I think not.

For me the strange thing is that something works without the 2k3
hostname in the list of computers that the account is allowed to log in to:

When using LDAP basic authentication against Active Directory, the
user login always happens on the Windows machine where the credentials
are verified. In your config this happens on the 2k3 LDAP server.
When using NTLM (with Negotiate support) or Kerberos, the user login
happens on the user's computer.

Maybe, when the password is correct, some sort of credential
caching is used, without checking the allowed workstations. But I
think that this could be a Windows bug.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Sat Apr 22 2006 - 13:54:33 MDT

This archive was generated by hypermail pre-2.1.9 : Mon May 01 2006 - 12:00:02 MDT
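The thread above turns on the fact that a squid_ldap_auth simple bind is a logon on the domain controller, so AD's per-account "Log On To" workstation list and lockout policy apply to the Squid host. The example below is added here and is not from the thread nor from Squid's own squid_ldap_auth helper: it is a minimal Squid basic-auth helper loop that classifies a failed AD simple bind by the well-known "data NNN" subcode in the server's diagnostic message, so the administrator can tell "not permitted at this workstation" (531) apart from "wrong password" (52e) and "locked out" (775). The bind itself is injected as a function; `demo_bind` and its user table are a constructed stand-in for a directory, the diagnostic strings are constructed samples in AD's usual format, and the "ERR message=..." reply form is an assumption (it is the Squid 3.x helper reply; older Squid only reads the leading ERR).

```python
import re
import sys

# Well-known Active Directory subcodes reported as "data NNN" in the diagnostic
# message of a failed simple bind (AcceptSecurityContext error).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_ad_bind_error(diagnostic):
    """Map an AD bind diagnostic string to a human-readable failure reason."""
    m = _DATA_RE.search(diagnostic or "")
    if not m:
        return "bind failed (no AD subcode in diagnostic message)"
    code = m.group(1).lower()
    return AD_BIND_SUBCODES.get(code, "bind failed (unrecognised AD subcode %s)" % code)


def helper_response(line, bind):
    """Handle one basic-auth helper request line ("user password").

    `bind(user, password)` returns None on success or the server's diagnostic
    string on failure. Returns the reply line: "OK" or "ERR message=<reason>".
    """
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR message=malformed request"
    user, password = parts
    # Security check: an LDAP simple bind with an empty password is an
    # anonymous bind and succeeds on most servers, so never forward one.
    if password == "":
        return "ERR message=empty password rejected (would be an anonymous bind)"
    diagnostic = bind(user, password)
    if diagnostic is None:
        return "OK"
    return "ERR message=" + classify_ad_bind_error(diagnostic)


def run_helper(inp, out, bind):
    """Squid helper main loop: one request line in, one reply line out."""
    for line in inp:
        out.write(helper_response(line, bind) + "\n")
        out.flush()


# Constructed stand-in for a directory (hypothetical users, not a real AD).
_DEMO_USERS = {"alice": "s3cret", "bob": "hunter2", "carol": "pa55word"}
_DIAG = "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data %s, v893"


def demo_bind(user, password):
    if _DEMO_USERS.get(user) != password:
        return _DIAG % "52e"          # wrong password or unknown user
    if user == "bob":
        return _DIAG % "531"          # correct password, but this host is not in bob's "Log On To" list
    if user == "carol":
        return _DIAG % "775"          # correct password, but the account is locked out
    return None                       # success


if __name__ == "__main__":
    run_helper(sys.stdin, sys.stdout, demo_bind)
```

Run it as `basic_ldap_auth`-style helper input on stdin: `alice s3cret` yields `OK`, while `bob hunter2` yields `ERR message=not permitted to log on at this workstation`, which is the symptom Leonardo describes before adding the Squid host to the account's allowed workstations. With a real directory, replace `demo_bind` with a function that performs the simple bind and returns the server's diagnostic message on failure.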