Re: [squid-users] transparent proxy with Active Directory Login

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 14 May 2009 13:11:34 +1200 (NZST)

> OK I got transparent proxy working and I have Active Directory logging
> working (the Active Directory documents need a little work, I'll see if
> I can find time to update them. I have it working with CentOS 5.2 with
> setting the proxy in the web browser)
> However I was hoping that when I take the proxy option out of the web
> browser that it would still use the Active Directory login info. (I
> get the default access denied option) Is there a way to get it to use
> the automatic ntlm authentication info with a transparent proxy?

No.

> or
> even a way for them to login?

Users no. Machines yes. (see below)

> Or do I need to create a group policy
> and/or tell users how to setup a proxy in all the users computers for
> IE and firefox?

That is preferable.

> It is no secret it just seems like a pain in the ass
> going around setting it up. And you all know how it is dealing with
> users.
>

The problem is that browsers have security that prevents them from sending
private login credentials to random machines on the network. Understand
why?

When in transparent mode the proxy _is_ a malicious hijacker. Transparent
interception is called a man-in-the-middle attack by security people. The
browser is behaving properly and Squid has no way of receiving the user's
credentials from it.

What can be done is to glean some details such as machine IP and do some
local not-quite-auth testing on it to see who is logged in and get their
username back (NP: not password). AD may be able to map IP to current
user. This has to be done in the background with an external_acl_type
helper. It's called out-of-band authorization.

Amos
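As an added illustration of the out-of-band authorization Amos describes (this is not code from the thread or from the Squid project), the following is a minimal external_acl_type helper. Squid hands the helper one request line per lookup on stdin (here just the client address, via %SRC) and expects one response line on stdout: "OK" optionally followed by key=value pairs such as user=, or "ERR". The IP-to-user table below is constructed for the example; a real deployment would replace it with whatever maps an address to the account currently logged on (an AD logon-event query, for instance), which is the part Amos says "may be able to" work and is assumed here. The squid.conf lines in the docstring, the acl name and the helper path are likewise assumptions for this example.

```python
#!/usr/bin/env python3
"""Example Squid external_acl_type helper: client IP -> username.

Constructed example, not from the squid-users thread or the Squid sources.
Protocol (one request per line, one response per line, no concurrency=):
    request:  <client IP>          (squid.conf format string is %SRC)
    response: OK user=<name>       ACL matches; user= sets the name in access.log
              ERR                  ACL does not match

Assumed squid.conf fragment (acl name and helper path are this example's):
    external_acl_type ip_user ttl=60 negative_ttl=10 %SRC /usr/local/bin/ip_user.py
    acl known_user external ip_user
    http_access allow known_user
    http_access deny all
"""
import ipaddress
import re
import sys

# Constructed stand-in for a directory/logon-event lookup. It yields a
# username only, never a password: this is authorization by address, not
# authentication, exactly the "not-quite-auth" the reply describes.
LOGGED_ON = {
    "192.0.2.10": "jdoe",
    "192.0.2.11": "asmith",
}

# user= values are written back to Squid unquoted, so refuse anything that
# could be misread as another key or break the response line.
SAFE_USER = re.compile(r"^[A-Za-z0-9._@\\-]+$")


def lookup_user(ip, table=None):
    """Return the account logged on at ip, or None for unknown/malformed input."""
    table = LOGGED_ON if table is None else table
    try:
        addr = ipaddress.ip_address(ip)   # rejects garbage before any lookup
    except ValueError:
        return None
    return table.get(str(addr))


def handle_request(line, table=None):
    """Turn one request line from Squid into one response line (no newline)."""
    fields = line.strip().split()
    if not fields:
        return "ERR"                      # empty/malformed: never grant by accident
    user = lookup_user(fields[0], table)
    if user is None or not SAFE_USER.match(user):
        return "ERR"
    return "OK user=" + user


def main():
    # Squid keeps the helper running; answer each line and flush so Squid
    # is not left waiting on a buffered response.
    for line in sys.stdin:
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Two caveats follow directly from the reply: the mapping is only as trustworthy as the source of the IP-to-user table (a NAT gateway, shared workstation or spoofed address breaks the assumption that one address means one user), and the negative_ttl/ttl values bound how long a stale mapping keeps granting or denying access after someone logs off or on.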
Received on Thu May 14 2009 - 01:11:46 MDT

This archive was generated by hypermail 2.2.0 : Sat May 16 2009 - 12:00:02 MDT