[squid-users] Re: Re: squid client authentication against AD computer account

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 15 Sep 2010 22:43:43 +0100

>"Manoj Rajkarnikar" <manoj.rajkarnikar_at_gmail.com> wrote in message
>news:AANLkTimRPZFwid0ehc0cBFchnDc7nV=-jStXTngMmXZp_at_mail.gmail.com...
>Thanks for the quick response, Markus.
>
>The reason I need to limit computer account and not user account is
>that people here move out to distant branches and the internet access
>policy is to allow to the position they hold, and thus the computer
>they will use.
>
>I've successfully set up the Kerberos authentication, but I don't see
>how squid will fetch the computer information from the client request and
>authorize it based on the group membership in AD. What I wish to
>accomplish is:
>
>1. create a security group in AD
>2. add computer accounts to this security group
>3. squid checks if the computer trying to access internet is member of
>this security group.
>4. if not, don't allow access to the internet, or request an AD user login
>that is allowed.
>
>I'm not sure if this is achievable.
>

I don't think this is possible with Kerberos as the ticket does not have
(usable) information about the client computer.

>Thanks for the help.
>Manoj
>
>On Wed, Sep 15, 2010 at 12:28 AM, Markus Moeller
><huaraz_at_moeller.plus.com> wrote:
>>
>> "Manoj Rajkarnikar" <manoj.rajkarnikar_at_gmail.com> wrote in message
>> news:AANLkTinGXTOwX+AysRVGoasEiqRS1qrMX2VYM8t5i3Aj_at_mail.gmail.com...
>>>
>>> Hi all.
>>>
>>> I've been trying to set up this squid box with authentication to an AD
>>> 2003 server. The need in our situation is to allow the workstation
>>> access to the internet and not the user, since the users are always
>>> moving from station to station. I've already set up Kerberos
>>> authentication successfully. I've searched through the list for
>>> anything related to authorizing computer accounts but found none..
>>>
>>
>> Why do you want to limit the computer and not the user? I assume the users
>> log in to the stations with their own credentials, so moving stations
>> should not be an issue, or?
>>
>>> I'm not very familiar with LDAP queries. Any help would be greatly
>>> appreciated. I'm trying to use squid_kerb_ldap for LDAP
>>> authorization...
>>>
>>>
>>
>> squid_kerb_ldap will connect to AD and determine if a user is a member of
>> an AD group. The connection to AD is authenticated using the Kerberos key
>> from the squid keytab file, and the AD server is found by using DNS SRV
>> records, which are usually defined in a Windows environment with AD.
>>
>>> Thank you very much for your help.
>>>
>>> Regards
>>> Manoj
>>>
>>
>>
>>
>
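An added squid.conf example of the user-group authorization Markus describes above (squid_kerb_auth for the Negotiate/Kerberos handshake, squid_kerb_ldap as an external ACL helper checking AD group membership). It is not taken from this thread or from the squid_kerb_ldap project; the realm EXAMPLE.COM, the proxy host proxy.example.com, the helper paths under /usr/lib/squid and the group name InternetUsers are assumptions to be replaced with site values. The helper receives the authenticated user principal (%LOGIN), which is why a group whose members are computer accounts cannot be matched this way.

```conf
# Added example, not from the original thread. Assumptions: realm EXAMPLE.COM,
# proxy host proxy.example.com, helper paths under /usr/lib/squid, AD group
# InternetUsers. Adjust all of these to the local environment.

# Negotiate/Kerberos authentication. The service principal must match the
# HTTP/ key present in the keytab that squid_kerb_auth reads (KRB5_KTNAME).
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Authorization: squid_kerb_ldap gets the authenticated principal (%LOGIN),
# binds to AD with the key from the squid keytab, locates a domain controller
# via the DNS SRV records and answers OK only if that user is a member of the
# named group. The lookup key is the user principal, not the workstation.
external_acl_type ad_group ttl=3600 negative_ttl=300 %LOGIN /usr/lib/squid/squid_kerb_ldap -g InternetUsers@EXAMPLE.COM

acl auth proxy_auth REQUIRED
acl internet_users external ad_group

# Force authentication first, then allow only members of the AD group.
http_access deny !auth
http_access allow internet_users
http_access deny all
```

The negative_ttl keeps a user who was just added to the group from being locked out for a full hour; the positive ttl bounds how long a removed user keeps access, so pick both against the site's expectation of how quickly group changes must take effect.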
Received on Wed Sep 15 2010 - 21:44:00 MDT

This archive was generated by hypermail 2.2.0 : Thu Sep 16 2010 - 12:00:03 MDT