The NTLM auth helper only tags users as authorized if they are member of a AD group. The Kerberos auth helper tags a user as authorized, if he was able to log in, the group check can't be done by the Kerberos helper, so i need a external ACL programm, which checks over LDAP if this user is allowed to use squid.
I have to allow only users authorized via NTLM directly, Kerberos authorized users are allowed after the external LDAP check was successfull.
Kerberos users are displayed as sAMAccountName@REALM, e.g. "user@COMPANY.LOCAL"
NTLM users are displayed as sAMAccountName, e.g. "user"
I have this ACLs:
# External ACL helper returns OK (User is in given LDAP group)
acl ldap_group_check external squid_kerb_ldap
# Username contains character '@'
acl kerberos_without_ldap_auth proxy_auth_regex (@)
And this Rules:
# Default: Kerberos + LDAP group check
http_access allow ldap_group_check
# Fallback: NTLM
http_access allow !kerberos_without_ldap_auth
Here my question: what does the rule
http_access allow !kerberos_without_ldap_auth
mean? Do I have a security Problem in my configuration?
Does is mean "All users except users with '@' in their username" => bad thing, because then not authenticated users would be allowed too
or "All authenticated users except users with '@' in their username"? => goot thing, because then only NTLM users would be allowed (Successfull Kerberos AND LDAP users are allowed already from the first rule, because of squids "first match wins")
