0

I configured Squid to use Kerberos authentication, but when I try to use the proxy with a browser I don't get a popup in the browser asking for user and password - just access denied because of no authentication. Is it possible to configure "negotiate_kerberos_auth" to work that way?

user3069488

4 Answers

0

If anyone is interested in how the "ldap auth" works, search for basic_ldap_auth, the LDAP authentication helper for Squid (see the man page).

Basically, you need to add something like this to squid.conf:

auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "cn=users,cn=accounts,dc=example,dc=com" -D "uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com" -W /etc/squid/ldap_password -f "(&(objectClass=person)(uid=%s))" -H ldap://ldap_server.example.com:389

See the Red Hat docs for more info.

nnsense
0

No, Kerberos won't fall back to a prompt. NTLM will. Or Negotiate, if you let it do NTLM. Surely the idea is to not have a prompt at all though if you're using Kerberos?

Tom Newton
  • I want to authenticate remote proxy users in Kerberos (FreeIPA); the users don't have a Kerberos client installed locally. I thought that it would work the same as NTLM and Squid would just check whether they can be authenticated in the Kerberos DB, like NTLM checks in the passwd file. – user3069488 Nov 20 '15 at 21:11
0

If your Squid just does Kerberos, then this is normal behaviour. You could configure another ACL to do LDAP authentication if Kerberos fails, but due to the limitations of the way proxy authentication works it will be plain text.

natxo asenjo
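A combined setup along the lines the answer above suggests, as an added example that is not from the original posts: Negotiate/Kerberos is listed first and Basic over LDAP is the fallback that produces the browser prompt. The service principal, realm, helper counts and the `ldaps://` URI are assumptions (the other LDAP options are copied from the `basic_ldap_auth` line in the first answer), and the Kerberos helper needs a keytab for that principal that the Squid user can read.

```conf
# squid.conf fragment (added example; hostnames, realm and counts are placeholders)

# 1. Negotiate is listed first: a client that already holds a Kerberos
#    ticket authenticates silently, with no prompt.
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# 2. Basic is listed second: a client without a ticket can answer this
#    challenge instead, which is what makes the browser show a
#    username/password prompt. The password is only base64-encoded on the
#    browser-to-proxy connection, not encrypted.
#    -W reads the bind password from a file; restrict it to the squid user.
#    ldaps:// (assumed available on the directory server) protects the
#    proxy-to-LDAP leg only.
auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "cn=users,cn=accounts,dc=example,dc=com" -D "uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com" -W /etc/squid/ldap_password -f "(&(objectClass=person)(uid=%s))" -H ldaps://ldap_server.example.com:636
auth_param basic children 5
auth_param basic realm Proxy login
auth_param basic credentialsttl 2 hours

# 3. Require a successful login through either scheme; deny everything else.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```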
0

I solved my problem by using LDAP authentication instead of Kerberos. Now I have a pop-up window in my browser and I'm authenticating with the same login passwords which I have in my Kerberos/LDAP (FreeIPA) configuration.

user3069488