SSO with AD, Kerberos and squid ???

Matthew Smith matt at forsetti.com
Wed Apr 30 08:14:50 EDT 2003


greg wrote:
> Hi all
> 
> This is the situation : In a network with win2000 servers, users on
> win2000 machines access internet through a squid proxy. Active
> directory or openldap, depends on the solution of the current problem,
> is going to be set up. I'd like squid to permit access to internet
> only to users who are allowed to (kind of craziness, no?!?),
> permissions being declared in openldap or AD.
> 
> This can be done with squid_auth_ldap module, but this requires a
> password each time a user wants to access internet and I don't want
> password anymore!
> 
> So is there a solution for that? I imagine the solution would be
> Active Directory + Kerberos, like in sso mechanism, but is there a
> kerberos support for squid?
> Maybe I'm on a wrong way?
> 
> If any suggestion...
> 
> --greg

   Although Internet Explorer (5.x and higher, I think) is "Kerberized", 
I think you'll have a hard time finding any proxy server that is also 
kerberized (unless maybe MS Proxy?).  On top of that, I don't know of 
any other kerberized browsers, so all of your users would have to be 
using IE.

   Sort of chicken and egg -- nobody is writing kerberized browsers, 
'cuz there aren't any kerberized web servers (except IIS), but no one is 
writing kerberized web servers, 'cuz there aren't any kerberized 
browsers.....

Although, I may be wrong -- if anyone knows of up and coming kerberos 
additions to mozilla or "kerberizing" mods for apache (not mod_krb5), 
I'd be interested in hearing about it too.

-Matt


