Re: [Freeipa-users] Squid negotiate auth and trust relationship
On 09/23/2014 11:54 AM, Loris Santamaria wrote:

> Hi, I'm setting up a squid proxy in an environment with a trust relationship between IPA and AD. The machine where squid is running belongs to the IPA domain, users may belong to AD or to IPA, and in each one of the domains there are groups that define the level of internet access of their members. For simplicity's sake, let's say that there is only one group in each domain called "internet_access". Its members should be granted permission by squid. In IPA I created an external group called internet_access_ad, whose member is internet_acc...@ad.domain.com, so if the user is a member of internet_access in AD it should be a member of internet_access in IPA, thanks to the trust relationship.
>
> The authentication part works beautifully, IPA and AD users are recognized by the squid proxy via negotiate auth, but the authorization part is another story. Since the remote user hasn't logged in via console or ssh on the server where squid is running, SSSD ignores its group membership, so one can't use squid's pam_group helper to determine if the user is in the internet_acc...@ipa.domain.com group. Trying to look up membership via ldap in the compat tree doesn't really work (see my previous mail on the subject). Also, it won't work when the realm name is in upper case, although this should be really easy to solve in the squid helper.
>
> For the time being I will resort to making two ldap queries, one on IPA and one on AD, but it seems to me that the proper way to go would be to decode the PAC and get authorization info from there, or have a way to query SSSD for complete group membership of a user even if he or she hasn't logged in on a server. How could SSSD/IPA help to solve this fairly common need (querying user membership from an app)?

I think this is the issue that you are describing. Patches are on the list and targeting 4.1.x and 1.12.x

https://fedorahosted.org/freeipa/ticket/4031

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] Squid negotiate auth and trust relationship
Hi, I'm setting up a squid proxy in an environment with a trust relationship between IPA and AD. The machine where squid is running belongs to the IPA domain, users may belong to AD or to IPA, and in each one of the domains there are groups that define the level of internet access of their members. For simplicity's sake, let's say that there is only one group in each domain called "internet_access". Its members should be granted permission by squid. In IPA I created an external group called internet_access_ad, whose member is internet_acc...@ad.domain.com, so if the user is a member of internet_access in AD it should be a member of internet_access in IPA, thanks to the trust relationship.

The authentication part works beautifully, IPA and AD users are recognized by the squid proxy via negotiate auth, but the authorization part is another story. Since the remote user hasn't logged in via console or ssh on the server where squid is running, SSSD ignores its group membership, so one can't use squid's pam_group helper to determine if the user is in the internet_acc...@ipa.domain.com group. Trying to look up membership via ldap in the compat tree doesn't really work (see my previous mail on the subject). Also, it won't work when the realm name is in upper case, although this should be really easy to solve in the squid helper.

For the time being I will resort to making two ldap queries, one on IPA and one on AD, but it seems to me that the proper way to go would be to decode the PAC and get authorization info from there, or have a way to query SSSD for complete group membership of a user even if he or she hasn't logged in on a server. How could SSSD/IPA help to solve this fairly common need (querying user membership from an app)?
-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.   http://www.lgs.com.ve
Tel: 0286 952.06.87   Cel: 0414 095.00.10   sip:1...@lgs.com.ve
"If I'd asked my customers what they wanted, they'd have said a faster horse" - Henry Ford
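Loris's interim approach (route each Negotiate principal to the directory named by its realm, check the group there, and do not trip over an upper-case realm) sketched as a Squid external_acl helper. This is an added example, not code from the thread or from the FreeIPA or Squid projects; the realm names and the in-memory directory standing in for the two LDAP servers are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: authorize a Negotiate-authenticated user by
group membership in the directory (IPA or AD) named by the Kerberos realm.
Squid sends one line per request (the %LOGIN value, e.g. alice@IPA.DOMAIN.COM,
possibly URL-encoded) and expects a line starting with OK or ERR in return."""
import sys
from urllib.parse import unquote

# Assumed realm-to-directory routing; the domain names are placeholders.
# Keys are lower-case so the upper-case realm Squid hands over still matches.
REALMS = {"ipa.domain.com": "ipa", "ad.domain.com": "ad"}
REQUIRED_GROUP = "internet_access"

# Constructed stand-in for the two directories, keyed by (directory, user).
# A real helper would run an LDAP search here (memberOf on the IPA user entry,
# memberOf on the AD user entry) and return the group names it finds.
FAKE_DIRECTORY = {
    ("ipa", "alice"): {"internet_access", "ipausers"},
    ("ad", "bob"): {"internet_access", "domain users"},
    ("ad", "carol"): {"domain users"},
}

def split_principal(login):
    """Return (user, realm) with the realm lower-cased, or None if malformed."""
    login = unquote(login.strip())
    user, sep, realm = login.partition("@")
    if not sep or not user or not realm or "@" in realm:
        return None
    return user, realm.lower()

def lookup_groups(directory, user):
    """Group names of `user` in `directory`; empty set if unknown (fail closed)."""
    return FAKE_DIRECTORY.get((directory, user), set())

def authorize(login, lookup=lookup_groups):
    """Map one Squid request line to an OK/ERR answer."""
    parsed = split_principal(login)
    if parsed is None:
        return "ERR message=malformed%20principal"
    user, realm = parsed
    directory = REALMS.get(realm)
    if directory is None:          # a realm we do not trust: deny, never guess
        return "ERR message=unknown%20realm"
    return "OK" if REQUIRED_GROUP in lookup(directory, user) else "ERR"

if __name__ == "__main__":
    for line in sys.stdin:         # Squid keeps the helper alive; one line per query
        sys.stdout.write(authorize(line) + "\n")
        sys.stdout.flush()
```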