"Joseph L. Casale" <[email protected]> wrote in message news:ca5a491e9defbe4cb777de97e21575e906bb0...@prato.activenetwerx.local...
Here is a short overview of what squid_kerb_ldap does.
1) A user authenticates with either NTLM (username will be NT-DOM\user)
or Kerberos (username will be u...@kerb-dom)
2) squid_kerb_ldap uses the -N flag to map NT-DOM to KERB-DOM for NTLM
authenticated users
3) Uses DNS SRV records to find the AD server for KERB-DOM
4) Uses the Kerberos keytab to authenticate an LDAP connection to AD
using SASL/GSSAPI.
5) Searches AD to check whether the user is a member of the group given by -s (the newer
squid_kerb_ldap version also has an -m option to allow recursive search,
e.g. checking whether a group is a member of another group ...)

Does this help?

Markus,
Sure does... So by creating a computer account in AD, I can avoid the LDAP
bind account I was using with the older squid_ldap_auth helper, great.


Correct, assuming the account has been created correctly (e.g. it has to have serviceprincipalname=HTTP/<fqdn> AND userprincipalname=HTTP/<fqdn>@KERB-DOM set)

Thanks!
jlc

Markus
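As an added illustration of two points in this thread (not code from squid_kerb_ldap or from either poster): the first function shows how a login name of either form maps to the Kerberos realm that gets searched, assuming the -N mapping is a plain NT-DOM to KERB-DOM table; the remaining functions check, from an ldapsearch-style LDIF dump, that the proxy's AD account carries the servicePrincipalName and userPrincipalName values Markus lists. The sample entry and the host/realm names are constructed.

```python
from typing import Dict, List, Optional

def realm_for_user(username: str, nt_to_kerb: Dict[str, str]) -> Optional[str]:
    """Kerberos realm the helper will search for this login name.
    NTLM logins arrive as NT-DOM\\user and need the -N mapping (assumed here
    to be a plain dict NT-DOM -> KERB-DOM); Kerberos logins arrive as
    user@KERB-DOM and already carry the realm."""
    if "\\" in username:
        return nt_to_kerb.get(username.split("\\", 1)[0].upper())
    if "@" in username:
        return username.rsplit("@", 1)[1].upper()
    return None  # neither form: no realm to search

def ldap_srv_name(realm: str) -> str:
    """DNS SRV name resolved to locate an AD domain controller for the realm."""
    return f"_ldap._tcp.{realm.lower()}"

def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF parser for the single-entry output of an ldapsearch."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def account_problems(attrs: Dict[str, List[str]], fqdn: str, realm: str) -> List[str]:
    """Missing SPN/UPN values on the proxy's account; AD compares them case-insensitively."""
    want_spn = f"HTTP/{fqdn}".lower()
    want_upn = f"HTTP/{fqdn}@{realm}".lower()
    have_spn = [v.lower() for v in attrs.get("servicePrincipalName", [])]
    have_upn = [v.lower() for v in attrs.get("userPrincipalName", [])]
    problems = []
    if want_spn not in have_spn:
        problems.append(f"servicePrincipalName missing {want_spn}")
    if want_upn not in have_upn:
        problems.append(f"userPrincipalName missing {want_upn}")
    return problems  # empty list means the account is usable by the helper

# Constructed sample entry (not real directory data).
GOOD_LDIF = """\
dn: CN=PROXY1,CN=Computers,DC=example,DC=com
servicePrincipalName: HOST/proxy1.example.com
servicePrincipalName: HTTP/proxy1.example.com
userPrincipalName: HTTP/proxy1.example.com@EXAMPLE.COM
"""
```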

