Applied Users Forums

Hardware & Infrastructure => Open Source => Topic started by: Bloody Jack Kidd on September 10, 2010, 10:35:02 AM

Title: Squid + LDAP + Active Directory
Post by: Bloody Jack Kidd on September 10, 2010, 10:35:02 AM
Anyone done this (methinks I know who has)??
Title: Re: Squid + LDAP + Active Directory
Post by: Andrew Carrick on September 10, 2010, 11:41:41 AM
There was that time with the squid and the LAPD and the phone directory but I don't want to talk about it...
Title: Re: Squid + LDAP + Active Directory
Post by: Mark on September 14, 2010, 02:31:48 PM
Quote from: Rick Chisholm on September 10, 2010, 10:35:02 AM
any one done this (methinks I know who has)??


Yes, minus the ldap piece methinks.  In fact, I learned it all, then did it again recently through a utility of some sort and it was less complicated.

Just add the squid box to AD and use NTLM auth in your squid conf.  If that doesn't do the trick, there may be more to it and you are welcome to have my config files for a working reference if you'd like.

If you've already tried and did not succeed, make sure you have winbindd.

::edit::
Oh, and I don't think it works via transparent proxy.
Title: Re: Squid + LDAP + Active Directory
Post by: insurebaltimore on September 17, 2010, 10:52:03 AM
I'm having a "low voltage" day, so don't flame me for the following question:  Why would you want both? (LDAP and AD)
Title: Re: Squid + LDAP + Active Directory
Post by: Mark on September 18, 2010, 12:25:40 PM
Quote from: insurebaltimore on September 17, 2010, 10:52:03 AM
I'm having a "low voltage" day, so don't flame me for the following question:  Why would you want both? (LDAP and AD)

Low voltage here as well, but I think that it used to be common to use ldap instead of full AD integration.  Now, you can just add your *nix right to AD, no worries.
Title: Re: Squid + LDAP + Active Directory
Post by: insurebaltimore on September 20, 2010, 09:14:33 AM
Yeah, I guess if your stack o' *nix workstations are not AD integrated, then it would make sense to have dual authentication.

I know it's fairly simple to get Debian to join a domain.  I dunno about BSD.
Title: Re: Squid + LDAP + Active Directory
Post by: Bloody Jack Kidd on September 20, 2010, 09:26:30 AM
BSD is pretty much the same - just add Samba more or less...
Title: Re: Squid + LDAP + Active Directory
Post by: Bloody Jack Kidd on September 20, 2010, 11:56:48 AM
Now a couple roadblocks I am going to run into using NTLM_AUTH are:

1) the weak NTLM hash is a security concern
2) NTLM is somewhat deprecated, esp. with 2008 Server

I'm going to give it a whirl regardless and deal with the above after the fact.
Title: Re: Squid + LDAP + Active Directory
Post by: Joshua Hirsh on August 26, 2011, 02:30:20 PM
This message is a bit delayed.. but you started the thread before I signed up  :P

Definitely do-able, as I'm sure you've figured out by now. NTLM with Windows 2008 is still possible, but you have to force the server to be able to negotiate at NTLMv1 when required, or switch to something like Kerberos for authentication.

I opted for the former at the time and haven't had a chance to revisit it. Odds are you'll probably only run into issues depending on scale and the version you're using. Most commonly, you'll see some slow memory leaks in the ntlm_auth helper. I'm not sure what the ratio is, but I have a few thousand users hitting it constantly for an average of 1.5 million requests per day. After a few days, some of the ntlm_auth helpers are sitting around 700 MB of RAM each. Nothing a quick Squid restart won't fix, though.


Title: Re: Squid + LDAP + Active Directory
Post by: Jeff Zylstra on August 26, 2011, 02:39:08 PM
First of all, +1 for contributing right off the bat and second of all WELCOME!   We can always use new guinea pigs here in the labs.   ;)
Title: Re: Squid + LDAP + Active Directory
Post by: Bloody Jack Kidd on August 26, 2011, 03:46:12 PM
Thanks Joshua - yer gonna be handy to have around!

As it so happens, this project got back-burnered and I'm going to take another run at it soon.  Need to cobble an old server back together for the test bed and then we're off to the races.

Going to give BSD another shot, but if that fails, Ubuntu LTS or Centos are likely next up.
Title: Re: Squid + LDAP + Active Directory
Post by: Joshua Hirsh on August 26, 2011, 03:55:55 PM
My current server is running on CentOS 5 (in VM). Starting fresh from 6 would be a better option, though, as you would go from 2.6 to 3.1.4 (at the moment). In your case your version on BSD will probably be more up to date, so you may not see the same issues that I did. It could be largely due to load in my case too. On an average day this thing is sucking down a fairly constant 15 Mbps of web traffic alone.
Title: Re: Squid + LDAP + Active Directory
Post by: Bloody Jack Kidd on August 26, 2011, 04:15:27 PM
Currently the enterprise is spread across 4 proxies. I'd like to get that down to two with proper auth allowing for better permission control for who can get to what and when...

Title: Re: Squid + LDAP + Active Directory
Post by: Joshua Hirsh on August 26, 2011, 04:25:36 PM
Assigning different Squid ACLs to A.D. groups is definitely a plus. In theory adding something like Dansguardian into the mix for content level filtering is useful too, but I never had time to investigate that side of it.

For the most part I let the users surf where they want, but I parse out the access.log to look for obvious signs of abuse (porn for lunch?) and dump it into SQL for reporting.
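The access.log parsing and SQL reporting Joshua describes, written out as an added Python example; this is not code from the thread, from Squid, or from Joshua. It reads Squid's native log format (the ten space-separated fields Squid writes by default, with the ntlm_auth username in the eighth field), flags requests whose host matches a category pattern, and loads the rows into SQLite so the report is a query rather than a second pass over the file. The sample log lines, hostnames, usernames and the two category patterns are all constructed for illustration.

```python
"""Parse Squid native access.log lines, flag requests to hosts in a small
category list, and load everything into SQLite for reporting.

Added example for the thread above; not code from the forum or from Squid.
Hostnames, usernames and the category rules are constructed for illustration.
"""
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample of Squid native access.log lines. ntlm_auth puts the
# DOMAIN\user name in the 8th field; "-" together with a 407 is the NTLM
# challenge round-trip, not a failed login, so it must not be read as abuse.
SAMPLE_LOG = """\
1314383400.123    245 10.1.2.3 TCP_MISS/200 5123 GET http://news.example.com/story.html DOMAIN\\jdoe DIRECT/203.0.113.10 text/html
1314383401.456     12 10.1.2.3 TCP_HIT/200 812 GET http://news.example.com/logo.png DOMAIN\\jdoe NONE/- image/png
1314383402.789    330 10.1.2.7 TCP_MISS/200 91234 GET http://video.example.net/stream/clip.mp4 DOMAIN\\asmith DIRECT/203.0.113.20 video/mp4
1314383403.001    200 10.1.2.7 TCP_MISS/403 0 GET http://adult.example.org/index.html DOMAIN\\asmith DIRECT/203.0.113.30 text/html
1314383404.222     50 10.1.2.9 TCP_DENIED/407 1200 GET http://www.example.com/ - HIER_NONE/- text/html
1314383405.333    150 10.1.2.3 TCP_MISS/200 2048 CONNECT mail.example.com:443 DOMAIN\\jdoe DIRECT/203.0.113.40 -
"""

# Constructed category rules, matched against the request host only.
CATEGORY_RULES = {
    "adult": re.compile(r"(^|\.)adult\.example\.org$", re.IGNORECASE),
    "streaming": re.compile(r"(^|\.)video\.example\.net$", re.IGNORECASE),
}


def host_of(method, url):
    """Return the request host; CONNECT requests log host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlparse(url).hostname or "").lower()


def categorize(host):
    """Name of the first matching category, or None if the host is unlisted."""
    for name, pattern in CATEGORY_RULES.items():
        if pattern.search(host):
            return name
    return None


def parse_line(line):
    """Split one native-format line into a dict, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    ts, _elapsed, client, code_status, size, method, url, user, _hier, _mime = fields[:10]
    host = host_of(method, url)
    return {
        "ts": float(ts),
        "client": client,
        "username": user.split("\\")[-1].lower(),  # drop the DOMAIN\ prefix
        "status": int(code_status.split("/")[-1]),
        "bytes": int(size),
        "method": method,
        "host": host,
        "category": categorize(host),
    }


def load(lines):
    """Load parsed lines into an in-memory SQLite table for ad-hoc reporting."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE requests (ts REAL, client TEXT, username TEXT, status INTEGER,"
        " bytes INTEGER, method TEXT, host TEXT, category TEXT)"
    )
    rows = [r for r in map(parse_line, lines) if r is not None]
    conn.executemany(
        "INSERT INTO requests VALUES (:ts, :client, :username, :status, :bytes,"
        " :method, :host, :category)",
        rows,
    )
    conn.commit()
    return conn


def flagged_by_user(conn):
    """(user, category, hits) for flagged requests; a 403 still counts as an attempt."""
    return conn.execute(
        "SELECT username, category, COUNT(*) FROM requests"
        " WHERE category IS NOT NULL AND username != '-'"
        " GROUP BY username, category ORDER BY username, category"
    ).fetchall()


def totals_by_user(conn):
    """(user, requests, bytes) per user, authenticated or not."""
    return conn.execute(
        "SELECT username, COUNT(*), SUM(bytes) FROM requests"
        " GROUP BY username ORDER BY username"
    ).fetchall()


if __name__ == "__main__":
    conn = load(SAMPLE_LOG.splitlines())
    for row in flagged_by_user(conn):
        print("flagged", row)
    for row in totals_by_user(conn):
        print("total", row)
```

Two details matter when running this against a real log: the username is logged exactly as the auth helper returned it, so the `DOMAIN\` stripping is an assumption about ntlm_auth output and should be checked against the local log before trusting per-user totals, and denied requests (a 403 from an ACL, or SquidGuard's redirect) are kept on purpose, since a blocked attempt is still the signal being looked for.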
Title: Re: Squid + LDAP + Active Directory
Post by: Bloody Jack Kidd on August 26, 2011, 07:08:14 PM
Been using SquidGuard for URL content filtering for a while now - pretty happy with it.  For logging / review I use a combination of SARG and calamaris.  I've recently added a DNS sinkhole to the mix, waiting for corporate buy-in on that project.