[Freeipa-users] Squid negotiate auth and trust relationship

Loris Santamaria loris at lgs.com.ve
Tue Sep 23 15:54:41 UTC 2014


Hi, I'm setting up a squid proxy in an environment with a trust
relationship between IPA and AD.

The machine where squid is running belongs to the IPA domain, users may
belong to AD or to IPA and in each one of the domains there are groups
that define the level of internet access of their members.

For simplicity's sake, let's say that there is only one group in each
domain called "internet_access". Its members should be granted permission
by squid.

In IPA I created an external group called internet_access_ad, whose
member is internet_access at ad.domain.com, so if the user is a member of
internet_access in AD it should be a member of internet_access in IPA,
thanks to the trust relationship.

The authentication part works beautifully, IPA and AD users are
recognized by the squid proxy via negotiate auth, but the authorization
part is another story.

Since the remote user hasn't logged in via console or ssh on the server
where squid is running, SSSD ignores its group membership, so one can't
use squid's pam_group helper to determine if the user is in the
internet_access at ipa.domain.com group.

Trying to look up membership via ldap in the compat tree doesn't
really work (see my previous mail on the subject). Also, it won't work
when the realm name is in upper case, although this should be really
easy to solve in the squid helper.

For the time being I will resort to making two ldap queries, one on IPA
and one on AD, but it seems to me that the proper way to go would be to
decode the PAC and get authorization info from there, or have a way to
query SSSD for complete group membership of a user even if he or she
hasn't logged in on a server.

How could SSSD/IPA help to solve this fairly common need (querying
user membership from an app)?

-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
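The "two ldap queries" workaround described in the post, written out as an added example (this is not the poster's helper nor anything shipped by FreeIPA or squid). It is a squid external_acl_type helper that takes the Negotiate login as user@REALM, lower-cases the realm so that an upper-case realm selects the same directory, picks the IPA or the AD tree by realm, and checks membership of the "internet_access" group there. Realm names, base DNs and group DNs in DIRECTORIES are constructed placeholders; the real LDAP backend assumes python-ldap and a GSSAPI bind with the proxy host's keytab, and is imported lazily so the rest of the helper runs without it. The filter escaping is the part worth copying: the login string comes straight from the client, so it must not be able to rewrite the search filter.

```python
#!/usr/bin/env python3
"""
Squid external_acl_type helper that picks the IPA or AD directory from the
realm of a Negotiate login and checks "internet_access" membership there.
Added example (not the poster's code); realm names and DNs are constructed.
"""
import sys
from urllib.parse import unquote

# Constructed per-realm configuration. Keys are lower-case realms; the DNs
# are hypothetical placeholders and must be replaced with the real trees.
DIRECTORIES = {
    "ipa.domain.com": {
        "uri": "ldaps://ipa.domain.com",
        "base": "cn=users,cn=accounts,dc=ipa,dc=domain,dc=com",
        "user_attr": "uid",
        "group_dn": "cn=internet_access,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com",
    },
    "ad.domain.com": {
        "uri": "ldaps://ad.domain.com",
        "base": "cn=Users,dc=ad,dc=domain,dc=com",
        "user_attr": "sAMAccountName",
        "group_dn": "cn=internet_access,cn=Users,dc=ad,dc=domain,dc=com",
    },
}


def ldap_escape(value):
    """Escape a client-supplied value for an LDAP search filter (RFC 4515),
    so a login like 'x)(uid=*' cannot rewrite the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def split_principal(login):
    """Split 'user@REALM' into (user, realm). The realm is lower-cased so
    'alice@IPA.DOMAIN.COM' and 'alice@ipa.domain.com' select the same
    directory; returns None for logins without a realm."""
    user, sep, realm = login.rpartition("@")
    if not sep or not user or not realm:
        return None
    return user, realm.lower()


def membership_filter(directory, user):
    """Build the membership filter for one directory. group_dn is a trusted
    configuration constant; only the user part comes from the client."""
    return "(&(%s=%s)(memberOf=%s))" % (
        directory["user_attr"], ldap_escape(user), directory["group_dn"])


def authorize(login, search):
    """Decide one helper request. `search(directory, filter_string)` must
    return True when at least one entry matches in that directory."""
    parts = split_principal(login)
    if parts is None:
        return "ERR"          # no realm: cannot tell which tree to ask
    user, realm = parts
    directory = DIRECTORIES.get(realm)
    if directory is None:
        return "ERR"          # realm we have no trust/configuration for
    matched = search(directory, membership_filter(directory, user))
    return "OK" if matched else "ERR"


def ldap_search(directory, filter_string):
    """Real backend: python-ldap with a GSSAPI bind using the proxy host's
    keytab (assumed to be present). Imported here so the helper logic can
    be exercised without the library installed."""
    import ldap
    import ldap.sasl
    conn = ldap.initialize(directory["uri"])
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    result = conn.search_s(directory["base"], ldap.SCOPE_SUBTREE,
                           filter_string, ["dn"])
    return len(result) > 0


def main():
    # Squid sends one %LOGIN per line (URL-encoded on newer versions; unquote
    # is a no-op on a plain login) and expects "OK" or "ERR" back per line.
    for line in sys.stdin:
        login = unquote(line.strip())
        print(authorize(login, ldap_search), flush=True)


if __name__ == "__main__":
    main()
```

Wired into squid.conf with something like `external_acl_type internet %LOGIN /usr/local/bin/internet_acl.py`, `acl internet_users external internet` and `http_access allow internet_users`, the helper answers OK only when the login's realm is known and the user carries the configured memberOf value in that realm's tree. Note that memberOf does not reflect nested groups the same way in both directories, so check the result against a user who is only an indirect member of internet_access in each tree.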