[Freeipa-users] Squid negotiate auth and trust relationship

Dmitri Pal dpal at redhat.com
Wed Sep 24 01:24:40 UTC 2014


On 09/23/2014 11:54 AM, Loris Santamaria wrote:
> Hi, I'm setting up a squid proxy in a environment with a trust
> relationship between IPA and AD.
>
> The machine where squid is running belongs to the IPA domain, users may
> belong to AD or to IPA and in each one of the domains there are groups
> that define the level of internet access of their members.
>
> For simplicity's sake, let's say that there is only one group in each
> domain called "internet_access". Its member should be granted permission
> by squid.
>
> In IPA I created an external group called internet_access_ad, whose
> member is internet_access at ad.domain.com, so if the user is a member of
> internet_access in AD it should be a member of internet_access in IPA,
> thanks to the trust relationship.
>
> The authentication part works beautifully, IPA and AD users are
> recognized by the squid proxy via negotiate auth, but the authorization
> part is another story.
>
> Since the remote user hasn't logged in via console or ssh on the server
> where squid is running, SSSD ignores its group membership, so one can't
> use squid's pam_group helper to determine if the user is in the
> internet_access at ipa.domain.com group.
>
> Trying to look up membership via ldap in the compat tree doesn't
> really work (see my previous mail on the subject). Also, it won't work
> when the realm name is in upper case, although this should be really
> easy to solve in the squid helper.
>
> For the time being I will resort to making two ldap queries, one on IPA
> and one on AD, but it seems to me that the proper way to go would be to
> decode the PAC and get authorization info from there, or have a way to
> query SSSD for complete group membership of a user even if he or she
> hasn't logged in on a server.
>
> How could SSSD/IPA help to solve this fairly common need (querying
> user membership from an app)?
I think this is the issue that you are describing.
Patches are on the list and targeting 4.1.x and 1.12.x
https://fedorahosted.org/freeipa/ticket/4031


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
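The interim approach described in the question (a squid helper that checks membership per domain, and that copes with the upper-case realm returned by Negotiate auth) can be sketched as a squid external_acl_type helper. The following is an added example, not code from the thread or from the FreeIPA project: the realm-to-directory mapping, the group name and the in-memory membership tables are constructed stand-ins for the two LDAP queries (IPA and AD) a real helper would issue.

```python
"""Squid external ACL helper sketch: decide whether an authenticated
Negotiate principal ("user@REALM") belongs to the internet_access group
of its own domain.  Squid's external ACL protocol is one request per
line on stdin ("<channel-id> <user>" when concurrency= is set, else
just "<user>") and one "OK" or "ERR" reply per line on stdout.

The directory lookups are replaced by constructed in-memory tables so the
helper runs offline; swap default_lookup() for real LDAP queries.
"""
import sys

# Assumed mapping of Kerberos realm (lower-cased) to the directory that
# holds the user's group memberships.  Constructed for this example.
REALMS = {
    "ipa.domain.com": "ipa",
    "ad.domain.com": "ad",
}
GROUP = "internet_access"

# Constructed stand-in for the two directories: directory -> group -> members.
DIRECTORIES = {
    "ipa": {"internet_access": {"alice", "bob"}},
    "ad": {"internet_access": {"carol"}},
}


def normalize_principal(principal):
    """Split 'user@REALM' into (user, realm), lower-casing both.

    Negotiate auth hands squid the Kerberos principal with the realm in
    upper case, while DNS domain names and directory entries are matched
    case-insensitively, so the realm is folded before any lookup.
    """
    if "@" not in principal:
        return None
    user, realm = principal.rsplit("@", 1)
    if not user or not realm:
        return None
    return user.lower(), realm.lower()


def default_lookup(directory, group, user):
    """Constructed membership check standing in for an LDAP query."""
    return user in DIRECTORIES.get(directory, {}).get(group, set())


def is_member(principal, lookup=default_lookup):
    """True if the principal is a member of GROUP in its own domain.

    An unknown realm or a malformed principal is a deny, never a grant.
    """
    parsed = normalize_principal(principal)
    if parsed is None:
        return False
    user, realm = parsed
    directory = REALMS.get(realm)
    if directory is None:
        return False
    return lookup(directory, GROUP, user)


def handle_line(line):
    """Turn one squid request line into the reply squid expects.

    With concurrency enabled the line starts with a numeric channel id
    that must be echoed back in front of the verdict.
    """
    parts = line.strip().split()
    if not parts:
        return "ERR"
    channel = None
    if len(parts) >= 2 and parts[0].isdigit():
        channel, parts = parts[0], parts[1:]
    verdict = "OK" if is_member(parts[0]) else "ERR"
    return f"{channel} {verdict}" if channel is not None else verdict


if __name__ == "__main__":
    # Squid keeps the helper running and sends one request per line.
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()
```

Squid would run this via `external_acl_type` with `%LOGIN` as the format token and an `acl ... external` line referencing it; the deny-by-default branches (unknown realm, malformed principal, user absent from the group) are what keep a lookup failure from turning into access.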
