Step 7. Enable Basic LDAP authentication on Squid

If the browser does not support Kerberos or NTLM authentication, it is possible to set up Basic authentication against the LDAP interface of Active Directory. Be aware that in this case the username and password are sent from the browser to Squid in clear text (Base64-encoded, not encrypted), so anyone able to sniff the browser-to-proxy path can read them; use this only on a trusted network segment. Authentication is done by (re)binding to the LDAP server with the supplied credentials and performing a search. If the bind succeeds, the user is considered authenticated.

To enable Basic LDAP authentication on your proxy box, navigate to UI / Squid / Auth / Active Directory and select the Basic LDAP Authenticator tab. Check Enable on the following screen and then click Save Changes. The domain controllers to connect to are taken from the Domain Information page described in the previous Step 4. Link to Active Directory domain.

../../../_images/ldap_enable2.png
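To make the bind-and-search flow described above concrete, here is an added example of a Squid Basic authentication helper written in Python. It is not code from this page or from the product; it is a hypothetical stand-in for the LDAP helper that reads "user password" lines on stdin and answers OK or ERR. The directory access is behind a tiny interface so the script can be exercised offline with a constructed in-memory directory (the example.lan entries, the service account and the passwords are all made up); a real deployment would replace FakeDirectory with python-ldap or ldap3 calls against the domain controllers. It also shows two details a practitioner wants in such a helper: escaping the username before it is substituted into the LDAP search filter, and refusing empty passwords (an LDAP bind with a DN and an empty password is treated as anonymous and would otherwise "succeed").

```python
"""Hypothetical Squid basic-auth helper (added example, not the product's code).

Flow: bind with a service account, search for the user's DN by sAMAccountName,
then rebind as that DN with the password the browser supplied.
"""
import sys
from typing import Optional, Tuple
from urllib.parse import unquote

BASE_DN = "dc=example,dc=lan"  # assumed domain, matching example.lan on this page
FILTER_TEMPLATE = "(&(objectClass=user)(sAMAccountName={}))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot change the filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def parse_helper_line(line: str) -> Optional[Tuple[str, str]]:
    """Squid sends 'user password', each %XX-encoded. None on malformed input."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return None
    return unquote(parts[0]), unquote(parts[1])


def authenticate(directory, svc_dn: str, svc_pw: str, user: str, password: str) -> bool:
    """Service-account bind, search for the DN, rebind as the user."""
    if not password:                      # empty password == anonymous bind, never accept
        return False
    if not directory.bind(svc_dn, svc_pw):
        return False
    dn = directory.search(BASE_DN, FILTER_TEMPLATE.format(escape_filter_value(user)))
    if dn is None:                        # no such sAMAccountName (e.g. a UPN was typed)
        return False
    return directory.bind(dn, password)


class FakeDirectory:
    """Constructed in-memory stand-in for AD; entries are (dn, sAMAccountName, password)."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, base: str, flt: str) -> Optional[str]:
        # Only the exact filter shape this helper builds is understood; the value
        # arrives escaped, so '*' or ')' in a username can never match as a wildcard.
        prefix = "(&(objectClass=user)(sAMAccountName="
        if not flt.startswith(prefix) or not flt.endswith("))"):
            return None
        name = flt[len(prefix):-2]
        for dn, sam, _ in self.entries:
            if sam.lower() == name.lower() and dn.lower().endswith(base.lower()):
                return dn
        return None

    def bind(self, dn: str, password: str) -> bool:
        return any(d.lower() == dn.lower() and p == password for d, _, p in self.entries)


# Constructed sample data; nothing here comes from a real domain.
SVC_DN = "CN=squid,CN=Users,DC=example,DC=lan"
SVC_PW = "svc-secret"
DIRECTORY = FakeDirectory([
    (SVC_DN, "squid", SVC_PW),
    ("CN=John Rambo,CN=Users,DC=example,DC=lan", "john.rambo", "Pa55w0rd"),
])


def check(line: str) -> str:
    """One helper request in, one helper reply out ('OK' or 'ERR')."""
    creds = parse_helper_line(line)
    if creds is None:
        return "ERR"
    return "OK" if authenticate(DIRECTORY, SVC_DN, SVC_PW, *creds) else "ERR"


def main() -> None:
    for line in sys.stdin:
        print(check(line), flush=True)   # Squid reads one reply line per request


if __name__ == "__main__":
    main()
```

Run it as `printf 'john.rambo Pa55w0rd\n' | python3 helper.py` to see OK, and note that `john.rambo@example.lan` yields ERR because the filter matches sAMAccountName only, which is exactly the behaviour the Note below warns about. The helper assumes Squid's default single-request-per-line protocol (no `concurrency=` channel prefix).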

Note

When Basic authentication is used you MUST enter the logon name (sAMAccountName) as your username in the proxy authentication pop-up box. For example, if your user principal name is john.rambo@example.lan, enter only john.rambo in the pop-up.

../../../_images/auth_box2.png

Danger

Basic LDAP authentication only works for browser-initiated authentication; system-initiated authentication will not work. For example, HTTPS certificate revocation checks in Internet Explorer, which are performed by the Windows Crypto API rather than by the browser itself, will fail, as described in the article Basic LDAP with Crypto API and Internet Explorer.