Re: [SQU] help with ntlm authentication needed

From: Dr. Michael Weller <eowmob@dont-contact.us>
Date: Thu, 2 Nov 2000 14:03:02 +0100 (MEZ)

On Thu, 2 Nov 2000, Jakob Curdes wrote:

> I want to set up squid so that the user name is gathered from the nt domain controller.
> I managed to get the ntlm authentication working. Now the second point is that I want to
> restrict proxy access to certain users or a certain group. How can I achieve this ?

I understand your NTLM authentication basically works. To restrict
certain users for different things, you can just have different acls,
like:

acl password proxy_auth REQUIRED ## Anyone with a valid account

acl SPECIAL proxy_auth domain\admin domain\boss ## Those two users

You might give the user list in a separate file for readability with the
standard "<filename>" acl syntax.

Now things like:

http_access deny CONNECT !SPECIAL
http_access allow password
http_access deny all

are possible provided CONNECT and all are valid / the default acl
definitions.

AFAIK, you cannot do any special filtering based on Windows groups. NTLM
authentication does not provide this info.

> The problem is that as squid matches the first acl operator, after the successful
> authentication with the nt domain controller how do I impose further restrictions ?

As I said above. There was a squid version not so long ago with a bug which
made NTLM authentication fail if you had to pass more than one proxy_auth
acl. Maybe you just need to get the very latest squid version?

> And if I place another acl operator containing a group or user restriction before
> the proxy_auth term, I get the user/password dialog that I wanted to avoid.

I do not fully understand. What kind of other acl operator? I don't
understand what you mean by group restriction. Maybe you are about to
configure a normal (not ntlm) authentication in addition to the ntlm
authentication?

Please clarify.

Finally, there is apparently a bug/flaw in squid's ntlm handling or ntlm in
general (probably the latter).

You'll get regularly popping up authentication prompts which are not
related to your acl's at all.

To avoid this, run one NTLM authenticator child only (default 5) and don't
touch the default NTLM authenticator program timeout options. (Challenge
refresh must occur at <40 minutes, from my experience.)

Michael.

> Or am I on the wrong track ? Is there a solution which uses a group or user scheme on
> the nt domain controller (as ms proxy does) ?

In contrast to doing 'normal' proxy authentication (with prompts) and
samba/windows accounts, there is (currently?) no way to specify windows
groups of users with different access with NTLM. Even in the normal case,
I think you only have one authenticator scheme, so you can define only one
'pool' of allowed windows accounts. Not one windows group allowing access
to site A and one providing access to site B.

Such fine grained access permissions are to be made on the squid side.

> Any hints welcome,
> Jakob Curdes
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
>

--
Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on
any machine in the net, it's very likely it's me.
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Thu Nov 02 2000 - 06:05:37 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:56:13 MST
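As an added, complete example of the approach Michael describes (this is not part of his reply or of the squid distribution): a squid.conf fragment that keeps the privileged user list in a file and orders the http_access rules so that any account the domain controller vouches for may browse, only the listed accounts may open CONNECT tunnels, and everything else is refused. The auth_param syntax is the one used by squid 2.5 and is an assumption here; the helper path, the MYDOMAIN/PDCNAME argument and the file /etc/squid/special_users are placeholders.

```conf
# squid.conf fragment (added example; assumes squid 2.5-style auth_param syntax)

# NTLM helper: a single child, as the reply recommends, and the
# challenge-lifetime defaults left alone.  Path and DC name are placeholders.
auth_param ntlm program /usr/lib/squid/ntlm_auth MYDOMAIN/PDCNAME
auth_param ntlm children 1

# "all" and "CONNECT" must be defined explicitly in squid of this era.
acl all src 0.0.0.0/0.0.0.0
acl CONNECT method CONNECT

# Anyone with a valid domain account.
acl password proxy_auth REQUIRED

# Only these accounts may use CONNECT.  One user per line in the file,
# written exactly as the helper reports the name, e.g.  MYDOMAIN\admin
acl SPECIAL proxy_auth "/etc/squid/special_users"

# http_access is first-match: the first line whose ACL terms all match
# decides, so the narrow deny must come before the broad allow.
# 1. CONNECT from anyone not in the list is refused.  Testing !SPECIAL on a
#    request without credentials makes squid send a 407 challenge first.
http_access deny CONNECT !SPECIAL
# 2. Any authenticated account may browse.
http_access allow password
# 3. Everything else, including requests that never authenticated, is denied.
http_access deny all
```

Swapping the first two http_access lines would let every authenticated user CONNECT, because "allow password" would match before the CONNECT restriction is ever evaluated; likewise ending with "allow all" instead of "deny all" would admit unauthenticated non-CONNECT requests, since neither of the earlier lines matches them.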