Re: [squid-users] howto configure 2 NT groups of users for internet access

From: Jerry Murdock <jmurdock@dont-contact.us>
Date: Tue, 30 Oct 2001 09:40:35 -0500

I used squidguard to control this. The same techniques may be usable for
Squid acl lists as well.

Basically I have a pair of perl scripts scheduled every 10 minutes. On the PDC
a script creates two lists of users. One for the "inet-restricted" group and
another for the "inet-full" group.

On the FreeBSD box, a script grabs the two files off the NT server to use as
user lists for squidguard. If the files have been updated, it issues a
"squid -k reconfigure".

I then use SquidGuard acls and blacklists to control access. Basically,
everyone is allowed access to my blacklist named "whitelist"; to get anywhere
else, they need to be on the inet-full user list.

The biggest negative I see is that the same user may have three different
names in squid's eyes:

domainname\username - For "transparently" authenticated NTLM users.
\username - For "pop-up" dialog NTLM users who don't enter the domain portion
in the dialog.
username - For basic (smb_auth) users.

My script just generates all three variants in the list. This is fine for a
single domain installation, and may be acceptable for a multi-domain config.
If you can't live with it, the only solution would be to "force" the users to
enter the domain name portion for all login types.

Jerry

----- Original Message -----
From: "Van Bossche Koen" <Koen.VanBossche@KONE.com>
To: <squid-users@squid-cache.org>
Sent: Tuesday, October 30, 2001 3:37 AM
Subject: [squid-users] howto configure 2 NT groups of users for internet access

> Hi all,
>
> I have 2 NT groups on the BDC for Internet Access, one for limited access
> (just a dozen urls) and one group for full access. I configured squid for
> the full access users with NTLM and SMB_auth method of authentication.
>
> I think I can have it done using 2 parallel squid configurations with 2
> squid.conf files. However I would prefer to have it done within the same
> squid.conf configuration.
>
> Configuration for full access would be:
> # Modification: Authenticate with NTLM for IE
> auth_param ntlm program /opt/squid/libexec/squid/ntlm_auth DOMAIN\bdc
> DOMAIN\bdc2
> auth_param ntlm children 8
> auth_param ntlm max_challenge_reuses 1
> auth_param ntlm max_challenge_lifetime 2 minutes
> # Modification: Authenticate with basic for Netscape
> auth_param basic program /opt/squid/libexec/squid/smb_auth -W DOMAIN
> auth_param basic children 8
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> authenticate_ttl 36000 minutes
> ...
> acl internetacl proxy_auth REQUIRED
> http_access allow internetacl
>
> For the limited users it should be something like this acl:
> Idem for authentication. For SMB_AUTH I could use it with the -S parameter with
> something like \\netlogon\proxyauth-limited
> acl allowed_sites url_regex -i "/etc/squid/sites.txt"
> http_access allow allowed_sites
> http_access deny all
>
> However, I cannot figure out how I can configure this for 2 NT GROUPS with
> each a different kind of access.
> Can someone help me with this one?
>
> Best Regards,
> ./koen
>
>
>
> Koen Van Bossche
>
> KONE International SA
> KCO Telecom
> Ave E. Van Nieuwenhuyse, 6
> B - 1160 Brussels, Belgium
> Tel : +32 (0)2 676.93.81
> Fax : +32 (0)2 676.93.91
>
>
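The list-generation step Jerry describes, written here as an added Python example (not his Perl scripts): each NT group member is expanded into the three spellings squid may see (domain\user, \user, user), and the output file is rewritten only when its content changed, so the caller knows when a "squid -k reconfigure" is needed. The domain name and member names below are constructed; the output format (one name per line) is what a squid proxy_auth acl reads from a quoted file.

```python
import tempfile
from pathlib import Path


def name_variants(domain: str, user: str) -> list:
    """Three names one NT account may present to squid: DOMAIN\\user
    (transparent NTLM), \\user (NTLM dialog without domain), user (basic/smb_auth)."""
    user = user.strip()
    return [f"{domain}\\{user}", f"\\{user}", user]


def build_user_list(domain: str, members: list) -> str:
    """Expand every group member into its variants, one name per line.
    Blank lines and '#' comments from the exported group dump are skipped and
    duplicate names (e.g. a user listed twice) are emitted once."""
    lines, seen = [], set()
    for member in members:
        if not member.strip() or member.lstrip().startswith("#"):
            continue
        for name in name_variants(domain, member):
            if name not in seen:
                seen.add(name)
                lines.append(name)
    return "\n".join(lines) + "\n"


def update_user_file(path: Path, content: str) -> bool:
    """Write the list only if it differs from what is on disk.
    Returns True when the file changed, i.e. squid needs a reconfigure."""
    if path.exists() and path.read_bytes() == content.encode():
        return False
    path.write_text(content)
    return True


def demo() -> tuple:
    """Run two scheduled passes over a constructed 'inet-full' group export:
    the first pass writes the file, the second finds it unchanged."""
    members = ["alice", "# exported by the PDC script", "", "bob", "alice"]
    content = build_user_list("CORP", members)  # CORP is a constructed domain
    path = Path(tempfile.mkdtemp()) / "inet-full.txt"
    first = update_user_file(path, content)
    second = update_user_file(path, content)
    return first, second


if __name__ == "__main__":
    print(build_user_list("CORP", ["alice", "bob"]), end="")
    print("reconfigure needed on passes:", demo())
```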
Received on Tue Oct 30 2001 - 07:40:51 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:03:13 MST