Hi!
I have a squid-2.5dev6 where I want the users to authenticate
in the background so I chose to use NTLM. However I also
need the possibility to allow/disallow the users based on
what group they are member of. I have multiple groups in
my AD that are called "XX internetaccess". If the user is
member of any of these "internetaccess" groups they are
allowed access to the squid.
What I have done is write a perl script which uses LDAP
to communicate with the AD. The script retrieves all user
names from the groups in the AD and then writes it to a textfile.
Squid uses fakeauth and checks the username in the textfile. See
below for my rules.
The script runs every hour from crontab and updates the textfile.
You need one user-account that the script can use to connect as.
I am no expert in either perl or LDAP so this script is ugly and I
would be glad to accept any changes or suggestion about how
to improve it.
Perhaps it's possible to solve this in any other way and I would appreciate
any tip.
The script has not had any extensive testing yet so if it breaks you get to
keep both pieces.
The rules for squid.conf
----------------
auth_param ntlm program /usr/lib/squid/fakeauth_auth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# allow access to *.skelleftea.se and .*skelleftea.org
acl skelleftea dstdomain .skelleftea.se .skelleftea.org
# hmm does this work?
acl internetaccess proxy_auth "/etc/squid/iagrupp.txt"
http_access allow skelleftea
http_access allow internetaccess
http_access deny all
----------------
If anyone is interested in using this I could probably clean it up a bit.
=====================================================
Janåke Rönnblom
SKERIA Utveckling AB (Teknous)
Assistentgatan 23
931 77 Skelleftea (Sweden)
-----------------------------------------------------
Phone : +46-910-585424
Mobile : 070-3970743
Fax : +46-910-585499
URL : http://skeria.skelleftea.se
-----------------------------------------------------
perlpoet at work:die if !($ToBe);
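The group-to-textfile step described in the post, as an added example in Python rather than the poster's own Perl script: the LDAP results are constructed inline in python-ldap's (dn, attrs) shape instead of coming from a live AD query, and the group, user and domain names are made up.

```python
import os
import tempfile

# Constructed stand-in for an LDAP search of group objects under the AD:
# (dn, {attribute: [byte values]}) tuples, as python-ldap returns them.
GROUP_ENTRIES = [
    ("CN=Sales internetaccess,OU=Groups,DC=example,DC=local",
     {"cn": [b"Sales internetaccess"],
      "member": [b"CN=Anna Andersson,OU=Users,DC=example,DC=local",
                 b"CN=Bo Berg,OU=Users,DC=example,DC=local"]}),
    ("CN=IT internetaccess,OU=Groups,DC=example,DC=local",
     {"cn": [b"IT internetaccess"],
      "member": [b"CN=Bo Berg,OU=Users,DC=example,DC=local",
                 b"CN=Cia Carlsson,OU=Users,DC=example,DC=local",
                 b"CN=Helpdesk,OU=Groups,DC=example,DC=local"]}),  # nested group, not a user
    ("CN=Sales,OU=Groups,DC=example,DC=local",
     {"cn": [b"Sales"],
      "member": [b"CN=Dan Dahl,OU=Users,DC=example,DC=local"]}),
]
# Constructed stand-in for the user objects, used to map member DNs to logon names.
USER_ENTRIES = [
    ("CN=Anna Andersson,OU=Users,DC=example,DC=local", {"sAMAccountName": [b"anna"]}),
    ("CN=Bo Berg,OU=Users,DC=example,DC=local", {"sAMAccountName": [b"bob"]}),
    ("CN=Cia Carlsson,OU=Users,DC=example,DC=local", {"sAMAccountName": [b"cia"]}),
    ("CN=Dan Dahl,OU=Users,DC=example,DC=local", {"sAMAccountName": [b"dan"]}),
]
GROUP_SUFFIX = " internetaccess"  # the "XX internetaccess" naming convention from the post

def select_internetaccess_groups(groups):
    """Keep only groups whose CN ends with the marker suffix (AD names are case-insensitive)."""
    return [g for g in groups if g[1]["cn"][0].decode().lower().endswith(GROUP_SUFFIX)]

def resolve_members(groups, users):
    """Map each member DN to its sAMAccountName. DNs that are not known user objects
    (nested groups, contacts, stale references) are skipped rather than written blindly.
    Returns a sorted, de-duplicated list so the acl file is stable between runs."""
    dn_to_sam = {dn.lower(): a["sAMAccountName"][0].decode() for dn, a in users}
    names = {dn_to_sam[m.decode().lower()] for _dn, a in groups
             for m in a.get("member", []) if m.decode().lower() in dn_to_sam}
    return sorted(names)

def build_acl_text(groups=GROUP_ENTRIES, users=USER_ENTRIES):
    """proxy_auth acl file format: one username per line, no blank lines."""
    return "".join(f"{u}\n" for u in resolve_members(select_internetaccess_groups(groups), users))

def write_acl_file(path, text):
    """Write to a temp file in the same directory and rename, so squid never reads a half-written list."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.replace(tmp, path)
```

Squid reads acl files at startup and on reconfigure, so a cron job that regenerates the list still needs to trigger a `squid -k reconfigure` for the new file to take effect.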
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:41 MST