RE: [squid-users] Authing to ADS NT Groups in a file

From: Jason Oakley <Jason.Oakley@dont-contact.us>
Date: Thu, 28 Oct 2004 12:49:48 +1000

Okay. Seems to be working on my FreeBSD box.

For anyone who wants to know in the future: setting up Squid to authenticate via Samba3 to Active Directory Services.

squid.conf....

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

....

# Define the group
external_acl_type NT_global_group %LOGIN /usr/local/libexec/squid/wbinfo_group.pl

# Use the group
acl AllowedNTUsers external NT_global_group "/usr/local/etc/squid/acls/allowedntgroups"
acl LoggedInUsers proxy_auth REQUIRED

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow AllowedNTUsers LoggedInUsers
http_access deny !AllowedNTUsers
http_access deny !LoggedInUsers

# And finally deny all other access to this proxy
http_access deny all

Put the NT Groups to auth against into allowedntgroups:

e.g.

$ cat /usr/local/etc/squid/acls/allowedntgroups
"ITDepartment"
"IT Help Desk"

Received on Wed Oct 27 2004 - 20:52:02 MDT
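
Added example, not part of the original post and not the code of wbinfo_group.pl: a Python sketch of the decision an external_acl_type group helper makes for each line Squid sends it (the login from %LOGIN followed by the group names from allowedntgroups), replying OK or ERR. The encoding of names containing spaces and the SAMPLE_MEMBERS table, which stands in for the winbind lookup, are assumptions.

```python
import shlex
import sys
from urllib.parse import unquote

# Constructed sample data standing in for the winbind group lookup.
SAMPLE_MEMBERS = {
    "ITDepartment": {"alice"},
    "IT Help Desk": {"bob"},
}

def parse_request(line):
    """Split one request line into (user, [groups]).

    Assumed format: '<login> <group> <group> ...', where a name containing
    spaces is double-quoted or %XX-escaped (this differs by Squid version).
    """
    lex = shlex.shlex(line.strip(), posix=True)
    lex.whitespace_split = True
    lex.escape = ""       # keep backslashes literal
    lex.commenters = ""   # '#' is not a comment here
    fields = [unquote(f) for f in lex]   # ValueError on an unclosed quote
    if not fields:
        raise ValueError("empty request")
    return fields[0], fields[1:]

def answer(line, members=SAMPLE_MEMBERS):
    """Return 'OK' if the user is in any listed group, otherwise 'ERR'."""
    try:
        user, groups = parse_request(line)
    except ValueError:
        return "ERR"      # fail closed on anything unparseable
    for group in groups:
        # Case-insensitive user match is an assumption of this sketch.
        if user.lower() in {m.lower() for m in members.get(group, ())}:
            return "OK"
    return "ERR"

if __name__ == "__main__":
    # One request per line on stdin, one reply per line on stdout.
    for request in sys.stdin:
        print(answer(request), flush=True)
```

Piping a line such as alice "ITDepartment" "IT Help Desk" into the script prints the reply Squid would act on.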