Re: [squid-users] Squid and Active Directory

From: Matt Alexander <lowbassman@dont-contact.us>
Date: Thu, 4 Nov 2004 00:32:30 -0700

Samba will need to be installed, but you only need to run the winbindd
process which doesn't actually listen on a TCP/UDP port, but is called
by Squid using a Unix pipe.

On Thu, 4 Nov 2004 01:46:40 -0000, John <john.rushe@tiscali.co.uk> wrote:
> Hi Matt,
>
> Thanks for the reply. Does this mean that I need to set up and run samba
> server on the squid box? My company security team are against running samba
> as they consider samba to be inherently insecure. Is there a way to run
> squid with Active Directory for authentication without having to include
> samba?
>
> Thanks & regards
>
> John
>
>
> ----- Original Message -----
> From: "Matt Alexander" <lowbassman@gmail.com>
> To: <squid-users@squid-cache.org>
> Sent: Thursday, November 04, 2004 12:03 AM
> Subject: Re: [squid-users] Squid and Active Directory
>
> > You'll need to edit your samba config file for your particular domain,
> > start winbindd, and add the following to your squid.conf:
> >
> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 20
> > auth_param ntlm max_challenge_reuses 0
> > auth_param ntlm max_challenge_lifetime 30 minutes
> > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > auth_param basic children 5
> > auth_param basic realm Web Proxy
> > auth_param basic credentialsttl 2 hours
> > external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
> > acl winbind proxy_auth REQUIRED
> > acl internetusers external nt_group internet
> > http_access allow internetusers
> > http_access deny all
> >
> > The above also contains the additional requirement that users must be
> > in the Windows "internet" group. If you don't need this then you can
> > remove the internetusers acl and the wbinfo_group.pl line. Then
> > change http_access to allow winbind.
> > ~Matt
> >
> >
> > On Wed, 3 Nov 2004 22:45:49 -0000, John <john.rushe@tiscali.co.uk> wrote:
> >> Hi
> >>
> >> My site is moving away from LDAP to Active Directory for authentication
> >> for our internet users going through the Squid proxy server. In order to
> >> get squid to talk to active directory for user authentication, is it also
> >> a requirement to set up, configure and run samba? I had hoped that
> >> switching to active directory
> >> would just mean tweaking the existing LDAP auth_param directive.
> >>
> >> Regards
> >>
> >> John

-- 
Get Firefox!
http://www.mozilla.org/products/firefox/
Received on Thu Nov 04 2004 - 00:32:31 MST
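
Added example, not part of the original messages: a small Python lint for a squid.conf fragment like the one quoted above. It flags helper paths that mail wrapping has split from their auth_param or external_acl_type directive, allow rules that do not require a login, and a missing final "deny all". The function name, the sample strings and the treatment of "all" as a predefined acl are assumptions.

```python
# Added example; lint_squid_auth is a hypothetical helper, not part of Squid.
BUILTIN_ACLS = {"all"}  # assumption: "all" is defined elsewhere in squid.conf

def lint_squid_auth(conf_text):
    """Return a list of problems in the authentication-related directives."""
    problems, acls, login_types, rules = [], {}, set(), []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0].startswith("/"):  # bare path: helper split off its directive
            problems.append(f"line {n}: helper path wrapped onto its own line")
        elif tok[0] == "auth_param" and tok[2:] == ["program"]:
            problems.append(f"line {n}: auth_param {tok[1]} program lacks a helper")
        elif tok[0] == "external_acl_type" and len(tok) >= 2:
            if not any(t.startswith("/") for t in tok[2:]):
                problems.append(f"line {n}: external_acl_type {tok[1]} lacks a helper")
            if "%LOGIN" in tok:
                login_types.add(tok[1])  # this lookup needs an authenticated user
        elif tok[0] == "acl" and len(tok) >= 3:
            acls[tok[1]] = tok[2:]
        elif tok[0] == "http_access" and len(tok) >= 3:
            rules.append((n, tok[1], [a.lstrip("!") for a in tok[2:]]))

    def needs_login(name):
        kind = acls.get(name, [])
        ext = kind[:1] == ["external"] and any(t in login_types for t in kind[1:2])
        return kind[:1] == ["proxy_auth"] or ext

    for n, action, names in rules:
        for name in names:
            if name not in acls and name not in BUILTIN_ACLS:
                problems.append(f"line {n}: http_access uses undefined acl {name}")
        if action == "allow" and not any(needs_login(a) for a in names):
            problems.append(f"line {n}: allow rule does not require a login")
    if not rules or rules[-1][1:] != ("deny", ["all"]):
        problems.append("http_access list does not end with 'deny all'")
    return problems

# Constructed sample built from the directives quoted in the thread.
GROUP_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl winbind proxy_auth REQUIRED
acl internetusers external nt_group internet
http_access allow internetusers
http_access deny all
"""
WRAPPED = GROUP_CONF.replace(" /usr", "\n/usr")  # as a mail client wraps it
print(lint_squid_auth(GROUP_CONF), len(lint_squid_auth(WRAPPED)))
```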
