[squid-users] proxy auth hosts and active directory

From: Rolf <rolf@dont-contact.us>
Date: Thu, 18 Nov 2004 14:01:39 +1100

hello

I have proxy auth turned on here and it uses the squid_ldap_auth and
squid_ldap_group helpers to query an Active Directory Server with a
search for valid credentials and group membership in order to determine
access.

All works fine.

Three questions.

Firstly, in the external_acl_type directive, -h hostname defines the
Active Directory server to query. Can I specify for redundancy purposes
more than one hostname?
If not, is there any other way to establish some sort of redundancy?
Can I define external_acl_type twice, each with different -h hostname
specifications?
If so, do I then have to have two 'acl aclname external...' directives?

Secondly, I am about to deploy a second squid box for redundancy
purposes. How, if at all, is the proxy authentication kept in sync
between the two?
If the browser has a config that says try proxyA then ProxyB, so it
contacts proxyA and does the auth, then proxyA disappears, does the
browser have to re-authenticate with ProxyB at the next http request or can
the auth data be made available on proxyB?
If so, how?
If it's not kept in sync and the browser must re-authenticate against the second
proxy, does this mitigate against an architecture of having a
round-robin proxy server arrangement, whereby the browser can be given a
different proxy for each request (via rr dns or other mechanisms)?
For proxy auth scenarios is it recommended that proxies are designated
as primary and backup(s) rather than equals?

Lastly, (not strictly a squid question) so far we have around 25 users
using proxy auth - largely as a testing set - eventual production will
deal with about 1500 users. Of those 25, one Active Directory user does
not work. Clearly this is an issue within AD for that userid. Has
anyone seen or does anyone know of any particular quirks in AD userids that stop it
working?
The credentials, user/pass, are accepted (i.e. they are not prompted for
again as in the case of being incorrect) but won't accept that the user
has access by dint of being in the relevant group, even though they
certainly are, and are redirected in accordance with the squid config
to the page that tells them they're not allowed. Weird. I have tried
turning on squid debugging and have also sniffed the traffic to/from
AD, but no real clues.

many thanks

rolf.
Received on Wed Nov 17 2004 - 20:01:54 MST
