RE: [squid-users] Can't see usernames in logs after enabling NTLM

From: Chris Robertson <crobertson@dont-contact.us>
Date: Mon, 7 Feb 2005 16:06:36 -0900

> -----Original Message-----
> From: Oliver Hookins [mailto:ohookins@gmail.com]
> Sent: Monday, February 07, 2005 3:34 PM
> To: Chris Robertson
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Can't see usernames in logs after enabling
> NTLM
>
>
> Chris Robertson wrote:
>> If you want all requests to be authenticated first, use "http_access deny
>> !AuthGroup" at the top. That way any requests from sources that are not
>> authenticated will be denied and asked for authentication. Requests that
>> are authenticated will pass on down to the next ACL (not being explicitly
>> denied, but not explicitly allowed either).
>
> The authentication method is just passing through fakeauth to grab
> usernames anyway so it's not quite authentication as such. But basically
> we want all requests to pass through fakeauth in order to grab usernames.
>
> Then we want to:
> * allow access to anyone who is authorised by LDAP group
> * requests that aren't LDAP group authorised but ARE on the SURFING IP
> ACL list should be allowed
> * requests that aren't LDAP authorised and aren't from an IP on the
> SURFING ACL but are to an allowedsite should be allowed
> * deny everything else
>
> http_access allow AuthGroup
> http_access allow SURFING
> http_access allow allowedsites
> http_access deny all
>
> Will that do it, and grab authentication details for every request?
>
>
> Thanks,
> Oliver

Here is how I read your setup:

Everyone is prompted for authentication (which is passed to fakeauth_auth,
and so passes) and the credentials are tested against LDAP (http_access
allow AuthGroup). If the credentials map to an allowed group the person
surfs wherever they wish, otherwise the client IP is checked against allowed
sites. If the client IP is listed in SURFING they are allowed to surf
wherever they wish, otherwise their destination domain is checked against
allowedsites. If found, the request is allowed.

So to be denied, it has to be someone not in an authorized LDAP group,
surfing from a computer not in the SURFING IP range going to a site not
listed in allowedsites. In any case, all transactions are logged to
whatever name the surfer provided to the authentication request.

That should about cover it...

Chris
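To check how the two rule orderings discussed in this thread behave, here is an added example (not code from the thread or from Squid) that models Squid's first-match http_access evaluation in Python. The ACL names are the thread's; the LDAP group name, client addresses and domains are constructed, and the credential and 407-challenge behaviour is the simplification stated in the comments.

```python
# Added example, not from the thread: a simplified model of Squid's http_access
# evaluation. Assumptions: first matching line wins (no match: opposite of the
# last line's action); a proxy_auth-type ACL never matches a request that sent
# no credentials; a deny whose last evaluated ACL was proxy_auth-type, for a
# request without credentials, becomes a 407 challenge rather than a plain 403.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    src_ip: str
    dst_domain: str
    user: Optional[str] = None            # None: no Proxy-Authorization header
    ldap_groups: frozenset = frozenset()  # groups an LDAP lookup would return

# Constructed stand-ins for the thread's ACLs (addresses, domains, group made up).
# AuthGroup: fakeauth accepts any credentials, then the LDAP group check applies.
ACLS = {
    "AuthGroup":    ("proxy_auth", lambda r: "surfers" in r.ldap_groups),
    "SURFING":      ("src",        lambda r: r.src_ip.startswith("10.1.2.")),
    "allowedsites": ("dstdomain",  lambda r: r.dst_domain.endswith(".example.com")),
    "all":          ("src",        lambda r: True),
}

def evaluate(rules, req):
    """Return 'allow', 'deny' or 'challenge' for req under (action, acl...) lines."""
    last_type, verdict = None, None
    for action, *acl_names in rules:
        for name in acl_names:
            last_type, test = ACLS[name.lstrip("!")]
            hit = False if (last_type == "proxy_auth" and req.user is None) else test(req)
            if hit == name.startswith("!"):  # ACL did not match in this line's sense
                break
        else:
            verdict = action                 # every ACL on the line matched
            break
    if verdict is None:                      # fell off the end of the list
        verdict = "deny" if rules[-1][0] == "allow" else "allow"
    if verdict == "deny" and last_type == "proxy_auth" and req.user is None:
        return "challenge"
    return verdict

# Oliver's proposed order, and the same list with Chris's forcing line on top.
OLIVER = [("allow", "AuthGroup"), ("allow", "SURFING"),
          ("allow", "allowedsites"), ("deny", "all")]
FORCED = [("deny", "!AuthGroup")] + OLIVER

def logged_user(rules, req):
    """Username access.log would carry for an allowed request, else None."""
    return req.user if evaluate(rules, req) == "allow" else None
```

Under the model, a client on a SURFING address that sends no credentials is allowed by Oliver's order without ever being challenged, so no username reaches the log, while the forcing line turns that request into a challenge.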
Received on Mon Feb 07 2005 - 18:08:11 MST