Re: [squid-users] how to authenticate with Active Directory?

From: Rolf <rolf@dont-contact.us>
Date: Tue, 1 Mar 2005 21:44:45 +1100

If you want to use 'Basic' Auth whereby when a user requests access to
the internet they are asked for their active directory username and
password, you need to define a few things.

First the source of the authentication, in this case the LDAP service
from your active directory server.
Something like this:

auth_param basic program /usr/lib/squid/ldap_auth -b <BaseDN of where
active directory is> -f (cn=%s) -H ldap://active_directory_hostname

Next is a new type of ACL (access control list) called 'external'
which makes squid consult another source to find out whether some
object is allowed or not. Something like this:

external_acl_type internetusersgroup %LOGIN
/usr/lib/squid/squid_ldap_group -b <BaseDN where active directory is>
-f (&(cn=%u)(memberOf=%g)) -H ldap://active_directory_host -S

Then you need to define an ordinary ACL that calls the proxy
authentication request - so the user sees the username/password dialog:

acl authenticate_user proxy_auth REQUIRED

Finally an ACL that says ask the external ACL type you defined if the
user is in the group:

acl internetusers external internetusersgroup cn=internetusers,<BaseDN
of active directory as above>

Then you can say

http_access allow internetusers authenticate_user

So if the user enters their credentials AND is in the active directory
group you defined, then they will be allowed access.

Obviously you will need more settings such as further http_access rules
for your site and there are several timeout settings associated with
this setup.

The various components are reasonably well documented. Most of the
answers are there.

cheers

r.

> AybOwan!
>
> this is my first question for the list.
>
> i want to deploy a proxy server for my company to manage
> authentication for internet users. our main network is running on
> windows 2000 server domain. i created a group on active directory
> called "internetusers". i need to enable all "internetusers" group
> members to browse internet. how can i do this by deploying squid-cache
> proxy server?
>
> Linux Distro:- mandrake 10.2 official
> windows version:- windows 2000 server
> have 1 adsl router+2 nics.
>
> can you please, guide me to success my project
>
> --
> Linux everywhere
Received on Tue Mar 01 2005 - 03:45:22 MST
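The helper side of the external ACL described above, as an added example (not Squid's own squid_ldap_group code): a stand-in helper that reads the "<%LOGIN user> <group DN>" request lines Squid sends, applies the -S domain stripping, builds the (&(cn=%u)(memberOf=%g)) filter with RFC 4515 escaping of the login, and answers OK or ERR. The in-memory directory, the user names and the example.local base DN are constructed for offline use.

```python
#!/usr/bin/env python3
"""Skeleton of a Squid external ACL helper using squid_ldap_group's request
format: one "<%LOGIN user> <acl argument>" line per lookup, answered OK or ERR.
Constructed example, not Squid's own helper code."""
import re
import sys
from urllib.parse import unquote

# Filter template from the post; squid_ldap_group fills %u/%v (user), %g/%a (group).
FILTER_TEMPLATE = "(&(cn=%u)(memberOf=%g))"

# Constructed stand-in for the directory: user cn -> list of memberOf DNs.
FAKE_DIRECTORY = {
    "alice": ["cn=internetusers,dc=example,dc=local"],
    "bob": ["cn=staff,dc=example,dc=local"],
}

def ldap_escape(value):
    """RFC 4515 escaping, so a login like 'x)(cn=*' cannot reshape the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def strip_domain(user):
    """What -S does: 'EXAMPLE\\alice' or 'alice@example.local' -> 'alice'."""
    return user.split("\\", 1)[-1].split("@", 1)[0]

def build_filter(user, group, template=FILTER_TEMPLATE):
    """Substitute the escaped user and group into the -f template."""
    values = {"u": user, "v": user, "g": group, "a": group}
    return re.sub(r"%([uvga])", lambda m: ldap_escape(values[m.group(1)]), template)

def is_member(user, group_dn, directory=FAKE_DIRECTORY):
    """Stand-in for the LDAP search a real helper runs with build_filter()."""
    return group_dn in directory.get(user, [])

def handle_request(line, strip=True):
    """Parse one request line from Squid and return the reply to send back."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return "ERR"  # malformed request: deny, never default to allow
    user, group_dn = (unquote(p) for p in parts)  # Squid URL-encodes helper args
    if strip:
        user = strip_domain(user)
    return "OK" if is_member(user, group_dn) else "ERR"

if __name__ == "__main__":
    for request in sys.stdin:  # Squid writes one request per line on stdin
        print(handle_request(request), flush=True)
```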

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:01 MST