Re: [squid-users] How to obtain auth mask by ie if the domain user haven't correct rights?

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Tue, 29 Mar 2005 19:26:04 +0100

Hi,

At 23.35 28/03/2005, eupec@supereva.it wrote:

>Hi,
> I would make the following authentication scheme with squid, if
> possible :)
>
>My scenario: Windows 2000 Server (that acts as AD domain controller) +
>SquidNT 2.5.STABLE9 installed on it; domain clients are w98, w2k, wxp with
>IE 6 SP1. There's a group in AD called "internet", and the members of this
>group have rights to surf the web.
>
>If a user is member of "internet" group, he logs in the domain and can
>browse the net -this is very simple to do with win32_check_group.exe
>helper and appropriate acl, I made it and works fine. If an user, member
>of domain users and not included in "internet" group logs into domain,
>naturally he can't surf (he isn't member of "internet" group); I would, in
>this case, that a login mask is presented by the browser, because can
>happen that someone have the right username/password (=is member of
>"internet" group) and permit the surf to this limited user, without have
>to log-off and log-in the domain again with different credentials.
>Essentially squid have to do a new membership check for new account nested
>in the first -that grants the domain membership but not the faculty to
>surf the web.
>
>
>ISA server have this kind of behavior, and if could re-create with squit
>it would be pretty nice.

I know the ISA Server behaviour.

What you asking for, is trigger again an authentication request to the
browser when the user authentication is correct, but an external acl, or
any other acl, deny the access to Squid.

Some network administrators don't like this because allow the change of
user credentials even using NTLM transparent authentication schema.

You can open a feature request on Bugzilla.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Tue Mar 29 2005 - 11:26:30 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:03 MST