Re: [squid-users] Active Directory computer login restrictions stops Squid authentication for these users

From: D & E Radel <radel@dont-contact.us>
Date: Sat, 27 Aug 2005 00:32:55 +1200

Hi B.

Thanks for your reply. Yes, I am using the properties of the user
objects. I forget how many user accounts we have, but it's over 200
users. It's about 20 - 40 that we are trying to restrict though.

Regards,
D.
----- Original Message -----
From: "B" <basti@mondson.de>
To: <squid-users@squid-cache.org>
Sent: Saturday, August 27, 2005 12:11 AM
Subject: Re: [squid-users] Active Directory computer login restrictions stops Squid authentication for these users

> if i get you right, you use properties of the user objects.
>
> my first thought about this was to create organizational units in ad and
> restrict "logon locally" for these users in the computer objects. that way
> users would not have a restriction to ip's in them but only the workstations
> do.
>
> due to the number of ou's (for every computer there will be one) in the
> directory this will only be useful with a limited number of users and
> workstations.
>
> hope this helps.
>
> Quoting D & E Radel <radel@inet.net.nz>:
>
>> Hi there
>>
>> Squid is authenticating with no problems with our domain via LDAP.
>>
>> I wish to use the built-in Active Directory account option to restrict
>> which computers a user on our domain can log into (i.e. instead of being
>> able to log into 'all computers', just their own). If I enable this
>> setting, these users no longer access the www through the Squid proxy.
>> Obviously there is an option to add other computer names to the list of
>> computers that a user can log into (e.g. our squid box).
>>
>> Our Squid runs on Linux and has not been made a member computer of our
>> domain as we are not using winbind or samba. I am not sure how to get
>> our Squid box to register its IP in the DNS server on our Domain
>> Controller. I manually added a record in the DNS, but only the full
>> computer name (including domain name suffix) resolves. There is not
>> enough space to type the whole name in, under the Active Directory
>> options.
>>
>> So I am wondering if figuring out whether investigating any of these
>> will allow me to still authenticate the users in squid as well as
>> restricting their ability to log into various local pcs. Or whether it's
>> a waste of time. I am not sure on the specifics of how Squid exactly
>> interacts with AD and whether or not this is possible.
>>
>> The easiest solution is not to restrict what computers our users can log
>> into. But, I'd like to figure out if it's possible to restrict them and
>> still have squid authenticate them.
>>
>> Any tips or ideas greatly appreciated. Many thanks in advance. :-)
>> D.Radel.
>>
>>
>
>
> -
>
> b .
Received on Fri Aug 26 2005 - 06:32:52 MDT
