Re: [squid-users] Squid Authentication Methods

From: D & E Radel <radel@dont-contact.us>
Date: Thu, 12 Jan 2006 08:37:39 +1300

Hi there,

Here is a solution that would work. You could call a custom script from
your squid.conf e.g.

  auth_param basic program /etc/squid/my_custom_script.sh
  auth_param basic children 5
  auth_param basic realm Squidward Proxy
  auth_param basic credentialsttl 5 hours

My script goes something like this

    #!/bin/sh
    # read from stdin until EOF is received

    # -r and the quotes around $INP keep backslashes, spaces and glob
    # characters in the credentials intact
    while read -r INP; do
        # Use username and password to authenticate against AD domain number 1
        DOMAIN1=`echo "$INP" | /usr/lib/squid/ldap_auth ....(edited)

        # Use username and password to authenticate against AD domain number 2
        DOMAIN2=`echo "$INP" | /usr/lib/squid/ldap_auth ....(edited)

        # If username and password is correct for either domain, output "OK"
        # ("=" is the portable string comparison under /bin/sh)
        if [ "$DOMAIN1" = "OK" ]; then
            echo "OK"
        elif [ "$DOMAIN2" = "OK" ]; then
            echo "OK"
        else
            echo "ERR"
        fi
    done

The above script authenticates against one domain, and if that fails it
tries the other domain. You could modify the second lookup in this script
to check against a plaintext file instead of a 2nd domain. Instead of
calling ldap_auth the 2nd time, call another custom script (call it
plaintext_check.sh or something) that checks the username and password
against a plaintext file and returns OK or ERR accordingly to the first
script (above). Modify the above line to call your 2nd script:
    DOMAIN2=`echo "$INP" | /usr/share/custom_scripts/plaintext_check.sh`

Non-standard, but you could get it to work if you can write shell
scripts.
D.Radel.

----- Original Message -----
From: "Mark Elsen" <mark.elsen@gmail.com>
To: "Paolo Biancolli" <paolob@cns.wits.ac.za>
Cc: <squid-users@squid-cache.org>
Sent: Wednesday, January 11, 2006 10:09 PM
Subject: Re: [squid-users] Squid Authentication Methods

> Hi all,
>
> Is it possible to authenticate using a flat text file as well as using MS
> Active Directory? We are currently rolling out AD and may need to have 2
> different authentication methods.
>

I presume "as well" means that if the user is not in AD, look it up
in the flat text file.
It doesn't work that way. When both schemes are configured, the
browser will use the strongest auth. scheme as a SINGLE source for
the current auth. request.

M.
Received on Wed Jan 11 2006 - 12:37:45 MST
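
A sketch of the second-stage helper the reply calls plaintext_check.sh, as an added example that is not code from the original post. Assumptions: the flat file holds one `username:password` per line, its path is passed as the first argument, requests arrive as `username password` on one line, and the function names are hypothetical.

```shell
#!/bin/sh
# plaintext_check.sh (name suggested in the post; contents are an added example)
# Assumed call: plaintext_check.sh /path/to/flat_users  (path is hypothetical)
# Assumed file format: one "username:password" per line, "#" starts a comment.

# check_plaintext USER PASS FILE -> prints OK or ERR
check_plaintext() {
    cp_user=$1 cp_pass=$2 cp_file=$3
    # Fail closed: empty fields or an unreadable file never authenticate.
    [ -n "$cp_user" ] && [ -n "$cp_pass" ] && [ -r "$cp_file" ] || { echo ERR; return; }
    while IFS= read -r cp_line; do
        case $cp_line in
            '#'*) continue ;;   # comment
            *:*)  ;;            # well-formed entry
            *)    continue ;;   # no separator: ignore, do not match
        esac
        # Literal string comparison only. The submitted credentials are never
        # used as a grep/regex/glob pattern, so "*" or "." in a password
        # cannot match another user's entry.
        if [ "${cp_line%%:*}" = "$cp_user" ] && [ "${cp_line#*:}" = "$cp_pass" ]; then
            echo OK
            return
        fi
    done < "$cp_file"
    echo ERR
}

# helper_loop FILE: one request per stdin line, exactly one reply per request
helper_loop() {
    while IFS= read -r hl_req; do
        case $hl_req in
            # split at the first space; the password may itself contain spaces
            *' '*) check_plaintext "${hl_req%% *}" "${hl_req#* }" "$1" ;;
            *)     echo ERR ;;
        esac
    done
}

# Act as a helper only when a credentials file is given on the command line.
if [ "$#" -ge 1 ]; then
    helper_loop "$1"
fi
```

The credentials file should be readable only by the account the helper runs as, since it holds passwords in clear text.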
