RE: [squid-users] Pb ldap with SquidNT

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Mon, 26 Jun 2006 11:58:59 +0200

Hi Jerome,

At 10.56 26/06/2006, Jerome wrote:

>OK Guido !
>
> >You need two components for user authentication /authorization:
> >
> >- An authentication helper for USER AUTHENTICATION, this could be
> >win32_auth.exe (basic authentication) or win32_ntlm_auth.exe (NTLM
> >authentication)
>
>Why can't I use squid_ldap_auth.exe for authentication?

win32_auth is simpler to use in a Windows domain.

>I can't use win32_auth.exe because Squid is not on the same server as
>my AD... Or I don't understand how win32_auth.exe runs... ;-)

The second ... :-)

It's very simple (assuming that your Squid machine is a MEMBER of your AD):

You must use the "domain\user" notation for the username.

> >- An External ACL helper for Windows group based USER AUTHORIZATION, this
> >could be win32_check_group.exe (native Windows groups)
>
>I have tested win32_check_group.exe on the command line and it works !! OK !
>
> >What you don't need is the local group support of win32_auth.exe.
>
>Do you have an example of authentication/authorization with win32_auth.exe or
>other for an AD and SquidNT running on 2 different servers?

Yes:

auth_param basic program c:/squid/libexec/win32_auth.exe
auth_param basic children 2
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G

acl ProxyUsersMember external NT_global_group ProxyUsers
acl password proxy_auth REQUIRED
acl our_networks src 172.30.0.0/16

http_access allow password our_networks ProxyUsersMember

http_access deny all

In the previous example, only the domain users who are members of the
Domain GLOBAL Group "ProxyUsers" are allowed to use the proxy when the
request comes from the 172.30.0.0/16 subnet.

You need to run Squid on a machine that is a member of the AD Domain: it's a
prerequisite for win32_auth and win32_check_group.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Mon Jun 26 2006 - 03:59:05 MDT
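
A simplified model of how Squid evaluates the http_access lines in the message above, as an added example that is not part of the original message or of Squid itself: ACLs on one line are ANDed left to right, and the first line that matches decides. The directory contents, user names, passwords and the "challenge" result (standing for a 407 reply) are constructed assumptions.

```python
import ipaddress

# Constructed sample directory: "domain\user" -> (password, global groups).
DIRECTORY = {
    r"corp\alice": ("s3cret", {"ProxyUsers"}),
    r"corp\bob": ("hunter2", {"Domain Users"}),
}

def _entry(req):
    # "auth_param basic casesensitive off": user names compare case-insensitively.
    return DIRECTORY.get((req.get("user") or "").lower())

def acl_password(req):
    """acl password proxy_auth REQUIRED. None = no valid credentials yet."""
    entry = _entry(req)
    if entry is None or entry[0] != req.get("password"):
        return None  # modelled as a 407 challenge (simplification)
    return True

def acl_our_networks(req):
    """acl our_networks src 172.30.0.0/16"""
    return ipaddress.ip_address(req["src"]) in ipaddress.ip_network("172.30.0.0/16")

def acl_proxy_users_member(req):
    """acl ProxyUsersMember external NT_global_group ProxyUsers"""
    entry = _entry(req)
    return entry is not None and "ProxyUsers" in entry[1]

ACLS = {
    "password": acl_password,
    "our_networks": acl_our_networks,
    "ProxyUsersMember": acl_proxy_users_member,
    "all": lambda req: True,
}

# The two http_access lines from the message, in order.
HTTP_ACCESS = [
    ("allow", ["password", "our_networks", "ProxyUsersMember"]),
    ("deny", ["all"]),
]

def evaluate(req):
    """Return 'allow', 'deny' or 'challenge' for a request dict."""
    for action, names in HTTP_ACCESS:
        for name in names:
            result = ACLS[name](req)
            if result is None:
                return "challenge"
            if not result:
                break  # this line does not match, try the next one
        else:
            return action  # every ACL on the line matched
    return "deny"  # not reached here: "deny all" always matches
```

Because `password` is listed first on the allow line, a client outside 172.30.0.0/16 is asked for credentials before the source check is reached; an authenticated user who is not in ProxyUsers falls through to `deny all`.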
