RE: [squid-users] Pb ldap with SquidNT

From: Jerome <bret.jerome@dont-contact.us>
Date: Mon, 26 Jun 2006 18:25:37 +0200

Thanks Guido !
It works fine....
But I'm on a test machine.
In production, the server will not be on the AD domain....
So I can't use the win32 program... :(
Do you know the LDAP authentication?
Thanks !

Jérôme

-----Original Message-----
From: Serassio Guido [mailto:guido.serassio@acmeconsulting.it]
Sent: Monday, 26 June 2006 11:59
To: Jerome; 'Henrik Nordstrom'
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Pb ldap with SquidNT

Hi Jerome,

At 10.56 26/06/2006, Jerome wrote:

>OK Guido !
>
> >You need two components for user authentication/authorization:
> >
> >- An authentication helper for USER AUTHENTICATION, this could be
> >win32_auth.exe (basic authentication) or win32_ntlm_auth.exe (NTLM
> >authentication)
>
>Why can't I use squid_ldap_auth.exe for authentication?

win32_auth is simpler to use in a Windows domain.

>I can't use win32_auth.exe because squid is not on the same server
>as my AD... Or I don't understand how win32_auth.exe runs... ;-)

The second ... :-)

It's very simple (assuming that your squid machine is a MEMBER of your AD):

You must use the "domain\user" notation for the username.

> >- An External ACL helper for Windows group based USER AUTHORIZATION,
> >this could be win32_check_group.exe (native Windows groups)
>
>I have tested win32_check_group.exe on the command line and it works!! OK!
>
> >What you don't need is the local group support of win32_auth.exe.
>
>Do you have an example of authentication/authorization with
>win32_auth.exe or other for an AD and SquidNT running on 2 different
>servers?

Yes:

auth_param basic program c:/squid/libexec/win32_auth.exe
auth_param basic children 2
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G

acl ProxyUsersMember external NT_global_group ProxyUsers
acl password proxy_auth REQUIRED
acl our_networks src 172.30.0.0/16

http_access allow password our_networks ProxyUsersMember

http_access deny all

In the previous example, only the domain users who are members of the Domain
GLOBAL Group "ProxyUsers" are allowed to use the proxy when the request comes
from the 172.30.0.0/16 subnet.

You need to run Squid on a machine that is a member of the AD Domain: it's a
prerequisite for win32_auth and win32_check_group.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Mon Jun 26 2006 - 10:27:23 MDT
