Re: [squid-users] active directory

From: D & E Radel <radel@dont-contact.us>
Date: Wed, 01 Aug 2007 09:52:40 +1200

Whoops. Replace that "dc=second" with "dc=first" in the DOMAIN1 part of the script and you'll
understand what I meant. I didn't proofread after making the edits.

Cheers,
Dietrich

D & E Radel wrote:
> UK SquidUser (AXA-TECH-UK) wrote:
>> Hi, I'm trying to migrate to a new platform of Squid proxy servers using
>> Active Directory. I can't seem to find any pointers on configuring
>> squid/kerberos/samba to use multiple domains for authentication. I've
>> configured a test box to point through a single domain using AD fine,
>> but I'm unsure if I can actually use cross-domain authentication. Can
>> anybody point me in the right direction please? Kev.
>>
>> TS Data Networks
>> AXA Tech
>
> I use the following script for ldap authentication from multiple
> domains. This should be modifiable for other forms of authentication:
>
> #============================================
> #!/bin/sh
>
> # This script checks a username and password provided by squid
> # against 2 domains. If the credentials are accepted by either
> # domain, output "OK". Otherwise, output "ERR".
>
> # read from stdin until EOF is received (one "username password" per line)
> while read -r INP; do
>
>   # Use username and password to authenticate against FIRST domain
>   DOMAIN1=`echo "$INP" | /usr/lib/squid/ldap_auth -R \
>     -b "dc=first,dc=my,dc=domain,dc=com" \
>     -D "cn=Administrator,cn=Users,dc=first,dc=my,dc=domain,dc=com" \
>     -w "admin_password" -f sAMAccountName=%s -h 192.168.1.1`
>
>   # Use username and password to authenticate against SECOND domain
>   DOMAIN2=`echo "$INP" | /usr/lib/squid/ldap_auth -R \
>     -b "dc=second,dc=my,dc=domain,dc=com" \
>     -D "cn=Administrator,cn=Users,dc=second,dc=my,dc=domain,dc=com" \
>     -w "admin_password" -f sAMAccountName=%s -h 192.168.1.2`
>
>   # If username and password are correct for either domain, output "OK"
>   # (POSIX sh "test" compares strings with a single "=", not "==")
>   if [ "$DOMAIN1" = "OK" ]; then
>     echo "OK"
>   elif [ "$DOMAIN2" = "OK" ]; then
>     echo "OK"
>   else
>     echo "ERR"
>   fi
> done
> #============================================
>
> I then call this from my squid.conf with:
>
> #============================================
> # Authenticate against TWO domains using LDAP, not SAMBA
> #------------------------------------------------------------
> # Uses the custom script called multi_domains.sh which authenticates
> # against more than one domain by making multiple calls to the standard
> # /usr/lib/squid/ldap_auth program and evaluating the result. The script
> # passes either an "OK" or an "ERR" back to Squid.
>
> auth_param basic program /etc/squid/multi_domains.sh
> auth_param basic children 5
> auth_param basic realm MyCompany Proxy
> auth_param basic credentialsttl 5 hours
> #============================================
>
> I hope that this is useful to you.
>
> Cheers,
> Dietrich
>
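The same two-domain fan-out as an added example, not Dietrich's script: it keeps the ldap_auth flags and the OK/ERR helper protocol from the thread, but reports a backend that is down or times out on stderr instead of silently treating the outage as a bad password, while still failing closed. The base DNs, bind DNs, bind password and addresses are the placeholder values from the thread, and the Squid 2.x basic helper protocol (one "user password" line per request) is assumed.

```python
#!/usr/bin/env python3
# Squid basic-auth helper that tries several domains in turn (added example,
# not the list poster's script). Assumes the Squid 2.x basic helper protocol:
# one "user password" line per request, answered with "OK" or "ERR".
import subprocess
import sys

def ldap_auth_checker(base_dn, bind_dn, bind_pw, host,
                      helper="/usr/lib/squid/ldap_auth", timeout=10):
    """Build a checker that hands the credential line to Squid's ldap_auth
    with the thread's flags. The bind password sits in this file and on the
    command line, so keep the file readable only by the squid user."""
    def check(line):
        argv = [helper, "-R", "-b", base_dn, "-D", bind_dn, "-w", bind_pw,
                "-f", "sAMAccountName=%s", "-h", host]
        proc = subprocess.run(argv, input=line + "\n", capture_output=True,
                              text=True, timeout=timeout)
        if proc.returncode != 0:
            raise RuntimeError(f"{helper} exited {proc.returncode} ({host})")
        return proc.stdout.strip()
    return check

def authenticate(line, checkers):
    """Return "OK" if any domain accepts the credentials, otherwise "ERR".
    A backend that errors or times out is skipped and logged to stderr, so
    an outage is distinguishable from a wrong password in the helper log."""
    failed = 0
    for check in checkers:
        try:
            if check(line).startswith("OK"):
                return "OK"
        except (RuntimeError, subprocess.TimeoutExpired, OSError) as exc:
            failed += 1
            print(f"multi_domain_auth: backend failed: {exc}", file=sys.stderr)
    if failed and failed == len(checkers):
        print("multi_domain_auth: all backends down, failing closed", file=sys.stderr)
    return "ERR"  # an unreachable backend never grants access

def serve(checkers, stdin=sys.stdin, stdout=sys.stdout):
    """Squid keeps the helper running and sends one request per line."""
    for raw in stdin:
        line = raw.rstrip("\n")
        if line:                        # ignore blank lines
            stdout.write(authenticate(line, checkers) + "\n")
            stdout.flush()              # Squid blocks until it sees the reply

if __name__ == "__main__":  # constructed placeholders mirroring the thread
    serve([ldap_auth_checker("dc=first,dc=my,dc=domain,dc=com",
               "cn=Administrator,cn=Users,dc=first,dc=my,dc=domain,dc=com",
               "admin_password", "192.168.1.1"),
           ldap_auth_checker("dc=second,dc=my,dc=domain,dc=com",
               "cn=Administrator,cn=Users,dc=second,dc=my,dc=domain,dc=com",
               "admin_password", "192.168.1.2")])
```

Point `auth_param basic program` at this file instead of multi_domains.sh; each Squid child process keeps one long-running instance, so the per-request cost is only the ldap_auth calls.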
Received on Tue Jul 31 2007 - 15:52:50 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Aug 01 2007 - 12:00:04 MDT