[squid-users] RE: proxyauth for certain active directory users

From: Nick Duda <nduda_at_VistaPrint.com>
Date: Wed, 29 Jul 2009 14:13:59 -0400

I have everything set up as documented but it's not working. The proxy is joined to the domain, and wbinfo -g/-u gives results. Without the --require-membership-of switch, if I supply a valid domain user's credentials it works. This is running the latest build of 2.7.

The scenario is this:

Reverse proxy sitting on the DMZ
It's a reverse proxy for Microsoft Outlook Web Access
We only want certain users in AD group(s) to access it.

Current config looks like this:
 
# NTLM Authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="domain\somegroup"
auth_param ntlm children 30

# Basic authentication
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="domain\somegroup"
auth_param basic children 5
auth_param basic realm Outlook Web Access
auth_param basic credentialsttl 2 hours

http_port 80 accel vhost
https_port 443 accel vhost cert=/usr/local/squid/etc/owa/cert.pem key=/usr/local/squid/etc/owa/server.key

acl http_site dstdomain owa.domain.com
acl ssl_site dstdomain owa.domain.com
acl https_site proto HTTPS

cache_peer owa.domain.com parent 443 0 no-query originserver ssl name=owa_ssl sslflags=DONT_VERIFY_PEER
cache_peer_access owa_ssl allow ssl_site https_site
cache_peer 192.168.1.1 parent 80 0 no-query originserver name=owa_http
cache_peer_access owa_http allow http_site

acl all src 0.0.0.0/0.0.0.0
acl OWA_Allowed proxy_auth REQUIRED

http_access allow OWA_Allowed
http_access deny all

-----Original Message-----
From: Joseph L. Casale [mailto:JCasale_at_activenetwerx.com]
Sent: Tuesday, July 28, 2009 2:05 PM
To: Nick Duda; squid-users_at_squid-cache.org
Subject: RE: proxyauth for certain active directory users

>Sorry for the silly question, I've been using squid to allow access to users
>on a domain, but how can I limit access to users only in a certain security
>group on the domain.

Check the wiki out. Once they are in a group, you specify group access in the
ntlm_auth helper something like this:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE+ADGROUP

The group syntax should correlate to your winbind separator defined in your
smb.conf.
Received on Wed Jul 29 2009 - 18:14:18 MDT
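The thread turns on two details: the group name handed to the helper must use the winbind separator from smb.conf, and a stray character (such as the trailing space that crept into the basic-auth line above) makes the name fail to match. The following is an added example, not code from this thread or from the Squid project: a minimal Squid external_acl helper in Python that reads one "user group [group ...]" line per request and replies "OK" or "ERR", which is the external ACL helper protocol Squid uses. The membership table is constructed to stand in for winbind (a real helper would query winbind, e.g. via wbinfo); the separator handling and whitespace stripping show how to make the group match robust to the two pitfalls discussed.

```python
#!/usr/bin/env python3
"""Illustrative Squid external_acl helper for AD group checks.

Squid sends the helper one line per request, built from the
external_acl_type format (assumed here to be "%LOGIN") followed by the
ACL's own arguments (the group names).  The helper answers OK or ERR.
"""
import sys

# Constructed stand-in for winbind/AD: user -> set of groups, stored in a
# canonical lower-case "domain\group" form.  Not real directory data.
MEMBERSHIP = {
    "example\\alice": {"example\\owa_users", "example\\staff"},
    "example\\bob": {"example\\staff"},
}


def canonical(name, separator="\\"):
    """Normalise 'DOMAIN<sep>name' to lower case with a backslash separator.

    The winbind separator is whatever smb.conf defines; ntlm_auth and
    wbinfo print names with that separator (EXAMPLE+group when it is '+').
    Surrounding whitespace is dropped so a pasted trailing space cannot
    silently break the comparison.
    """
    name = name.strip().lower()
    if separator != "\\":
        name = name.replace(separator, "\\", 1)
    return name


def is_member(user, groups, separator="\\"):
    """True if the user belongs to at least one of the listed groups."""
    user_groups = MEMBERSHIP.get(canonical(user, separator), set())
    return any(canonical(g, separator) in user_groups for g in groups)


def handle_line(line, separator="\\"):
    """Map one request line 'user group [group ...]' to the helper reply."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"  # malformed request: fail closed
    user, groups = fields[0], fields[1:]
    return "OK" if is_member(user, groups, separator) else "ERR"


def main():
    # Optional first argument: the winbind separator configured in smb.conf.
    sep = sys.argv[1] if len(sys.argv) > 1 else "\\"
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, sep) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer


if __name__ == "__main__":
    main()
```

Wired in with `external_acl_type adgroup %LOGIN /path/to/helper.py +` and `acl OWA_Group external adgroup EXAMPLE+owa_users`, this gives the same effect as --require-membership-of but makes the separator and the exact group string explicit and testable from the shell before touching squid.conf.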