[squid-users] Squid+ADS - Multiple Group Based Authentication (ISA to SQUID Migration)

From: Truth Seeker <truth_seeker_3535_at_yahoo.com>
Date: Sat, 8 Aug 2009 09:02:24 -0700 (PDT)

Hi Techies,

I am on my way to migrating our ISA Proxy Server to a Squid Proxy Server, without any downtime. I was able to set up a simple Squid server, with Samba, Winbind and Kerberos, to authenticate users against the ADS information, allow access to all authenticated users, and deny others.

Now my real situation is: I have around 7 groups in ISA, which should be available in the Squid Proxy also. When I tried to set this up, with my previous experience in LDAP + SAMBA + Squid (all servers on Linux), it is not working for this ADS environment.

The following one worked for me...

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

This is allowing all authenticated users.

But I need to do it with 5 ADS groups, not just like the above. The following are my groups.

Seniors
Engineers
guestgroup
restricted
parttime

I tried to accomplish the goal with the following (which I am using in a SAMBA+LDAP+SQUID setup completely on a Linux environment):

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type unix_group %LOGIN /usr/lib/squid/squid_unix_group

acl senior_acl external unix_group senior
acl engineer_acl external unix_group engineer
acl restricted_acl external unix_group restricted
acl guestgroup_acl external unix_group guestgroup
acl parttime_acl external unix_group parttime

then a few access regulations for the different groups...

then finally...

http_access allow senior_acl
http_access allow engineer_acl
http_access allow restricted_acl
http_access allow guestgroup_acl
http_access allow parttime_acl

http_access deny all

Any help is really appreciated!!!

--
Always try to find truth!!!
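The configuration above relies on Squid's external ACL mechanism: for each request Squid writes one line to the helper containing the %LOGIN value followed by the arguments from the "acl ... external" line, and the helper answers OK or ERR. The following is an added example, not code from the poster or from the Squid project, of a minimal helper implementing that protocol with a constructed membership table (a real deployment would query winbind, for instance with the wbinfo_group.pl helper shipped with Squid). It normalizes the login forms that NTLM and Kerberos produce (DOMAIN\user, user@REALM) before the lookup, compares group names case-insensitively, and fails closed on unknown users, unknown groups or malformed lines. The group names and users in the table are assumptions for the example; the protocol shown assumes no concurrency= channel id is configured on external_acl_type.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper demonstrating group-based access.

Squid (external_acl_type ... %LOGIN /path/to/helper) writes one line per
lookup: the authenticated login followed by the arguments given on the
'acl ... external' line. The helper answers 'OK' or 'ERR' on one line.

The membership table below is CONSTRUCTED for the example; a real helper
would query winbind (e.g. Squid's wbinfo_group.pl) instead.
"""
import sys

# Constructed sample of AD group membership (group -> members), lower-cased.
SAMPLE_GROUPS = {
    "seniors": {"alice", "bob"},
    "engineers": {"carol"},
    "guestgroup": {"dave"},
    "restricted": {"erin"},
    "parttime": {"frank"},
}


def normalize_login(login: str) -> str:
    """Reduce the forms NTLM/Kerberos produce (DOMAIN\\user, user@REALM)
    to a bare lower-case account name so lookups are consistent."""
    if "\\" in login:
        login = login.rsplit("\\", 1)[1]
    if "@" in login:
        login = login.split("@", 1)[0]
    return login.lower()


def is_member(login: str, groups, table=SAMPLE_GROUPS) -> bool:
    """True if the normalized login is in any of the named groups.
    Group names are compared case-insensitively; an unknown group counts as
    non-membership, so a misspelt acl line fails closed rather than open."""
    user = normalize_login(login)
    return any(user in table.get(g.lower(), set()) for g in groups)


def handle_line(line: str, table=SAMPLE_GROUPS) -> str:
    """Process one request line from Squid and return the reply line."""
    fields = line.split()
    if len(fields) < 2:  # no login or no group argument: deny
        return "ERR"
    login, groups = fields[0], fields[1:]
    return "OK" if is_member(login, groups, table) else "ERR"


def main():
    # Squid keeps the helper running and feeds one request per line;
    # the reply must be flushed immediately or Squid will stall.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it by hand with a line such as "CORP\alice seniors" on stdin to see OK, or "carol seniors" to see ERR; the same fail-closed behaviour is what a deny-by-default "http_access deny all" at the end of the rule list depends on.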
Received on Sat Aug 08 2009 - 16:02:31 MDT