Re: [squid-users] Squid+ADS - Multiple Group Based Authentication (ISA to SQUID Migration)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 09 Aug 2009 14:28:41 +1200

Truth Seeker wrote:
>
> Hi Techies,
>
> I am on my way to migrate an ISA Proxy Server to a Squid Proxy Server, without any downtime. I was able to set up a simple squid server, with Samba, Winbind and Kerberos, to just authenticate users based on the ADS information, allow access to all authenticated users, and deny others.
>
> Now my real situation is, I have around 7 groups in ISA, which should be available in the Squid Proxy also. When I tried to set this up, with my previous experience in LDAP + SAMBA + Squid (all servers on Linux), it is not working for this ADS environment.
>
> The following one worked for me...
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> #auth_param ntlm max_challenge_reuses 0
> #auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access allow all AuthorizedUsers
>
> This is allowing all authenticated users.
>
> But I need to do it with 5 ADS groups, not just like above. The following are my groups.
>
> Seniors
> Engineers
> guestgroup
> restricted
> parttime
>
> I tried to accomplish the goal with the following (which I am using in a SAMBA+LDAP+SQUID setup completely on a Linux environment):
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> #auth_param ntlm max_challenge_reuses 0
> #auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> external_acl_type unix_group %LOGIN /usr/lib/squid/squid_unix_group
>
> acl senior_acl external unix_group senior
> acl engineer_acl external unix_group engineer
> acl restricted_acl external unix_group restricted
> acl guestgroup_acl external unix_group guestgroup
> acl parttime_acl external unix_group parttime
>
> then a few access regulations for the different groups...
>
> then finally...
>
> http_access allow senior_acl
> http_access allow engineer_acl
> http_access allow restricted_acl
> http_access allow guestgroup_acl
> http_access allow parttime_acl
>
> http_access deny all
>
> Any help is really appreciated!!!
>

Try being case-sensitive in the group names. The ones you configured
Squid with do not match the ones you detailed as example. Assuming both
were correct they may be mis-matched because 'S' is not 's' etc.

Try also with this as the first of the auth ACL:
   acl AuthorizedUsers proxy_auth REQUIRED
   http_access deny !AuthorizedUsers

it will force a login if none is supplied.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
Received on Sun Aug 09 2009 - 02:28:54 MDT
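Added example, not from the thread: a minimal Squid external_acl helper in Python that answers the same question squid_unix_group answers, but against a constructed user-to-group table so it runs offline. It demonstrates the point Amos makes about case-sensitive group names, and adds a small pre-flight check that flags configured names which do not exist exactly in the directory (both the helper path and the `ad_group` type name in the comments are assumptions, not something from the thread).

```python
"""
Added example (not part of the thread): a Squid external_acl helper that
checks AD group membership the way squid_unix_group does, i.e. with an
exact, case-sensitive group name comparison.  A squid.conf line such as

    acl senior_acl external unix_group senior

therefore never matches a user whose AD group is called "Seniors".

Assumed squid.conf wiring (hypothetical path and type name):
    external_acl_type ad_group %LOGIN /usr/local/bin/ad_group_helper.py
    acl senior_acl external ad_group Seniors

Protocol (Squid 2.x/3.0 external_acl_type, no concurrency): Squid writes one
line per lookup, "<login> <group> [<group>...]", and expects "OK" or "ERR".
"""
import sys

# Constructed sample directory: who belongs to which AD group.  A real helper
# would ask winbind instead (squid_unix_group uses getgrnam()/getgrouplist()).
SAMPLE_GROUPS = {
    "Seniors": {"alice", "bob"},
    "Engineers": {"carol", "bob"},
    "guestgroup": {"dave"},
    "restricted": {"erin"},
    "parttime": {"frank"},
}


def strip_domain(login):
    """Return the bare user name from DOMAIN\\user (default winbind separator),
    DOMAIN+user or DOMAIN/user.  Assumption: groups are keyed by bare name."""
    for sep in ("\\", "+", "/"):
        if sep in login:
            return login.rsplit(sep, 1)[1]
    return login


def user_in_any_group(login, groups, directory=SAMPLE_GROUPS):
    """True if login is a member of at least one of groups.

    The lookup is exact: "senior" and "Seniors" are different keys, just as
    they are different group names to getgrnam().
    """
    user = strip_domain(login)
    return any(user in directory.get(g, set()) for g in groups)


def handle_line(line, directory=SAMPLE_GROUPS):
    """Turn one request line from Squid into the helper's reply."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"  # no group argument on the acl line: nothing to check
    login, groups = fields[0], fields[1:]
    return "OK" if user_in_any_group(login, groups, directory) else "ERR"


def check_configured_groups(configured, directory=SAMPLE_GROUPS):
    """Pre-flight check for the names used in squid.conf.

    Returns {configured_name: closest_directory_name_or_None} for every
    configured name that has no exact match; the suggestion ignores case and
    a trailing suffix so "senior" is reported as probably meaning "Seniors".
    """
    problems = {}
    for name in configured:
        if name in directory:
            continue
        match = next((g for g in directory
                      if g.lower().startswith(name.lower())), None)
        problems[name] = match
    return problems


def main():
    # Line-oriented loop; flush after every reply or Squid will block waiting.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line.rstrip("\n")) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it by hand with `echo "alice Seniors" | python3 ad_group_helper.py` (prints OK) versus `echo "alice senior"` (prints ERR); the second is exactly the silent failure the original configuration produces, and `check_configured_groups` over the five names in the posted squid.conf reports `senior` and `engineer` as the two that do not exist.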