Re: [squid-users] Kerb auth with LDAP groups

From: Amos Jeffries <>
Date: Mon, 01 Nov 2010 22:16:53 +0000

On Mon, 1 Nov 2010 17:03:11 -0400, "Kelly, Jack"
<> wrote:
> Hi everyone,
> I've successfully set up authentication to my proxy with squid_kerb_auth
> to get us away from using basic LDAP authentication for everything. I
> used the config guide from the squid-cache wiki (below) which worked
> perfectly.
> One thing I'd like to do is continue using LDAP Groups and/or
> Organizational Units to grant permissions to certain websites. So my
> question is in two parts:
> Is there a way to use squid_ldap_auth such that it will only prompt for
> credentials when you try to visit a certain website? (Previously I've
> had it set up so it would prompt you right when the browser opens.)

This is merely a matter of ACL organization. http_access (and other
*_access lines) are tested left-to-right top-to-bottom. So place the group
ACL on the end of a line which starts by testing the website with a
dstdomain ACL.

  acl foo dstdomain
  acl people external ldapGroups ...
  http_access deny foo !people

> Alternatively: Is there a straightforward equivalent to squid_ldap_group
> when using Kerberos authentication?

"squid_ldap_group -K" strips the Kerberos domain parts from the
credentials. Allowing group lookup against NTLM.

Markus squid_kerb_auth helper bundles with 3.2 under a slightly changed
name. It's available as a stand-alone helper for older Squid from

> Running 3.1.1 on Ubuntu x64, installed from Synaptic.

You need an upgrade. If there is not a newer version of squid3 in synaptic
(Ubuntu supplies 3.0.STABLE25 and 3.1.6) there are ported source packages
for 3.1.9 up at

Received on Mon Nov 01 2010 - 22:17:02 MDT

This archive was generated by hypermail 2.2.0 : Tue Nov 02 2010 - 12:00:02 MDT