Re: [squid-users] Dual Level Authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 08 Mar 2011 20:06:24 +1300

On 08/03/11 18:42, Go Wow wrote:
> Hi All,
>
> I have implemented the AD authentication with squid3. I would like to
> add another level of authentication which should be local to unix box
> something like ncsa. When AD authentication fails then it should
> switch to other authentication and even if it fails then deny the
> packet.
>
> In squid, when I define
>
> auth_param basic program /usr/lib/ncsa_auth /etc/squid3/passwd
> auth_param basic program /usr/lib/squid_ldap_auth ...
>
> the bottom line is configured by initiating the helper programs and
> the top line is ignored. If I interchange the above lines then again
> the bottom program is initiated and top one is ignored.

Yes. You can only define each authentication type once.

Squid just hands every Basic auth header it gets over to a helper to get
a yes/no answer for use in ACLs. It is up to that helper and the backend
authentication system it uses to do anything like failover, checking
multiple sources etc.

>
> Can someone guide me how to create the dual level authen.
>

* Use two different types of authentication, ordered by your preference.
Then hope that the browser agrees with that preference because all you
are doing is offering auth types. The client browser chooses which one
is used.

* use an authentication backend which supports checking credentials
against multiple sources, i.e. PAM or similar.

* write your own wrapper script to receive data from Squid and test both
data sources, passing the overall result back to Squid.

> I read the multiple services authentication FAQ on
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/MultipleSources
> but couldn't understand fully. I understood myacl.pl is used for
> authentication but how I do define username and password for users
> using this method?

This example is about enforcing strict controls over which background
authentication mechanism is used for any given client IP.

You *could* use it, however for trying both systems with failover it is
simpler and more efficient to write an authenticator that does it. That
example is only needed because the IP is not sent to basic auth in some
squid versions.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
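The third option above (a wrapper that receives the Basic credentials from Squid, tries the AD helper first and falls back to a local NCSA-style file) and the "write an authenticator that does it" advice later in the reply are illustrated by the following added example. It is not Squid's code nor anything from the thread: it speaks Squid's Basic helper protocol (one `username password` line per request, both fields URL-encoded, exactly one `OK` or `ERR` reply per line), wraps any existing helper such as `squid_ldap_auth` as a child process, and checks a local htpasswd file as the fallback. `FAKE_AD_HELPER` is a constructed stand-in for the real LDAP helper so the script runs offline, `SAMPLE_HTPASSWD` is constructed sample data, and only `{SHA}` htpasswd entries are handled (crypt and `$apr1$` MD5 are left out).

```python
#!/usr/bin/env python3
"""Failover Basic-auth helper for Squid (added example, not Squid's own code).

Deploy as:  auth_param basic program /usr/local/bin/failover_auth.py /etc/squid3/passwd
Squid sends "username password" per line (URL-encoded); we reply "OK" or "ERR".
"""
import base64
import hashlib
import hmac
import subprocess
import sys
from urllib.parse import unquote


def helper_backend(argv):
    """Wrap an existing Squid Basic helper (e.g. /usr/lib/squid_ldap_auth ...) as a backend.

    The child is spawned once and kept open; each check forwards one protocol line
    and reads one reply. A dead or misbehaving child counts as a failed check,
    never as a success.
    """
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            text=True, bufsize=1)

    def check(user_enc, pass_enc):
        try:
            proc.stdin.write(f"{user_enc} {pass_enc}\n")
            proc.stdin.flush()
            reply = proc.stdout.readline()
        except (BrokenPipeError, OSError, ValueError):
            return False
        return reply.split(" ", 1)[0].strip() == "OK"

    return check


def sha_entry(password):
    """The '{SHA}' hash that `htpasswd -s` writes for a password."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def parse_htpasswd(text):
    """Parse NCSA htpasswd lines ('user:hash') into a dict; comments/blanks skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, pw_hash = line.split(":", 1)
        entries[user] = pw_hash
    return entries


def htpasswd_backend(entries):
    """Local fallback: check decoded credentials against parsed htpasswd entries."""
    def check(user_enc, pass_enc):
        user, password = unquote(user_enc), unquote(pass_enc)
        stored = entries.get(user)
        if stored is None or not stored.startswith("{SHA}"):
            return False  # unknown user or unsupported hash format
        return hmac.compare_digest(stored, sha_entry(password))  # constant-time compare
    return check


def authenticate(user_enc, pass_enc, backends):
    """Try backends in order; True on the first OK, False when all of them fail."""
    return any(check(user_enc, pass_enc) for check in backends)


def respond(line, backends):
    """Map one request line to exactly one reply, even for malformed input."""
    parts = line.rstrip("\n").split(" ", 1)
    return "OK" if len(parts) == 2 and authenticate(parts[0], parts[1], backends) else "ERR"


# Constructed stand-in for squid_ldap_auth: a child speaking the same protocol
# that accepts exactly one user, so the example runs without a directory server.
FAKE_AD_HELPER = [sys.executable, "-u", "-c",
                  "import sys\n"
                  "for l in sys.stdin:\n"
                  "    print('OK' if l.rstrip('\\n') == 'alice s3cret' else 'ERR')\n"]

# Constructed local fallback file, as `htpasswd -s` would produce it.
SAMPLE_HTPASSWD = "# local users\nbob:" + sha_entry("localpw") + "\n"


def main():
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTPASSWD
    backends = [helper_backend(FAKE_AD_HELPER), htpasswd_backend(parse_htpasswd(text))]
    for line in sys.stdin:
        print(respond(line, backends), flush=True)  # one reply per request, never buffered


if __name__ == "__main__":
    main()
```

In a real deployment `FAKE_AD_HELPER` is replaced by the exact `squid_ldap_auth` command line already in the `auth_param` directive, and the wrapper becomes the single Basic helper Squid starts. Because the first backend's result short-circuits, the local file is only consulted when AD says `ERR` or the AD helper is unavailable, and a helper that crashes or stops answering degrades to the fallback rather than granting access. Passwords are never written to any log; the only output is the protocol reply.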
Received on Tue Mar 08 2011 - 07:06:38 MST
