Re: [squid-users] Why need this for get "auth-sync" between squid and dansguardian?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 03 Apr 2011 19:22:16 +1200

On 02/04/11 01:12, Fran Márquez wrote:
> I'm modifying the squid.conf file of my proxy server to replace "basic
> auth" with "ntlm auth".

Please consider going straight to Negotiate/Kerberos. NTLM is officially
deprecated and should be avoided where possible.

>
> All works fine in squid, but when I use dansguardian, I've noticed that
> dansguardian doesn't get the username if I remove these lines from
> squid.conf:
>
>
> ------------------------------------------------
> external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R \
>   -b "dc=domain" -D "cn=proxy,cn=proxy,dc=domain" -w "proxy" \
>   -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=proxy,dc=domain))" \
>   -h 1.1.1.1
>
> acl ldapLimited external ldap_group notAlowed
> acl ldapTotal external ldap_group alowed
>
> http_access allow ldapTotal all
> ------------------------------------------------
>
> Note: 1.1.1.1 is dc ip address
>
>
> I thought that these lines affect only basic authentication since they
> were already written before I started to implement the NTLM auth.
>
> Can anybody explain to me what these lines are doing exactly? I reviewed
> the ldap groups referred to in these lines (ldapLimited and ldapTotal) and
> they are empty.

What those lines do:
  external_acl_type using "%LOGIN" requires authentication credentials in
order to be tested. These details are required regardless of the result.

So whenever Squid reaches that ACL and tries to test it, it will either use
the credentials given or challenge the browser to present some.

The type of authentication does not matter to Squid when testing the
ACLs. Whatever types you have in your auth_param setup will be used and
sent.

I think the problem is likely that DG does not support NTLM. Or that
your Squid version does not allow one of the many prerequisites needed
to get (stateful!) NTLM to work over (stateless) HTTP.
These requirements are:
  * pinning client and server connection together for the duration of
*either* TCP link.
  * HTTP/1.1-style persistent server connections
  * HTTP/1.1-style persistent client connections

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
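An added configuration sketch (editor's example, not part of Amos's reply or the original poster's squid.conf) showing how the advice above fits together in Squid 3.1-era syntax: Negotiate/Kerberos in place of NTLM, the %LOGIN external ACL with the credential challenge made explicit instead of left as a side effect, and the persistent-connection and connection-auth settings a stateful scheme needs. The LDAP base, bind DN, search filter and group names are taken from the quoted config; the helper paths, the proxy SPN and realm, the bind-password file and the listening port are assumptions to adjust for your site.

```conf
# Added example for Squid 3.1 (not the original poster's file).
# Assumed: helper paths, HTTP/proxy.example.com@EXAMPLE.COM, /etc/squid/ldap_bind.pw, port 3128.

# 1. Authentication scheme. Negotiate/Kerberos instead of the deprecated NTLM;
#    the browser receives a single "Proxy-Authenticate: Negotiate" challenge.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# 2. Group lookup. %LOGIN means Squid needs credentials before it can even
#    call the helper, so a request that reaches ldapTotal without any is
#    challenged using whatever auth_param schemes are configured above.
#    -W reads the bind password from a file rather than placing it on the
#    helper command line (and in "ps" output) as -w "proxy" does.
external_acl_type ldap_group ttl=300 negative_ttl=60 %LOGIN \
    /usr/lib/squid/squid_ldap_group -R \
    -b "dc=domain" -D "cn=proxy,cn=proxy,dc=domain" -W /etc/squid/ldap_bind.pw \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=proxy,dc=domain))" \
    -h 1.1.1.1

acl authenticated proxy_auth REQUIRED
acl ldapTotal   external ldap_group alowed
acl ldapLimited external ldap_group notAlowed

# 3. Connection handling. NTLM (and Negotiate when the browser falls back to
#    NTLMSSP inside it) is stateful per TCP connection, so both sides must
#    stay persistent and the client connection must stay tied to the server
#    connection for the whole exchange.
client_persistent_connections on
server_persistent_connections on
http_port 3128 connection-auth=on

# 4. Access rules, in order: challenge first, then the group test, then deny.
#    "deny !authenticated" makes the challenge an explicit step instead of
#    relying on the external ACL to trigger it.
http_access deny !authenticated
http_access allow ldapTotal
http_access deny all
```

With this ordering, a request with no credentials is rejected with a 407 at the `authenticated` line, and the LDAP helper is only consulted for users who have already authenticated; the `ttl`/`negative_ttl` values cache the group answer so the directory is not queried on every request.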
Received on Sun Apr 03 2011 - 06:22:27 MDT
