Re: [squid-users] Squid for windows authentication against Active Directory

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 25 May 2011 19:33:26 +1200

On 25/05/11 18:39, Julian Zoellner wrote:
> hello all,
>
> In the last days I tried to set up Squid for Windows 2.7.STABLE7 with authentication against an Active Directory group "Internet". For this I used the following HowTo:
> http://www.papercut.com/kb/Main/InstallingAndConfiguringSquidNTProxy
>

Please use 2.7.STABLE9 at the very least. 2.7 as a whole is aging and
deprecated; we support 2.7.STABLE9 only until all its useful features
are ported to the 3.x series.

> So my squid.conf looks like this:
>
> http_port 3128
> external_acl_type win_domain_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -d -G
> acl Inet external win_domain_group MY-DOMAIN/Groups/Internet
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localnet src 10.0.0.0/13
> acl SSL_ports port 443 563 10000
> acl Safe_ports port 80 21 443 563 70 210 1025-65535
> acl CONNECT method CONNECT
>
> http_access allow manager localnet
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow Inet
>
> http_access deny all
> never_direct allow all
> icp_access allow all
>
>
> After starting up the Squid service I get the following reply from my helper:
> /mswin_check_ad_group.exe[3692]: Member of Domain MY-DOMAIN
> /mswin_check_ad_group.exe[3692]: Into forest MY.DOMAIN
> /mswin_check_ad_group.exe[3692]: External ACL win32 group helper build Mar 13 2010, 14:16:45 starting up...
> /mswin_check_ad_group.exe[3692]: Domain Global group mode enabled using 'MY-DOMAIN' as default domain.
>
> The last entry in my cache.log is:
> 2011/05/25 08:03:13| storeLateRelease: released 0 objects
>
> When I try to connect I always get the "Cache Access Denied" error page.
>
> Can someone please help me set this up?

Firstly, remove the never_direct line.

Then follow the instructions in that tutorial about how to set up
authentication...

     auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
     auth_param ntlm children 5

     acl loggedIn proxy_auth REQUIRED
     http_access deny !loggedIn

The part you followed begins "The next step is "... which is a clear
indication that it depends on the earlier parts which were skipped.

NP: the bits they have in that config about "localnet" are broken and
have never worked as described.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Wed May 25 2011 - 07:33:33 MDT
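
Added example, not part of the original thread and not Squid project code: a small Python check for the two problems the reply points out, an http_access rule that depends on a %LOGIN external ACL (or proxy_auth) while no auth_param helper is configured, and never_direct allow all. The function names and the cache_peer condition are assumptions of this example; both sample configs are constructed from the lines quoted in the thread.

```python
def directives(conf):
    """Split squid.conf text into token lists, skipping blanks and comments."""
    return [ln.split() for ln in conf.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def lint(conf):
    d, findings = directives(conf), []
    has_auth = any(t[0] == "auth_param" and t[2:3] == ["program"] for t in d)
    # Helper types whose format string passes the authenticated user name.
    login_types = {t[1] for t in d
                   if t[0] == "external_acl_type" and "%LOGIN" in t[2:]}
    # ACLs that cannot match until the client has authenticated.
    needs_user = {t[1] for t in d if t[0] == "acl" and len(t) > 3 and
                  (t[2] == "proxy_auth" or
                   (t[2] == "external" and t[3] in login_types))}
    used = {a.lstrip("!") for t in d if t[0] == "http_access" for a in t[2:]}
    if not has_auth:
        for name in sorted(needs_user & used):
            findings.append(f"http_access uses acl {name}, which needs a user "
                            "name, but no 'auth_param <scheme> program' is set")
    # Assumption (general Squid behaviour): never_direct needs a cache_peer.
    if (any(t[:3] == ["never_direct", "allow", "all"] for t in d)
            and not any(t[0] == "cache_peer" for t in d)):
        findings.append("never_direct allow all without any cache_peer")
    return findings

# Constructed input: the relevant lines of the poster's squid.conf.
BROKEN = """\
external_acl_type win_domain_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -d -G
acl Inet external win_domain_group MY-DOMAIN/Groups/Internet
http_access allow Inet
http_access deny all
never_direct allow all
"""

# Constructed input: the same rules with the reply's changes applied.
FIXED = """\
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5
external_acl_type win_domain_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -d -G
acl Inet external win_domain_group MY-DOMAIN/Groups/Internet
acl loggedIn proxy_auth REQUIRED
http_access deny !loggedIn
http_access allow Inet
http_access deny all
"""
if __name__ == "__main__":
    for label, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, lint(conf) or "no findings")
```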
