Re: [squid-users] squid_ldap_auth - authentication only after 3 try

From: Pavel Bychykhin <bychykhin.p.n_at_hts.kh.ua>
Date: Wed, 03 Apr 2013 12:21:45 +0300

I had a similar problem and solved it by running two instances of Squid.
The first instance uses the negotiate_wrapper for GSSAPI and NTLM helpers.
The second one uses basic and digest schemes.
As I understand it, the fact is that the browsers themselves choose what kind of scheme to use.
I.e., one browser would prefer the negotiate scheme over basic.
Another browser would use the scheme that is first in the list.

02.04.2013 21:39, Alípio Luiz wrote:
> I have squid configured with kerberos (squid_kerb_auth) to
> authenticate users against Active Directory. The SSO is working well
> for users logged on domain...
>
> For users out of domain, I configured squid_ldap_auth +
> squid_ldap_group. However, the authentication only works after the
> third try of the user...
>
> Is there a way to fix that? I want users to put in their credentials
> just one time to authenticate...
> Our OS is Windows XP and Windows 7.. both with IE9 + Firefox + Chrome
>
> May you help me?
> Thanks in advance...
>
> Below is what I have in squid.conf (section about authentication):
> #########################################################
> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s HTTP/server.domain.local
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=local" -D squid_at_DOMAIN.LOCAL -w "@mypass" -f sAMAccountName=%s -h server.domain.local -d
> auth_param basic children 5
> auth_param basic realm Internet Authentication
> auth_param basic credentialsttl 2 hours
> auth_param basic keep_alive off
>
> external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b "dc=domain,dc=local" -D squid_at_DOMAIN.LOCAL -w "@mypass" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=$
>
> acl INTERNET_Perfil_Avancado external memberof INTERNET_Perfil_Avancado
> acl INTERNET_Perfil_Basico external memberof INTERNET_Perfil_Basico
> acl INTERNET_Perfil_Padrao external memberof INTERNET_Perfil_Padrao
> acl INTERNET_Perfil_Padrao_Sociais external memberof INTERNET_Perfil_Padrao_Sociais
>
> acl auth proxy_auth REQUIRED
> #########################################################
> --
> Alípio Luiz [Squidy] | Brasil - Cuiabá/MT
> Email/GTalk: alipio.luiz [arroba] gmail.com
> Skype: alipio.luiz
> Linux User #251497
>

-- 
Best regards,
Pavel
Received on Wed Apr 03 2013 - 09:22:06 MDT
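
The scheme selection described in the reply above, as an added example that is not part of the original thread or of Squid itself: it parses the Proxy-Authenticate challenges out of a 407 response and applies the two client behaviours mentioned (prefer negotiate, or take the first scheme listed). The sample response, the STRENGTH ranking and the policy names are assumptions made for illustration.

```python
# Constructed 407 response (not captured traffic): what one Squid instance with
# both "auth_param negotiate" and "auth_param basic" configured, in that order,
# is assumed to send. The realm is taken from the quoted squid.conf.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Server: squid\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    'Proxy-Authenticate: Basic realm="Internet Authentication"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# Assumed ranking for the "prefers negotiate over basic" client model.
STRENGTH = {"negotiate": 3, "ntlm": 2, "digest": 1, "basic": 0}
POLICIES = ("first-listed", "strongest")


def offered_schemes(raw_response):
    """Return the offered schemes in the order the proxy sent them.

    Handles the one-challenge-per-header form shown in SAMPLE_407.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes


def pick(schemes, policy):
    """Model which scheme a client answers with under the given policy."""
    usable = [s for s in schemes if s in STRENGTH]
    if not usable:
        return None
    if policy == "first-listed":
        return usable[0]
    if policy == "strongest":
        return max(usable, key=STRENGTH.__getitem__)
    raise ValueError("unknown policy: " + policy)


def compare(schemes):
    """Map each modelled policy to the scheme it would select."""
    return {policy: pick(schemes, policy) for policy in POLICIES}


if __name__ == "__main__":
    combined = offered_schemes(SAMPLE_407)
    for label, offer in [("one instance, both schemes", combined),
                         ("same schemes, basic listed first", combined[::-1]),
                         ("second instance, basic only", ["basic"])]:
        print(label, offer, compare(offer))
```

With both schemes on one instance the outcome depends on the client's policy and the listing order; an instance that offers only basic yields basic under either policy.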

This archive was generated by hypermail 2.2.0 : Wed Apr 03 2013 - 12:00:13 MDT