Re: [squid-users] Restricting Authenticated Users

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 24 Feb 2003 22:04:13 +0100

Piece of cake ;-)

If your domain is an AD domain then I would recommend ditching msntauth
and go for LDAP instead, or if you prefer using Windows NT domain
technology to use winbind integration via Samba (see the Squid FAQ for
details).

Squid-2.5 has well-evolved support for group based acl controls using
various types of backend user databases such as Windows NT Domain, LDAP
(including MSAD and most more or less standard LDAP directories) and many
others with simple scripting.

For instructions on how to set up Samba/winbind for Squid see the Squid
FAQ.

For instructions on how to set up LDAP authentication see the LDAP
authentication and group tools shipped with current Squid-2.5 nightly
snapshots (what will become 2.5.STABLE2 in a not too distant future).
There are also several posts in the squid-users archives from the last few
months discussing the same topic.

If using LDAP then I strongly recommend experimenting a little with
ldapsearch to get familiar with the LDAP structure of MS AD before looking
into the details of how to configure the Squid LDAP authentication/group
integration. The Squid LDAP tools are generic LDAP tools and some of the
parameters to these can only be understood if there is some
understanding of the MS Active Directory LDAP structure.

Regards
Henrik

Scott Wrosch wrote:

> What we have is a proxy that is set up to authenticate to the Windows
> 2000 domain using msntauth. That works fabulously.
>
> My original plan was to set it up so that the domains the customer
> service people need access to could be reached unrestricted. Then,
> they would have to be authenticated in order to access anything beyond
> that. And, using msntauth, they wouldn't be allowed to.
>
> However, I have had a monkey wrench thrown into those plans, which would
> have been simple and worked well. What now needs to be done is each
> user needs to be put into specific groups. Those specific groups then
> have varying access needs to specific sites. This could then entail
> multiple users being in multiple groups. It's a huge monkey wrench
> because we have 30+ customer service people, most of them would be
> required to be in different groups.
>
> Now, with that being said, I know ACLs would definitely be involved.
> But, what I'm wondering is if there is any simple way to do this. I
> live by KISS (Keep It Simple, Stupid), and to me, things just got
> extraordinarily un-simple. So, I'm looking for any hints, tips,
> suggestions, advice, etc etc etc...
>
> This isn't something that I'm particularly thrilled about, but I don't
> make the decisions. I've been going through the squid.conf file trying
> to figure out possible ways of doing this, but nothing is just coming
> out, slapping me in the face, and saying this is the way to do it!
>
> Thanks in advance for any assistance anyone can offer!
>
> Regards,
>
> Scott Wrosch
> desk 248.333.7700 x227
> email swrosch@marketingassociates.com
>
> "Our greatest glory is not in never falling
> but in rising every time we fall." -- Confucius
Received on Mon Feb 24 2003 - 14:20:18 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:35 MST
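As an added illustration of the LDAP-based group ACL setup Henrik describes (this is not configuration from the original thread, and the helper paths, the bind DN, the domain/OU names, the group names and the site lists are all assumptions for the example), the following squid.conf fragment authenticates users against Active Directory over LDAP, lets the customer service sites through without authentication, and then grants each AD group its own set of sites. It is written against the Squid-2.5 helpers `squid_ldap_auth` and `squid_ldap_group`; check the placeholder letters (`%v`/`%a`, or `%u`/`%g` in older builds) against the usage output of the helper you actually have.

```conf
# --- Authentication: basic auth checked against AD over LDAP ---------------
# Assumed: a read-only bind account cn=squidproxy,cn=Users,dc=example,dc=com
# and a domain controller reachable as dc1.example.com (all hypothetical).
auth_param basic program /usr/lib/squid/squid_ldap_auth \
    -b "dc=example,dc=com" \
    -f "(&(objectClass=user)(sAMAccountName=%s))" \
    -D "cn=squidproxy,cn=Users,dc=example,dc=com" -w "BIND-PASSWORD" \
    -h dc1.example.com
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 1 hour

# --- Group lookup: is user %v a direct member of AD group %a? --------------
# %a is taken from the acl line that references this external acl type.
# memberOf only reflects direct membership, so nest no groups on the AD side.
external_acl_type ad_group ttl=600 children=5 %LOGIN /usr/lib/squid/squid_ldap_group \
    -b "dc=example,dc=com" \
    -f "(&(objectClass=user)(sAMAccountName=%v)(memberOf=cn=%a,ou=Proxy Groups,dc=example,dc=com))" \
    -D "cn=squidproxy,cn=Users,dc=example,dc=com" -w "BIND-PASSWORD" \
    -h dc1.example.com

# --- Site lists and group ACLs (names and domains are made up) -------------
acl localnet      src 192.168.1.0/24
acl cs_sites      dstdomain .support.example.com .orders.example.com
acl finance_sites dstdomain .bank.example.com
acl research_sites dstdomain .news.example.com .research.example.com
acl authed        proxy_auth REQUIRED
acl grp_finance   external ad_group ProxyFinance
acl grp_research  external ad_group ProxyResearch

# --- Policy: first matching http_access line wins ---------------------------
http_access deny  !localnet
http_access allow cs_sites                    # no login needed for these
http_access allow finance_sites grp_finance   # login + group membership
http_access allow research_sites grp_research
# A user in both groups gets the union of both site lists.
# Uncomment the next line if every authenticated user may reach anything
# not listed above; leave it out to deny everything else.
# http_access allow authed
http_access deny  all
```

Before wiring this into Squid, do what the reply suggests and confirm the directory layout with ldapsearch using the same bind account, for example `ldapsearch -x -H ldap://dc1.example.com -D "cn=squidproxy,cn=Users,dc=example,dc=com" -W -b "dc=example,dc=com" "(sAMAccountName=swrosch)" memberOf`; the `memberOf` values it returns are exactly the strings the group filter above has to match. Two operational caveats: the `-w` password is visible to anyone who can read the helper's command line with `ps`, so keep the bind account read-only and, if your helper build supports reading the password from a file, use that instead; and because the group helper is queried per request (subject to `ttl`), a member removed from a group keeps access until the cached answer expires.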