RE: [squid-users] ldap authentication...

From: Chris Perreault <Chris.Perreault@dont-contact.us>
Date: Wed, 14 Jul 2004 07:44:22 -0400

Rick, please respond to the mailing list, not just to me.

Read up on the ACLs. If the destination is signup.com then you can REQUIRE
authentication, or not... !REQUIRED

acl newbies dst signup.com
acl authenticated proxy_auth REQUIRED
http_access allow newbies authenticated

(I think this would work...and if it doesn't that's another reason to post
to the list so others can correct my error and we all learn)

All traffic for their browser is directed (or ends up at) the proxy server.
How will squid know to direct them to this activate account webpage? What
makes a user who has an account vs one who does not different and how will
squid know it? Squid will not know until they either pass/fail an
authentication run. It sounds like you want all failed authentication to end
up on the sign up page. The first-time user would be presented with a logon
box, not know what to do with it, but if failed out three times would end up
on this page. If they didn't try and fail they'd call the helpdesk (you!:))
Better to just send new users to this page in the first place. Once signed
up, as part of this process, they can then end up at the disclaimer page,
and then start browsing the internet.

You want to show the disclaimer page every time they go out to the internet?
Then all traffic from Squid has to end up at this disclaimer page. Now what
does the user do? If they try to go to the internet again they end up at the
disclaimer page again....and again.

Sounds like you want a !REQUIRED....for the single sign up site. This means
if they are told to go to signup.com it won't authenticate them and they can
then sign up. If signup.com is inside the gateway (that you said the proxy
is defined as) then you don't need to worry about the ACL and they will just
go to it on your back end network. In both cases they need to be told go to
signup.com to sign up. Better yet, when they turn in their physicals,
payment for class, etc...have them sign an internet use policy form and keep
that in their file and grant internet access at the same time as their email
account and other accesses are created.

Chris Perreault
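
A squid.conf fragment for the flow Rick describes, added here as an example and not taken from the thread or from Squid's own documentation: it pairs the LDAP basic-auth helper from the earlier message with an ACL order that lets the sign-up site through without credentials and challenges for everything else. Hostnames, the base DN, the network range and the helper path are assumptions; it also assumes browsers are configured to use the proxy explicitly, since proxy_auth cannot challenge clients that merely route through the box via their default gateway.

```conf
# Added example squid.conf fragment (Squid 2.5 era); not from the original thread.
# Hostnames, base DN, network range and helper path are assumptions.

# Basic auth against LDAP, using the helper built with
# --enable-basic-auth-helpers=LDAP (installed as squid_ldap_auth in 2.x,
# renamed basic_ldap_auth in later releases).
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "ou=students,dc=example,dc=edu" -f "uid=%s" ldap.example.edu
auth_param basic children 5
auth_param basic realm Campus internet access
auth_param basic credentialsttl 2 hours

acl localnet src 10.0.0.0/8                 # assumed dorm network
acl signup dstdomain signup.example.edu     # assumed account-activation site
acl authenticated proxy_auth REQUIRED       # any valid LDAP login

# http_access is evaluated top to bottom and the first matching line wins.
# The sign-up site therefore has to be allowed BEFORE the proxy_auth line;
# a single line "allow signup authenticated" matches only when BOTH ACLs
# match, so new students would be challenged for a password they do not
# have yet.
http_access allow localnet signup
http_access allow localnet authenticated
http_access deny all
```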

-----Original Message-----
From: Rick Whitley [mailto:rickwh@dbu.edu]
Sent: Tuesday, July 13, 2004 8:52 PM
To: Chris Perreault
Subject: RE: [squid-users] ldap authentication...

Hi Chris

Sorry to keep bothering you. Do you have an example of how to pass
non-authenticated traffic through to one site and authenticated through to
another? When the user gets on the network for the first time they will be
non-authenticated and be passed to a site where they can activate their
account. After that the user will be authenticated and needs to be passed to
a site which displays a disclaimer prior to them getting on the internet.
Does this sound feasible?

Thanks again for your help.

rick...
Rom.5:8

>>> Chris Perreault <Chris.Perreault@Wiremold.com> 7/12/2004 2:10:19 PM >>>
No need to apologize. Often I see someone post something like "I need this"
and then 4-5 posts later someone else finally asks why, and then you see
"ahhh, you just need to do this instead" :)

If all traffic going through the proxy needs to be authenticated, and you
use basic auth, then the users will be presented with a basic auth pop up
box asking for their username and password. You can have an ACL rule that
allows non-authenticated traffic through, to one site, that web page you
mentioned. Alternatively, that website can be inside your network. In that
case the students will access that local webserver for their account setup,
and then head out through the proxy to the internet. Traffic going through
the proxy can be set up so it needs to be authenticated, doing so on another
server first I have not heard of. Giving the new students notification
like:
"welcome to school, to access the internet you need to set up your account
here: www.internal.webserver.com/student/signup.htm" And then have all proxy
traffic that is not authenticated properly be redirected to this site or
some other page that explains why they couldn't get access to the internet.

If the users are already logged into some kind of network, then there are
other methods of authenticating too. Spend some time learning about the ACL
options and read through some of the online documentation. I picked up the
O'Reilly book, "Squid the Definitive Guide" and it helped me a lot...as did
scouring the net for information about squid and what we were trying to do.

Chris Perreault

-----Original Message-----
From: Rick Whitley [mailto:rickwh@dbu.edu]
Sent: Monday, July 12, 2004 2:36 PM
To: Chris Perreault
Subject: RE: [squid-users] ldap authentication...

Hi Chris,

Thanks for the reply and I apologize for the generic posting. We are a
university and are setting up a proxy server for the student/dorm internet
access. The goal is to have a student (wired or wireless) hit the network,
and be displayed a web page that will give them the option to activate their
account or if they already have, login and access the internet.

We have dhcp with the gateway pointing to the proxy server. The proxy will
redirect to a web server to display the page. Once they login the proxy will
authenticate them and either reject access or allow access.

Do I have the process right or am I way out in left field?

thanks for taking time to respond to this.

rick...
Rom.5:8

>>> Chris Perreault <Chris.Perreault@Wiremold.com> 7/12/2004 1:09:46 PM >>>
The FAQ at the www.squid-cache.org site is one place to research this.

When you compile squid you need to have the ldap helper included too.

./configure -h will display all the options

./configure --enable-basic-auth-helpers=LDAP

From the source code will help. Within the helpers directory you can drill
down into the LDAP directory and read the help files included there too.

Using your favorite search engine on SQUID LDAP will give you plenty to read
too.

You may also find that stating what you'd like to do, to this list, will
result in responses less generic and more geared towards a solution that
suits your particular needs.

Chris Perreault

-----Original Message-----
From: Rick Whitley [mailto:rickwh@dbu.edu]
Sent: Monday, July 12, 2004 1:23 PM
To: squid-users@squid-cache.org
Subject: [squid-users] ldap authentication...

Hello,

I am new to Squid and would like to know where to find information on
setting up squid to use ldap for authentication. I have read that it is part
of the basic ncsa_auth module but the only examples I see use ncsa_auth with
a passwd file. I'm not asking for anyone to do my job, just tell me where to
find some documentation and examples.

thanks

rick...
Rom.5:8
Received on Wed Jul 14 2004 - 05:45:17 MDT