Re: [squid-users] integrating squid/linux with windows 2003 domain controller and active directory

From: Dave Augustus <davea@dont-contact.us>
Date: Wed, 08 Sep 2004 13:20:15 -0500

Hello N.N.

The only thing here a little special is the group requirements but the
rest is pretty straightforward:

You need:
krb-1.31 or newer
samba-3
squid-2.5 stable

After compiling each of these, you use the ntlm_auth that comes with
samba and add the squid server to the AD.

Then you configure squid to proxy_auth the users with the AD.

Finally, you add filters to the squid.conf based on group membership.

If you need more details, let me know, but everything you are asking for
is, I believe, entirely do-able with Squid.

I have had 2 squid servers running for about 6 months and they have been
pretty maintenance-free once I got them authenticating with the AD.

--
Dave
On Wed, 2004-09-08 at 03:20, narancs wrote:
> Dear All,
> 
> We have this situation:
> 
> 1. internet proxy for a company is a suse 9.0 linux dist with squid-2.5.STABLE3-110
> 2. proxy authentication is required
> 3. usernames/password should be taken from the company's windows' active directory
> 4. there are three groups of users: three different acls are required:
> 	- average joe user can only view some sites based on a list
> 	- leaders can view anything, but only http and https
> 	- sysadmins can ftp, too
> 5. group membership should also be taken from windows
> 6. pre-windows2000 protocols are not enabled because of security policy and
> requirements, maybe this is the reason why msnt_auth doesn't seem to work. On a DC
> that enables NT4's protocols, msnt_auth works.
> 7. both ldap_auth authenticators I couldn't get working, although I have seen the
> ldap tree scheme, maybe I was wrong understanding it.
> 
> My question is:
> - does anybody have experience and tips how to get this working?
> - will ntlm_auth or msnt_auth work at all with w2k or newer when nt4's older ntlm
> and lanman is disabled?
> - can ldap_auth work with active directory?
> - can we use group membership info somehow?
> - is there any way to create a local (open)ldap replica based on the AD?
> - should we use pam_auth and pam_ldap instead? or kerberos?
> 
> I couldn't find good examples on google yet, to help us get it right.
> 
> If my colleagues and I can't cope with it, we'll have to move back to MS ISA proxy,
> which personally I don't really like.
> 
> thank you very much for your help people!
> with regards
> N.N.
> 

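The setup Dave outlines (ntlm_auth from Samba 3 for proxy_auth, then group-based filters in squid.conf) for the three groups narancs describes, as an added squid.conf example that is not part of this thread. The AD group names, the helper paths and the whitelist file are assumptions; the squid host is assumed to be already joined to the domain and winbind running.

```conf
# Added example (not from the thread): Squid 2.5 + Samba 3 ntlm_auth with
# AD group ACLs. Group names, helper paths and the whitelist file are
# assumptions; the proxy is assumed to be joined to the domain already.

# 1. Authenticate against the AD through winbind. The squid runtime user
#    needs read access to winbind's privileged pipe for ntlm_auth to work.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
# Fallback for clients that cannot speak NTLM. Basic sends the password in
# the clear on the client-to-proxy hop, so keep it on the internal LAN only.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Company proxy
auth_param basic credentialsttl 2 hours

# 2. Group membership from the AD via winbind. %LOGIN hands the
#    authenticated user name to the wbinfo_group.pl helper shipped with squid;
#    ttl caches each answer for 5 minutes so group changes show up quickly.
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl ad_users   external ad_group Internet-Users
acl ad_leaders external ad_group Internet-Leaders
acl ad_admins  external ad_group Internet-Admins

# 3. Request attributes used by the three policies.
acl authenticated proxy_auth REQUIRED
acl whitelist dstdomain "/etc/squid/allowed_sites.txt"
acl ftp proto FTP

# 4. Policy, most-privileged group first. The first rule returns a 407
#    challenge to anything unauthenticated; sysadmins get everything,
#    ftp is then refused for everyone else, leaders get the rest, average
#    users only the whitelist, and unknown accounts hit the final deny.
http_access deny !authenticated
http_access allow ad_admins
http_access deny ftp
http_access allow ad_leaders
http_access allow ad_users whitelist
http_access deny all
```

Check the group helper by hand before relying on it: `echo "DOMAIN\user Internet-Leaders" | /usr/lib/squid/wbinfo_group.pl` should answer `OK` for a member and `ERR` otherwise.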
Received on Wed Sep 08 2004 - 12:30:50 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Oct 01 2004 - 12:00:02 MDT