Re: [squid-users] Can't see usernames in logs after enabling NTLM

From: Oliver Hookins <ohookins@dont-contact.us>
Date: Tue, 08 Feb 2005 12:18:49 +1100

Chris Robertson wrote:
>>-----Original Message-----
>>From: Oliver Hookins [mailto:ohookins@gmail.com]
>>Sent: Monday, February 07, 2005 3:34 PM
>>To: Chris Robertson
>>Cc: squid-users@squid-cache.org
>>Subject: Re: [squid-users] Can't see usernames in logs after enabling
>>NTLM
>>
>>
>>Chris Robertson wrote:
>>
>>>If you want all requests to be authenticated first, use "http_access deny
>>>!AuthGroup" at the top. That way any requests from sources that are not
>>>authenticated will be denied and asked for authentication. Requests that
>>>are authenticated will pass on down to the next ACL (not being explicitly
>>>denied, but not explicitly allowed either).
>>
>>The authentication method is just passing through fakeauth to grab
>>usernames anyway so it's not quite authentication as such. But basically
>>we want all requests to pass through fakeauth in order to grab usernames.
>>
>>Then we want to:
>>* allow access to anyone who is authorised by LDAP group
>>* requests that aren't LDAP group authorised but ARE on the SURFING IP
>>ACL list should be allowed
>>* requests that aren't LDAP authorised and aren't from an IP on the
>>SURFING ACL but are to an allowedsite should be allowed
>>* deny everything else
>>
>>http_access allow AuthGroup
>>http_access allow SURFING
>>http_access allow allowedsites
>>http_access deny all
>>
>>Will that do it, and grab authentication details for every request?
>>
>>
>>Thanks,
>>Oliver
>
>
> Here is how I read your setup:
>
> Everyone is prompted for authentication (which is passed to fakeauth_auth,
> and so passes) and the credentials are tested against LDAP (http_access
> allow AuthGroup). If the credentials map to an allowed group the person
> surfs wherever they wish, otherwise the client IP is checked against allowed
> sites. If the client IP is listed in SURFING they are allowed to surf
> wherever they wish, otherwise their destination domain is checked against
> allowedsites. If found, the request is allowed.
>
> So to be denied, it has to be someone not in an authorized LDAP group,
> surfing from a computer not in the SURFING IP range going to a site not
> listed in allowedsites. In any case, all transactions are logged to
> whatever name the surfer provided to the authentication request.
>
> That should about cover it...
>
> Chris
>

Yes that is exactly right. Thanks very much, Chris!

Oliver
Received on Mon Feb 07 2005 - 18:18:55 MST

This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:01 MST