>Hi,
> I would make the following authentication scheme with squid, if
> possible :)
[cut]
>If a user, member of domain users and not included in the "internet" group,
>logs into the domain, naturally he can't surf (he isn't a member of the
>"internet" group); I would, in this case, like a login mask to be presented
>by the browser, because it can happen that someone has the right
>username/password (= is a member of the "internet" group) and permits this
>limited user to surf, without having to log off and log in to the domain
>again with different credentials.
>Essentially squid has to do a new membership check for a new account nested
>in the first, which grants the domain membership but not the faculty to
>surf the web.
>
>
>ISA server has this kind of behavior, and if it could be re-created with squid
>it would be pretty nice.
::I know the ISA Server behaviour.
::
::What you are asking for is to trigger again an authentication
::request to the browser when the user authentication is
::correct, but an external acl, or
|
|
Trigger browser auth in the "not correct" case, aka "user authenticated in the domain but with no rights to surf the web".
::any other acl, deny the access to Squid.
::
::Some network administrators don't like this because it allows
::the change of user credentials even using the NTLM transparent
::authentication schema.
::You can open a feature request on Bugzilla.
Basically, all I want is the triggering of IE's login mask in case the user isn't a member of the "internet" group. I know it may represent a security hole (imagine someone with a keylogger running... "hey, can you please type your username/password in this login mask? I assure you, I will not watch what you're typing...") but in my case this feature is mandatory for various reasons... I doubt I can do something to trigger the auth mask if I have an acl that checks the group membership only at logon time.
I think I'll open the request on squid's bugzilla.
For now, thanks for the great work done for SquidNT, Guido.
It works fine :)
Eupec
Received on Tue Mar 29 2005 - 12:21:46 MST
This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:03 MST