Re: [squid-users] Active Directory computer login restrictions stops Squid authentication for these users

From: B <basti@dont-contact.us>
Date: Fri, 26 Aug 2005 14:11:33 +0200

if i get you right, you use properties of the user objects.

my first thought about this was to create organizational units in ad and
restrict "logon locally" for these users in the computer objects. that way
users would not have a restriction to ip's in them but only the workstations
do.

due to the number of ou's (for every computer there will be one) in the
directory this will only be useful with a limited number of users and
workstations.

hope this helps.

Quoting D & E Radel <radel@inet.net.nz>:

> Hi there
>
> Squid is authenticating with no problems with our domain via LDAP.
>
> I wish to use the built-in Active Directory account option to restrict
> which computers a user on our domain can log into (i.e. instead of being
> able to log into 'all computers', just their own). If I enable this
> setting, these users no longer access the www through the Squid proxy.
> Obviously there is an option to add other computer names to the list of
> computers that a user can log into (e.g. our squid box).
>
> Our Squid runs on Linux and has not been made a member computer of our
> domain as we are not using winbind or samba. I am not sure how to get
> our Squid box to register its IP in the DNS server on our Domain
> Controller. I manually added a record in the DNS, but only the full
> computer name (including domain name suffix) resolves. There is not
> enough space to type the whole name in, under the Active Directory
> options.
>
> So I am wondering if figuring out whether investigating any of these
> will allow me to still authenticate the users in squid as well as
> restricting their ability to log into various local pcs. Or whether it's
> a waste of time. I am not sure on the specifics of how Squid exactly
> interacts with AD and whether or not this is possible.
>
> The easiest solution is not to restrict what computers our users can log
> into. But, I'd like to figure out if it's possible to restrict them and
> still have squid authenticate them.
>
> Any tips or ideas greatly appreciated. Many thanks in advance. :-)
> D.Radel.
>
>

-

b .
Received on Fri Aug 26 2005 - 06:11:34 MDT
