[squid-users] Authentication Override

From: Brian Kirk <bekirk@dont-contact.us>
Date: Wed, 2 May 2007 18:41:33 -0400

We have a need for an authentication override for NTLM. For example,
there are users that share a computer for access, but the system is
logged in with a generic account to Active Directory. We would like to
know who is going where, so the generic account doesn't have Internet
access, but the users have another AD account for Internet only, and
we would like to give them the ability to get to the Internet without
having to log out and log back into Windows. We have smartfilter
installed, so users actually all have access, but the default access is
very restricted (fbi.gov, weather.com, etc.). If the users are in our
Standard Internet group then they can get to more, and of course we
have users that have unrestricted access that can get to almost everything.
So can we provide a weblink or a form that would allow them to
override the NTLM authentication, or change the credentials from the
browser?

relevant parts of squid.conf:

smartfilter_state on
smartfilter_config /opt/squid/etc/config.txt
smartfilter_userinfo_program /opt/squid/libexec/sf_userinfo -f /opt/squid/etc/config.txt
smartfilter_userinfo_children 15

auth_param ntlm program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30

auth_param basic program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl all src 0.0.0.0/0.0.0.0
never_direct allow all
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
no_cache deny QUERY

http_access allow all AuthorizedUsers
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

Thank you,
Brian
Received on Wed May 02 2007 - 16:41:41 MDT