Re: [squid-users] Squid and NTLM using require_membership_of stills prompts for username

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sat, 15 Dec 2007 02:43:08 +1300

Adrian Chadd wrote:
> On Fri, Dec 14, 2007, cuchulain 78 wrote:
>
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp --require-membership-of=groupname
>>
>> However if a user who isn't a member of this group tries to browse, they get
>> prompted for a username and password. Is there any way to disable this login
>> box and forward them to the standard squid denied page?
>>
>> Since I don't know which program pops up the login box, I actually don't know if
>> this is squid or dansguardian related.
>
> I believe it's part and parcel of the authentication process. Squid sends
> an authentication challenge; they send their reply; Squid then says "nup!"
> and asks for it to try authenticating again. The browser then pops up a
> box asking for alternative credentials.

While that is technically exactly true, there is a workaround that I have been
itching to try out. If you are up for an experiment, cuchulain 78!

According to Henrik, way back, the box only pops up if auth is the last
ACL on the line.
Along with that are my own experiences hacking deny_info for nefarious
purposes :-)

So ... creating a new ACL containing 'all' ... placing it at the EOL and
adding a matching deny_info ... should in my mind do what is wanted here.

The config would look like this:

# skipping the actual auth_param bits ... ...

# and the bits checking whatever web-login ...

acl ntlmAuth proxy_auth REQUIRED
acl altAuth src all
deny_info http://page.somewhere.invalid/index.html altAuth
http_access deny !ntlmAuth altAuth

Anyone keen to try that out? Could you please let me know the resulting
success/failure.

Amos
Received on Fri Dec 14 2007 - 06:43:11 MST
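
Added example, not part of the original message or of Squid itself: a small static check for the two things the workaround above depends on, namely that no "http_access deny" line ends in an auth ACL and that every ACL name used by http_access and deny_info is actually defined. The finding codes and sample configs are constructed for illustration, and 'all' is assumed to be already defined.

```python
AUTH_TYPES = {"proxy_auth", "proxy_auth_regex"}

def lint_squid_acls(conf_text):
    """Return sorted (line_no, code, acl_name) findings for a squid.conf excerpt."""
    acl_types = {"all": "src"}   # assumption: 'all' is already defined
    last_on_deny = set()         # ACLs that end some 'http_access deny' line
    deny_info = []               # (line_no, acl_name) taken from deny_info lines
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "acl" and len(tok) >= 3:
            acl_types.setdefault(tok[1], tok[2])
        elif tok[0] == "http_access" and len(tok) >= 3:
            names = [t.lstrip("!") for t in tok[2:]]
            # ACLs must be defined before the access line that uses them.
            findings += [(no, "undefined-acl", n) for n in names if n not in acl_types]
            if tok[1] == "deny":
                last_on_deny.add(names[-1])
                if acl_types.get(names[-1]) in AUTH_TYPES:
                    # Auth ACL last on a deny line: the client is re-challenged.
                    findings.append((no, "auth-last-on-deny", names[-1]))
        elif tok[0] == "deny_info" and len(tok) >= 3:
            deny_info.append((no, tok[-1]))
    for no, name in deny_info:
        if name not in acl_types:
            findings.append((no, "undefined-acl", name))
        elif name not in last_on_deny:
            # deny_info is selected by the last ACL of the matching deny line.
            findings.append((no, "deny-info-never-used", name))
    return sorted(findings)

# Constructed sample: auth is the last ACL, so the login box reappears.
PROMPTING = """\
acl ntlmAuth proxy_auth REQUIRED
http_access deny !ntlmAuth
"""
# Constructed sample: the arrangement proposed in the message above.
REWORKED = """\
acl ntlmAuth proxy_auth REQUIRED
acl altAuth src all
deny_info http://page.somewhere.invalid/index.html altAuth
http_access deny !ntlmAuth altAuth
"""

if __name__ == "__main__":
    for label, conf in (("prompting", PROMPTING), ("reworked", REWORKED)):
        print(label, lint_squid_acls(conf))
```

The check is static only: it does not tell you whether the browser accepts the redirect, which is the experiment the message asks for.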
