AW: [squid-users] NTLM authentication, but not for everyone

From: <Markus.Rietzler_at_rzf.fin-nrw.de>
Date: Thu, 17 Jul 2008 13:42:28 +0200

>
>Rich West wrote:
>>
>> I added NTLM authentication (via winbind back to AD), and that works
>> great. I can see the user names populated in the output. However, I
>> cannot seem to get it to allow traffic through for those users that the
>> NTLM authentication fails on.
>>
>> In other words, I have:
>> ---squid.conf snippet---
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 5
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Web Proxy Server
>> auth_param basic credentialsttl 24 hours
>> ...
>
>The simplest way around this is to setup basic authentication as a
>backup to NTLM (configured after NTLM auth config). And give those
>people a special type of user/pass for internet access.
>

but this means that there must be a special user in the AD domain to
work. so everyone can use that "surfer" account.

you have used auth ntlm and auth basic. that means that you will first
try to do ntlm auth against AD and if this fails you do basic auth also
against AD. you could change the basic auth to do auth against a local
passwd-file, then you could add accounts with id/password who are
allowed to access the squid. if a person is not a member of AD nor in the
passwd-list then he is not allowed to access - at least if he doesn't
know one id/pass from passwd...

markus
Received on Thu Jul 17 2008 - 11:42:33 MDT
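
The setup described in the reply above, as an added squid.conf example that is not part of the original thread: NTLM stays on AD while the Basic fallback checks a local password file. The helper path /usr/lib/squid/ncsa_auth, the file /etc/squid/passwd, the group name "squid" and the ACL name "authenticated" are assumptions; adjust them to your install.

```squidconf
# Added example; helper path, passwd path and ACL name are assumptions.

# 1. NTLM is offered first. Domain-joined clients authenticate against AD
#    through winbind, exactly as in the original snippet.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

# 2. Basic is offered second and is checked against a local NCSA-style
#    password file instead of AD. ncsa_auth is the helper name in
#    Squid 2.x/3.0; later releases ship it as basic_ncsa_auth.
#    Create entries with:  htpasswd /etc/squid/passwd <user>
#    (add -c only when creating the file for the first time).
#    Keep the file unreadable to ordinary users, for example
#    owner root, group squid, mode 640.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Web Proxy Server
auth_param basic credentialsttl 24 hours

# 3. Require a successful login from either scheme. A client that is
#    neither in AD nor in the local file gets no access.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Caveat: Basic credentials travel base64-encoded, not encrypted, on every
# request. Give each non-AD user an individual entry rather than one shared
# account so that access.log still shows who made each request.
```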
