Hi guys,
Am having a system running squid that authenticates users from the
Active Directory. Squid is version 2.6 STABLE6 running in CentOS 5.1.
It authenticates users according to the various groups that have been
defined in the Active Directory. If i run squid directly, it
authenticates users according to their groups but in the case of
implementing Dansguardian which is to act as a guard then the
authentication of groups fail miserably. but if i just authenticate
everyone from the AD, it works well only that it doesnt log the
usernames but the IP addresses of the users.
#MY CHANGES-------------------------------------------------------------------
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
##END HERE--------------------------------------------------------------------
external_acl_type wbinfo_group_helper %LOGIN /usr/lib/squid/wbinfo_group.pl
##MY CHANGES-----------------------
acl my_network src 10.1.0.0/20
acl ntlm_users proxy_auth REQUIRED
acl usergroup1 external wbinfo_group_helper internetusers
acl group1 external wbinfo_group_helper directorsinternet
seniormanagers itinternet auditandsystem
acl group2 external wbinfo_group_helper hrinternet financeinternet
citinternet guardinginternet securitysystems salesandmarketing
transportinternet
acl user1_ports port 21 25 80 110 443 10000
acl user2_ports port 21 25 80 110 443
acl user3 port 80 443
http_access allow usergroup1
http_access allow my_network
http_access allow localhost
http_access allow ntlm_users
#http_access deny manager
http_access allow group1 user1_ports
http_access allow group2 user2_ports
# And finally deny all other access to this proxy
http_access allow SSL_ports
http_access deny !Safe_ports
http_access deny all
##---------------------------------
for Dansguardian
filterip = 10.1.0.81
# the port that DansGuardian listens to.
filterport = 8080
# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 10.1.0.81
# the port DansGuardian connects to proxy on
proxyport = 3128
# Auth plugins
# These replace the usernameidmethod* options in previous versions. They
# handle the extraction of client usernames from various sources, such as
# Proxy-Authorisation headers and ident servers, enabling requests to be
# handled according to the settings of the user's filter group.
# Multiple plugins can be specified, and will be queried in order until one
# of them either finds a username or throws an error. For example, if Squid
# is configured with both NTLM and Basic auth enabled, and both the
'proxy-basic'
# and 'proxy-ntlm' auth plugins are enabled here, then clients which
do not support
# NTLM can fall back to Basic without sacrificing access rights.
#
# If you do not use multiple filter groups, you need not specify this option.
#
#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-basic.conf'
#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-digest.conf'
authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-ntlm.conf'
#authplugin = '/usr/local/etc/dansguardian/authplugins/ident.conf'
#authplugin = '/usr/local/etc/dansguardian/authplugins/ip.conf'
These are my acls'. They work in my small testing environment but when
i try to implement them in the clients environment, they just refuse
to work. Could someone please help.
Received on Wed Dec 17 2008 - 09:05:47 MST
This archive was generated by hypermail 2.2.0 : Fri Dec 19 2008 - 12:00:02 MST