Hi Erwann,
Sorry I forgot to specify that I have got an http_access rule below which does work, I can authenticate when using only the username and password in AD but not when using domain\username.
http_access allow InetAccess
Clayton York
-----Original Message-----
From: Erwann PENCREACH [mailto:erwann.pencreach_at_ch-chaumont.fr]
Sent: Friday, July 10, 2009 1:38 PM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Help Please : NT Domain name stripping in squid_ldap_group
Hi,
there is no access rule below
You need at least one to grant or deny access
for instance this is one of mine :
####
external_acl_type loggeduser %DST %SRC /squid_script_path/loggeduser_acl.sh
acl isok external loggeduser
http_access allow isok
###
where /squid_script_path/loggeduser_acl.sh
get uid of the user logged on %SRC (ask samba to tell), check acces type to the internet defined in a ldap directory
then return OK or KO depending on the url and the effective rights
Clayton York a écrit :
> Hi All,
>
>
> I am a newbie to Linux and squid and require some assistance please.
>
> I am running a server on CENTOS release 5.2 (Final), and have configured squid (2.6.STABLE21-3) for ldap group authentication with Active Directory.
> I have seen in the man page for the squid_ldap_group there is an -S option to strip the NT domain name from the username. I have added the -S to our squid.conf file, squid_ldap_group section however this does not seem to strip the domain name as from the access.log file I can see that squid still passes the domain\username through to AD which then fails.
>
> Please find my squid authentication configuration below.
>
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=domnet,dc=bbd,dc=co,dc=za" -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f sAMAccountName=%s -h 10.3.1.216
> auth_param basic children 5
> auth_param basic realm Your Organisation Name
> auth_param basic credentialsttl 1 hour
>
>
> external_acl_type InetGroup ttl=60 %LOGIN
> /usr/lib64/squid/squid_ldap_group -R -b "dc=domnet,dc=bbd,dc=co,dc=za"
> -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w
> "password" -f "(&(objectclass=person)(sAMAccountName=%v)
> (memberof=cn=%a,ou=SquidUsers,dc=bbdnet,dc=bbd,dc=co,dc=za))" -S -h
> 10.3.1.216
>
>
> acl InetAccess external InetGroup SquidUsersAllow
>
>
> Please if anyone has any insight into what I might be missing please let me know.
>
>
> Thank you,
>
> Clayton York
> --
> Ce courrier électronique a été vérifié et est exempt de virus connus à ce jour.
> Contactez votre administrateur pour plus de renseignement.
> postmaster_at_ch-chaumont.fr
-- Ce courrier ˙lectronique a ˙t˙ v˙rifi˙ et est exempt de virus connus ˙ ce jour. Contactez votre administrateur pour plus de renseignement. postmaster_at_ch-chaumont.frReceived on Fri Jul 10 2009 - 11:55:24 MDT
This archive was generated by hypermail 2.2.0 : Fri Jul 10 2009 - 12:00:02 MDT