2009/7/28 Amos Jeffries <squid3_at_treenet.co.nz>:
> Harley Jackson Willmott wrote:
>>
>> 2009/7/27 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>
>>> On Mon, 27 Jul 2009 13:50:24 +1000, Harley Jackson Willmott
>>> <open.harley_at_gmail.com> wrote:
>>>>
>>>> Hey all.
>>>>
>>>> I've done lots of searching and haven't been able to find examples of
>>>> this particular scenario so I'm putting it to you guys for help.
>>>>
>>>> Basically, my boss has me setting up a Squid server for our company's
>>>> primarily Microsoft-based network (We use Active Directory). We've
>>>> already got a proxy server set up running Webmarshal. Webmarshal takes
>>>> care of all the filtering stuff based on Active Directory membership.
>>>>
>>>> I'm implementing a Squid server to both cache (obviously) and to
>>>> throttle certain users using delay pools.
>>>>
>>>> The original plan was to have Squid in front of Webmarshal, which
>>>> means Squid needs to be able to pass the AD credentials to Webmarshal.
>>>> The server itself is running Ubuntu 9.04 Server with
>>>> Squid-3.0.STABLE16 compiled with buckets enabled and is joined to our
>>>> AD domain through Likewise-Open. I'd like to create ACLs based on
>>>> user/group membership in AD, but IPs are fine if that isn't possible.
>>>> The main thing is that I -need- the credentials passed to Webmarshal
>>>> so that the user isn't prompted to enter their username and password
>>>> into their browser (this is how it acts prior to pointing it to
>>>> Squid).
>>>>
>>>> Is this possible with my version of Squid? I've been trying to follow
>>>> examples and documentation on the web, but frequently run into
>>>> conflicting and/or outdated information. If so, can someone help me
>>>> out with an example or something? If not, should I just be putting
>>>> Squid behind Webmarshal?
>>>
>>> Behind would be the quickest fix.
>>>
>>> Or you could go the whole way and configure Squid AD authentication with
>>> groups access control to completely replace WebMarshall. Squid bundles a
>>> few external ACL helpers that check group access. The rest is up to how
>>> you
>>> set what access controls.
>>>
>>> Amos
>>>
>>>
>>
>> Thanks, Amos, I mulled it over a bit and talked to the boss and we've
>> put Squid in front of Webmarshal
>>
>> I got Squid up and running but was getting a massive headache trying
>> to make it pass credentials to Webmarshal. The problem was revealed to
>> me by another thread on this mailing list that mentioned this would
>> only work in 2.7 and 3.1, whereas I've been using 3.0. I compiled 2.7
>> and it passes credentials to Webmarshal fine now! Delay pools are
>> working great too (it's funny being happy about seeing the internet
>> moving slowly)
>> However, I'm faced with another problem. I still need to set up ACLs
>> in Squid that are based on Active Directory groups. The box is in our
>> domain with Samba and Winbind and wbinfo, wbinfo_group.pl and
>> ntlm_auth all work flawlessly.
>> Unfortunately, after I add the lines for ntlm authentication, my
>> browser (even IE) prompts me for username and password a few times and
>> then sends me to a Cache Access Denied page. My access.log also does
>> not show any usernames/groups.
>>
>> I've played around with the lines a bit but here is how they stand at
>> the moment:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 30
>> auth_param ntlm keep_alive on
>>
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm mushmusic
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>>
>> acl authedusers proxy_auth REQUIRED
>> http_access allow authedusers
>>
>> Any advice?
>> Cheers :)
>
> You also need persistent connections enabled, and connection-auth= flags on
> any cache_peer lines.
>
> http://www.squid-cache.org/Versions/v2/2.7/cfgman/
> See these settings:
> * client_persistent_connections
> * server_persistent_connections
> * persistent_connection_after_error
> * detect_broken_pconn
>
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
> Current Beta Squid 3.1.0.12
>
Thanks again! I managed to get ntlm_auth working, with ACLs based on
the user's AD groups to decide different bucket sizes and speeds
without the browser prompting.
I had disabled the passing of credentials to Webmarshal beforehand to
isolate what I was working on and now that I've gotten ntlm_auth
working, I re-enabled it. Unfortunately, I am prompted for credentials
again. This time, however, entering the credentials seem to work (as
opposed to just prompting me over and over again before).
If I'm _only_ passing credentials or _only_ authenticating for Squid,
then everything works swimmingly. However, having both at once causes
it to prompt the user at the browser. Can I only have one or the other
or is there a solution that allows Squid to authenticate as well as
pass creds to Webmarshal?
Cheers
Harley
Received on Wed Jul 29 2009 - 05:14:32 MDT
This archive was generated by hypermail 2.2.0 : Wed Jul 29 2009 - 12:00:05 MDT