Squid authentication

[localzuk]

I now have a squid + dansguardian proxy/filter set up with active directory user authentication.

Is it possible for the username and password to authenticate to be picked up automatically rather than them having to enter it into another box in the browser?

Cheers,
Tony

[webman]

Have you joined the server to the domain and does samba auth work from the command line? How are you authenticating through squid?

[localzuk]

The authentication is working fine. It is done via squid_ldap_group which is part of squid. It is set up as described at http://papercut.biz/kb/Main/Configur...ctiveDirectory

(Except I only have a deny group and a default 'allow everyone else' acl)

The machine isn't joined to the domain as the authentication is passed via http so it wouldn't be necessary I woudn't have thought?

[webman]

Not sure on that score then; we have transparent authentication on our IPCop box (uses squid) and our auth_param uses ntlm rather than LDAP.

Code:

auth_param ntlm program /usr/lib/squid/ntlm_auth BBARRINGTON/bbs-svr-001 BBARRINGTON/bbs-svr-002

[tom_newton]

If you want it "done for you" in an out-of-the box solution with a nice UI, give us a call - SmoothWall - 0113 3874160. So yes, it is possible

[localzuk]

Ah, I see... I'll give it a try that way instead.

That makes sense as it would use the NTLM protocol rather than http basic...

Cheers!

[localzuk]

If you want it "done for you" in an out-of-the box solution with a nice UI, give us a call - SmoothWall - 0113 3874160. So yes, it is possible

I think I can manage with my config file hacking at the moment I'm here for another 4 years at least so I won't be passing complex systems on to someone else for a while :P

[webman]

If you want it "done for you" in an out-of-the box solution with a nice UI, give us a call - SmoothWall - 0113 3874160. So yes, it is possible

... or download IPCop

[localzuk]

IPCop is no use to me without having to mess around loads - I have a single NIC firewall set-up which I am not able to change so IPCop would need some serious messing in order to get it to play nice.

[webman]

Ok

[localzuk]

Ah, that does the job fine. I worked through these 2:

https://help.ubuntu.com/community/Ac...ryWinbindHowto
http://wiki.squid-cache.org/SquidFaq...Authentication

The only difference now is that I can't do a check to see if the user is in a group or not via the AD - which is a shame.

Does anyone know how to block a single user from having access to the net through squid and ntlm? I'm guessing it will just be an ACL?

[ChrisH]

Make a banned group and put the ACL up high in the order to say no access to that group.

[localzuk]

What type of acl is that? What options do I give it?

[localzuk]

Ah, I've managed it in 2 different ways now

First way was by using the ldap group method on its own (and not the ldap auth part).

The way I'm using now is by using /usr/lib/squid/wbinfo_group.pl as an external ACL program as shown in the example towards the middle of http://linux.ittoolbox.com/groups/te...h-ntlm-729052#

Now just to rustle up a nice looking 'you can't get online because you've been banned' page.

[Wildebeaste]

I've got Squid and Dansguardian working (Fedora Core 6), together with NTLM authentication (it was a very trying experience - designed to drive normal people into the dealth grip of Microsoft I think).

Now I'd like to be able to block individuals/groups using something similar to 'wbinfo_group.pl'. I've run into some problems though.

Whenever I try to use of the many, varied and conflicting articles, using wbinfo_group all I get is an authentication dialogue - I've tried localzuk's link.

Does anyone have a link to an article which is guaranteed, absolutely copper-bottomed, 100% to work?

I may have to hit something soon.

P.S Fedora Core 6's bouncing window effects are great.