  1. #1

    localzuk's Avatar
    Join Date
    Dec 2006
    Location
    Minehead
    Posts
    17,684
    Thank Post
    516
    Thanked 2,453 Times in 1,899 Posts
    Blog Entries
    24
    Rep Power
    833

    Squid authentication

    I now have a squid + dansguardian proxy/filter set up with active directory user authentication.

    Is it possible for the username and password to authenticate to be picked up automatically rather than them having to enter it into another box in the browser?

    Cheers,
    Tony

  2. #2

    webman's Avatar
    Join Date
    Nov 2005
    Location
    North East England
    Posts
    8,406
    Thank Post
    639
    Thanked 961 Times in 661 Posts
    Blog Entries
    2
    Rep Power
    324

    Re: Squid authentication

    Have you joined the server to the domain and does samba auth work from the command line? How are you authenticating through squid?

  3. #3

    localzuk's Avatar

    Re: Squid authentication

    The authentication is working fine. It is done via squid_ldap_group which is part of squid. It is set up as described at http://papercut.biz/kb/Main/Configur...ctiveDirectory

    (Except I only have a deny group and a default 'allow everyone else' acl)

    The machine isn't joined to the domain as the authentication is passed via http so it wouldn't be necessary I wouldn't have thought?

  4. #4

    webman's Avatar

    Re: Squid authentication

    Not sure on that score then; we have transparent authentication on our IPCop box (uses squid) and our auth_param uses ntlm rather than LDAP.

    Code:
    auth_param ntlm program /usr/lib/squid/ntlm_auth BBARRINGTON/bbs-svr-001 BBARRINGTON/bbs-svr-002

  5. #5


    tom_newton's Avatar
    Join Date
    Sep 2006
    Location
    Leeds
    Posts
    4,475
    Thank Post
    866
    Thanked 849 Times in 671 Posts
    Rep Power
    196

    Re: Squid authentication

    If you want it "done for you" in an out-of-the box solution with a nice UI, give us a call - SmoothWall - 0113 3874160. So yes, it is possible

  6. #6

    localzuk's Avatar

    Re: Squid authentication

    Ah, I see... I'll give it a try that way instead.

    That makes sense as it would use the NTLM protocol rather than http basic...

    Cheers!

  7. #7

    localzuk's Avatar

    Re: Squid authentication

    Quote Originally Posted by tom_newton
    If you want it "done for you" in an out-of-the box solution with a nice UI, give us a call - SmoothWall - 0113 3874160. So yes, it is possible
    I think I can manage with my config file hacking at the moment. I'm here for another 4 years at least, so I won't be passing complex systems on to someone else for a while :P

  8. #8

    webman's Avatar

    Re: Squid authentication

    Quote Originally Posted by tom_newton
    If you want it "done for you" in an out-of-the box solution with a nice UI, give us a call - SmoothWall - 0113 3874160. So yes, it is possible
    ... or download IPCop

  9. #9

    localzuk's Avatar

    Re: Squid authentication

    IPCop is no use to me without having to mess around loads - I have a single NIC firewall set-up which I am not able to change so IPCop would need some serious messing in order to get it to play nice.

  10. #10

    webman's Avatar

    Re: Squid authentication

    Ok

  11. #11

    localzuk's Avatar

    Re: Squid authentication

    Ah, that does the job fine. I worked through these 2:

    https://help.ubuntu.com/community/Ac...ryWinbindHowto
    http://wiki.squid-cache.org/SquidFaq...Authentication

    The only difference now is that I can't do a check to see if the user is in a group or not via the AD - which is a shame.

    Does anyone know how to block a single user from having access to the net through squid and ntlm? I'm guessing it will just be an ACL?

  12. #12
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    5,009
    Thank Post
    120
    Thanked 282 Times in 260 Posts
    Rep Power
    108

    Re: Squid authentication

    Make a banned group and put the ACL up high in the order to say no access to that group.

  13. #13

    localzuk's Avatar

    Re: Squid authentication

    What type of acl is that? What options do I give it?

  14. #14

    localzuk's Avatar

    Re: Squid authentication

    Ah, I've managed it in 2 different ways now

    First way was by using the ldap group method on its own (and not the ldap auth part).

    The way I'm using now is by using /usr/lib/squid/wbinfo_group.pl as an external ACL program as shown in the example towards the middle of http://linux.ittoolbox.com/groups/te...h-ntlm-729052#

    Now just to rustle up a nice looking 'you can't get online because you've been banned' page.
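
A squid.conf fragment for the arrangement posts #12 and #14 describe (NTLM authentication, a banned group checked through wbinfo_group.pl, and a custom denial page), added here as an example and not taken from any poster's configuration. The ACL names, the group name InternetBanned, the Samba helper path and the ERR_BANNED page name are assumptions.

```conf
# Added example. ACL names, the AD group name, the ntlm_auth path and the
# error page name are assumptions, not values from the thread.

# NTLM through Samba's winbind helper (proxy host joined to the domain).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

# Group lookup helper: Squid sends "<login> <group>" per line and the
# helper answers OK or ERR. Answers are cached for ttl seconds, so a
# membership change can take that long to be seen by the proxy.
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl authenticated proxy_auth REQUIRED
acl banned external ad_group InternetBanned

# Always-true ACL used only to end the deny rule. When the last ACL on a
# deny line is authentication-related, Squid answers with another
# credential challenge (407) instead of an error page.
acl show_banned_page src 0.0.0.0/0

# deny_info is matched against the last ACL of the rule that denied.
# ERR_BANNED is a custom file placed in Squid's error page directory.
deny_info ERR_BANNED show_banned_page

# Order matters: the ban is evaluated before the general allow.
# 'all' is built in on Squid 3.x; older configs define it with an acl line.
http_access deny banned show_banned_page
http_access allow authenticated
http_access deny all
```

After a reload, a request from a member of the banned group should be logged as TCP_DENIED/403 with the username filled in; a 407 for that user means the request was challenged again rather than refused.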

  15. #15
    Wildebeaste's Avatar
    Join Date
    Oct 2006
    Location
    Nottinghamshire
    Posts
    64
    Thank Post
    12
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Squid authentication

    I've got Squid and Dansguardian working (Fedora Core 6), together with NTLM authentication (it was a very trying experience - designed to drive normal people into the death grip of Microsoft I think).

    Now I'd like to be able to block individuals/groups using something similar to 'wbinfo_group.pl'. I've run into some problems though.

    Whenever I try to use one of the many, varied and conflicting articles using wbinfo_group, all I get is an authentication dialogue - I've tried localzuk's link.

    Does anyone have a link to an article which is guaranteed, absolutely copper-bottomed, 100% to work?

    I may have to hit something soon.

    P.S Fedora Core 6's bouncing window effects are great.
