Hi,
I would like to authenticate Active Directory users via LDAP and group membership. My setup seems to work fine except for one little thing.
First here is my config: auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 40 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 1 minutes
external_acl_type LDAPGROUP %LOGIN /usr/libexec/squid_ldap_group -b "ou=MYCIE,dc=mycie,dc=com" -D "cn=USERNAME,ou=ITS,ou=MYCIE,dc=mycie,dc=com" -w MYPASS -f "(&(samAccountName=%v)(memberOf=cn=%a,ou=ITS,ou=MYCIE,dc=mycie,dc=com))" -p 389 -S -P -d -h 10.64.1.10
acl AXS external LDAPGROUP Internet_access http_access allow AXS all http_access deny all
It works fine, if the user is in the AD group Internet_access, he can browse the internet, if he's not in the group, he can't.
The problem:
The problem is if I modify a user access (remove or add in Internet_access) I need to use "squid -k reconfigure" to apply the changes.
Is there something I can change that wouldn't required a squid reconfigure?
I also seen some post about squid_ldap_auth, does it only support basic auth? Would it solve my problem?
Check out the ttl and negative_ttl on authorisation. You need to set it to something low enough for your changes to become apparent relatively quickly (I use 2 minutes). You set it on the external_acl_type line so check out the squid.conf comments above it.
Regards, Oliver
