Hi,
At 23.35 28/03/2005, eupec@xxxxxxxxxxx wrote:
> Hi,
> I would like to set up the following authentication scheme with Squid, if possible :)
> My scenario: Windows 2000 Server (that acts as AD domain controller) + SquidNT 2.5.STABLE9 installed on it; domain clients are w98, w2k, wxp with IE 6 SP1. There's a group in AD called "internet", and the members of this group have rights to surf the web.
> If a user is a member of the "internet" group, he logs in to the domain and can browse the net - this is very simple to do with the win32_check_group.exe helper and an appropriate acl; I made it and it works fine. If a user who is a member of domain users but not included in the "internet" group logs in to the domain, naturally he can't surf (he isn't a member of the "internet" group). In this case I would like the browser to present a login mask, because it can happen that someone has the right username/password (= is a member of the "internet" group) and permits this limited user to surf, without having to log off and log in to the domain again with different credentials. Essentially Squid has to do a new membership check for the new account nested in the first - which grants the domain membership but not the ability to surf the web.
> ISA Server has this kind of behavior, and if it could be re-created with Squid it would be pretty nice.

I know the ISA Server behaviour.
What you are asking for is to trigger an authentication request to the browser again when the user authentication is correct but an external acl, or any other acl, denies access to Squid.
Some network administrators don't like this because it allows the change of user credentials even when using the NTLM transparent authentication scheme.
You can open a feature request on Bugzilla.
Regards
Guido
--
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it/