>Hi, > I would make the following authentication scheme with squid, if > possible :) [cut] >If an user, member >of domain users and not included in "internet" group logs >into domain, naturally he can't surf (he isn't member of "internet" group); I would, in this case, that a login >mask is presented by the browser, because can >happen that someone have the right username/password (=is >member of "internet" group) and permit the surf to this limited user, without have >to log-off and log-in the domain again with different credentials. >Essentially squid have to do a new membership check for new account nested >in the first -that grants the domain membership but not the faculty to >surf the web. > > >ISA server have this kind of behavior, and if could re-create with squit >it would be pretty nice. ::I know the ISA Server behaviour. :: ::What you asking for, is trigger again an authentication : ::request to the browser when the user authentication is ::correct, but an external acl, or | | Trigger browser auth in the "not correct" case aka "user authenticated in the domain but with no rights to surf the web. ::any other acl, deny the access to Squid. :: ::Some network administrators don't like this because allow ::the change of user credentials even using NTLM nsparent ::authentication schema. ::You can open a feature request on Bugzilla. Basically, all I want is the triggering of IE's login-mask in case of the user isn't member of the "internet" group. I know it may represents a security hole (imagine someone with a keylogger running..."hey, can you please type your username/password in this login mask? I assure, I will not watch what you're typing...") but in my case this feature is mandatory for various reasons...I doubt I can do something to trigger the auth mask if I've an acl that checks the group membership only at logon time. I think I'll open the request on squid's bugzilla. For now, thanks for the great work done for SquidNT, Guido. It works fine :) Eupec --------------------------------------------------------------- Scegli il tuo dominio preferito e attiva la tua email! Da oggi l'eMail di superEva e' ancora piu' veloce e ricca di funzioni! http://webmail.supereva.it/new/ ---------------------------------------------------------------
