Hi,
I use ntlm/winbind to authenticate my users.
My conf:
=====================================================
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type AD_Group concurrency=15 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl dmz_network src 10.216.1.0/24
http_access allow dmz_network
acl AllowedADUsers external AD_Group "/etc/squid/allowedntgroups"
acl Winbind proxy_auth REQUIRED
http_access allow AllowedADUsers
http_access deny !AllowedADUsers
http_access deny !Winbind
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
=====================================================
That works, but I want to know if I can:
1- Currently, when the user is not in an internet group (specified in allowedntgroups),
squid shows a box asking for a new login/pass and afterwards shows a "Cache Access Denied" page.
Is it possible that, after seeing that the user is not in an internet group, it doesn't ask for a login/pass
and shows a specific html page or gif with "Access Denied"?
And is it possible that users not in the right groups don't have a "cache"? (If the admin changes
the group, the user is immediately OK.)
2- I want users authenticated in "Winbind" but not in the right groups to be able to go to
2 or 3 sites. I have put:
acl allow_url dstdomain .pagesjaunes.fr phibee.net
http_access allow allow_url
but that doesn't work ... and one of these sites uses gifs located at another web address ...
Is it possible to say "pagesjaunes.fr" + the html gif requests?
Thanks for your help