Re: [squid-users] squid no ntlm_auth for certain IPs

On Mon, 23 May 2005 10:14 pm, Daniel wrote:
> Hello Squid Users,
>
> I've set up squid using samba and ntlm_auth for user authentication. And
> everything works fine. Users with a valid Active Directory
> authentication can surf the web. Users without such authentication
> can't. Just like I intended it to work.
>
> But now I am facing a problem. We have some users within our network who
> work on "non-Active-Directory aware" machines (Mac OS X, Linux, Solaris
> to give them names). Now my question is: how can I allow access to the
> proxy cache for these certain IP addresses (static ones) which those
> clients use? Is there a way I can let certain IPs simply bypass the
> ntlm_auth authentication?
>
> Thanks for any advice!
>
> Daniel

Hi Daniel,

Configure a "basic" authenticator in squid.conf that authenticates with samba 
(winbind etc.), then when they open a browser etc., they will be prompted for a 
user name and password.  The user name should be in the form "domain\userid" 
where "domain" is the active directory domain their account belongs to.

e.g. (excerpt from my squid.conf):
...
auth_param basic children 5
auth_param basic casesensitive off
auth_param basic realm Tell the user what they are authenticating to
auth_param basic credentialsttl 2 hour
# Next 2 lines are actually 1 in the config - they are wrapped by my mail
# client in this example and indented manually for clarity. :)
auth_param basic program /usr/local/bin/ntlm_auth 
           --helper-protocol=squid-2.5-basic
...
(note the last two lines are actually a single line)

We use this "dual-authentication" scheme and it works well - it also means 
that browsers etc, that don't support NTLM authentication are supported.

FWIW, KDE 3.4 and Konqueror now support NTLM (transparent) authentication if 
you configure the default user name and password in KDE's "Control Center" 
under "Internet & Network -> Local Network Browsing".  Once again, you'll 
need to use the "domain\userid" notation here too.  If you don't set up these 
defaults with a valid account, it will "fall-back" to basic-auth.

HTH,

James
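
The dual-authentication setup described in the reply above, written out as one squid.conf fragment. This is an added example, not part of James's message or of either poster's configuration: the NTLM helper line, the ACL names and the 192.0.2.x addresses are assumptions, and the helper path is the one shown in the excerpt. The optional src rule shows the address-based bypass the original question asked about.

```conf
# --- Authentication schemes --------------------------------------------
# Squid offers the schemes in the order they are configured, so NTLM is
# listed first; clients that cannot do NTLM fall back to Basic.
# (Assumed NTLM helper line; only the Basic lines appear in the excerpt.)
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

# Basic scheme, checked against the same winbind/Active Directory backend.
# Basic sends the password base64-encoded (not encrypted) with every
# request, so it is readable on the client-to-proxy network path.
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic casesensitive off
auth_param basic realm Tell the user what they are authenticating to
auth_param basic credentialsttl 2 hour

# --- Access control ----------------------------------------------------
# Constructed sample addresses (documentation range); replace with the
# static IPs of the machines that cannot authenticate.
acl noauth_hosts src 192.0.2.10 192.0.2.11

# Matches any request carrying valid credentials from either scheme.
acl ad_users proxy_auth REQUIRED

# http_access rules are evaluated top-down and the first match wins.
# The src rule must come BEFORE the proxy_auth rule: once Squid reaches
# a proxy_auth ACL it sends the client a 407 challenge.
# Requests allowed by this rule carry no user name in access.log, and
# any host that can take one of these addresses gets the same access.
http_access allow noauth_hosts

# Everyone else must authenticate (NTLM, or Basic as "domain\userid").
http_access allow ad_users

# Default deny.
http_access deny all
```

Dropping the noauth_hosts ACL and its http_access line gives the pure dual-authentication variant, in which every request is tied to a named account.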
