On Mon, 5 Sep 2005, Martin Daemen wrote:
I had hope, if I use for example fakeauth, squid could take the well
known username and pass these information on simply way to ldap_group or
something like this. But I found no working setup. Or exist no other
possibility to authenticate user without login prompt than via NTLM ?
NTLM is the only method whereby the browser automatically logs in to the
proxy using the same login details as used for logging in to the Windows
workstation.
fakeauth is a NTLM verifier, accepting any login as valid.
The other authentication schemes only provides automatic login via the
"Save this login" function in your browser login box.
And if this like that, is there any change for squid not to get member
of the domain?
The SMB ntlm helper (Squid ntlm_auth) allows you to query any Windows file
server who is member of the domain to verify the login. But it requires
the proxy to be allowed to reach the SMB port on some Windows server in
the domain.
My 2nd large problem is the sequence of the acces lists. Is it possible
to configure the acces lists in such a way, that if the user tested
without login prompt, is not member of the first group, the login prompt
appears and the username insert by the user is tested against the 2nd AD
group?
Not easily, as the user automatically gets logged in in the first place.
This is possible only if the actual user is not member of any of the
groups, forcing him to log in as some other user (in his browser) to
access the web.
Regards
Henrik
