Hi Jerome,
At 10.56 26/06/2006, Jerome wrote:
OK Guido !
>You need two components for user authentication /authorization:
>
>- An authentication helper for USER AUTHENTICATION, this could be
win32_auth.exe (basic authentication) or win32_ntlm_auth.exe (NTLM
>authentication)
Why I can't use the squid_ldap_auth.exe for authentification ?
win32_auth is more simple to use in a Windows domain.
I can't use the win32_auth.exe because squid is not on the same server like
my AD... Or I don't understand how win32_auth.exe running... ;-)
The second ... :-)
It's very simple (assuming that your squid machine is MEMBER of your AD):
You must use the "domain\user" notation for the username.
>- An External ACL helper for Windows group based USER AUTHORIZATION, this
could be win32_check_group.exe (native Windows groups)
I have tested win32_check_group.exe in commande line and it work !! OK !
>What you don't need is the local group support of win32_auth.exe.
Have you an example of authentifiaction/authorization with win32_auth.exe or
other for a AD and squidNT running on 2 differents servers ?
Yes:
auth_param basic program c:/squid/libexec/win32_auth.exe
auth_param basic children 2
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
external_acl_type NT_global_group %LOGIN
c:/squid/libexec/win32_check_group.exe -G
acl ProxyUsersMember external NT_global_group ProxyUsers
acl password proxy_auth REQUIRED
acl our_networks src 172.30.0.0/16
http_access allow password our_networks ProxyUsersMember
http_access deny all
In the previous example, only the domain users member of the Domain
GLOBAL Group "ProxyUsers" are allowed to use the proxy when the
request comes from the 172.30.0.0/16 subnet.
You need to run Squid on a machine member of the AD Domain: it's a
prerequisite for win32_auth and win32_check_group.
Regards
Guido
-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it/