Thanks Guido !

It works fine.... But I'm on a test machine. In production, the server will not be on the AD domain.... So I can't use the win32 program... :(

Do you know the ldap authentication ?

Thanks !

Jérôme

-----Original Message-----
From: Serassio Guido [mailto:guido.serassio@xxxxxxxxxxxxxxxxx]
Sent: Monday, 26 June 2006 11:59
To: Jerome; 'Henrik Nordstrom'
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: RE: Pb ldap with SquidNT

Hi Jerome,

At 10.56 26/06/2006, Jerome wrote:
>OK Guido !
>
> >You need two components for user authentication /authorization:
> >
> >- An authentication helper for USER AUTHENTICATION, this could be
> >win32_auth.exe (basic authentication) or win32_ntlm_auth.exe (NTLM
> >authentication)
>
>Why can't I use the squid_ldap_auth.exe for authentication ?

win32_auth is simpler to use in a Windows domain.

>I can't use the win32_auth.exe because squid is not on the same server
>as my AD... Or I don't understand how win32_auth.exe runs... ;-)

The second ... :-)
It's very simple (assuming that your squid machine is a MEMBER of your AD):
You must use the "domain\user" notation for the username.

> >- An External ACL helper for Windows group based USER AUTHORIZATION, this
> >could be win32_check_group.exe (native Windows groups)
>
>I have tested win32_check_group.exe on the command line and it works !!

OK !

> >What you don't need is the local group support of win32_auth.exe.
>
>Have you an example of authentication/authorization with
>win32_auth.exe or other for an AD and squidNT running on 2 different servers ?

Yes:

auth_param basic program c:/squid/libexec/win32_auth.exe
auth_param basic children 2
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G

acl ProxyUsersMember external NT_global_group ProxyUsers
acl password proxy_auth REQUIRED
acl our_networks src 172.30.0.0/16

http_access allow password our_networks ProxyUsersMember
http_access deny all

In the previous example, only the domain users who are members of the Domain GLOBAL Group "ProxyUsers" are allowed to use the proxy when the request comes from the 172.30.0.0/16 subnet.

You need to run Squid on a machine that is a member of the AD Domain: it's a prerequisite for win32_auth and win32_check_group.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it/
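
Added example (not part of the original messages and not Squid's own code): a small Python model of how the http_access lines in the configuration above are evaluated, showing that all three ACLs on the allow line must match before the final "deny all" is reached. The request dictionaries, the group lookup standing in for win32_check_group.exe, and the definition of the "all" ACL are assumptions made for illustration.

```python
import ipaddress

# Access rules copied from the configuration in the message above.
SQUID_CONF = """
external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G
acl ProxyUsersMember external NT_global_group ProxyUsers
acl password proxy_auth REQUIRED
acl our_networks src 172.30.0.0/16
http_access allow password our_networks ProxyUsersMember
http_access deny all
"""

def parse(conf):
    """Collect acl definitions and the ordered http_access rules."""
    # Assumption: "all" matches every IPv4 source, as in a default squid.conf.
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []
    for line in conf.splitlines():
        tok = line.split()
        if tok[:1] == ["acl"]:
            acls[tok[1]] = (tok[2], tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acl, req):
    """Evaluate one ACL against a constructed request dictionary."""
    kind, args = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(a) for a in args)
    if kind == "proxy_auth":   # REQUIRED: any successfully authenticated user
        return req.get("user") is not None
    if kind == "external":     # args = [helper name, group, ...]
        # Stand-in for the group helper: membership comes from the request.
        is_member = any(g in req.get("groups", ()) for g in args[1:])
        return req.get("user") is not None and is_member
    raise ValueError(f"unsupported acl type: {kind}")

def decide(req, conf=SQUID_CONF):
    """Return the action of the first http_access line whose ACLs all match."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls[n], req) for n in names):
            return action
    return "deny"  # not reached with this config: "deny all" always matches

if __name__ == "__main__":
    for req in ({"src": "172.30.4.10", "user": "DOM\\alice", "groups": ["ProxyUsers"]},
                {"src": "10.0.0.5", "user": "DOM\\alice", "groups": ["ProxyUsers"]}):
        print(req["src"], req["user"], "->", decide(req))
```

The model returns only allow or deny; it does not reproduce the authentication challenge Squid sends to clients that have not yet supplied credentials.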