Whoops. Replace that "dc=second" with "dc=first" in the DOMAIN1 part of the script and you'll
understand what I meant. I didn't proofread after making the edits.
Cheers,
Dietrich
D & E Radel wrote:
UK SquidUser (AXA-TECH-UK) wrote:
Hi, I'm trying to migrate to a new platform of Squid proxy servers using
Active Directory. I can't seem to find any pointers on configuring
squid/kerberos/samba to use multiple domains for authentication. I've
configured a test box to point through a single domain using AD fine,
but I'm unsure if I can actually use cross-domain authentication. Can
anybody point me in the right direction please? Kev.
TS Data Networks
AXA Tech
I use the following script for LDAP authentication from multiple
domains. This should be modifiable for other forms of authentication:
#============================================
#!/bin/sh
# This script checks a username and password provided by squid
# against 2 domains. If the credentials are accepted by either
# domain, output "OK". Otherwise, output "ERR".
# Read from stdin until EOF is received; squid sends one
# "username password" line per login attempt.
while read -r INP; do
    # Use username and password to authenticate against FIRST domain
    DOMAIN1=$(printf '%s\n' "$INP" | /usr/lib/squid/ldap_auth -R \
        -b "dc=first,dc=my,dc=domain,dc=com" \
        -D "cn=Administrator,cn=Users,dc=second,dc=my,dc=domain,dc=com" \
        -w "admin_password" -f sAMAccountName=%s -h 192.168.1.1)
    # Use username and password to authenticate against SECOND domain
    DOMAIN2=$(printf '%s\n' "$INP" | /usr/lib/squid/ldap_auth -R \
        -b "dc=second,dc=my,dc=domain,dc=com" \
        -D "cn=Administrator,cn=Users,dc=second,dc=my,dc=domain,dc=com" \
        -w "admin_password" -f sAMAccountName=%s -h 192.168.1.2)
    # If username and password are correct for either domain, output "OK"
    # (plain "=" rather than "==": /bin/sh's test does not know "==")
    if [ "$DOMAIN1" = "OK" ]; then
        echo "OK"
    elif [ "$DOMAIN2" = "OK" ]; then
        echo "OK"
    else
        echo "ERR"
    fi
done
#============================================
I then call this from my squid.conf with:
#============================================
# Authenticate against TWO domains using LDAP, not SAMBA
#------------------------------------------------------------
# Uses the custom script called multi_domains.sh which authenticates
# against more than one domain by making multiple calls to the standard
# /usr/lib/squid/ldap_auth program and evaluating the result. The script
# passes either an "OK" or an "ERR" back to Squid.
auth_param basic program /etc/squid/multi_domains.sh
auth_param basic children 5
auth_param basic realm MyCompany Proxy
auth_param basic credentialsttl 5 hours
#============================================
I hope that this is useful to you.
Cheers,
Dietrich
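A generalised version of the same idea, added here as an example; it is neither Dietrich's script nor Squid's own code. It walks a configurable list of domains instead of two hard-coded ones, stops at the first domain that answers OK (so a user in the first domain never triggers a bind against the second), and reads each bind password from a file instead of passing it on the command line. The helper path, the `-W` (read bind password from file) option, the `squid-bind` accounts, the hosts and the file names are all assumptions; check the usage output of the LDAP helper shipped with your Squid version before relying on them.

```shell
#!/bin/sh
# Added example (not the script from the original post): a Squid basic
# auth helper that tries the credentials Squid hands it against an
# arbitrary list of domains and answers OK on the first success.
# Assumptions: the helper binary path, the -W "read bind password from
# file" option, and all DNs, hosts and file names are constructed.

LDAP_AUTH="${LDAP_AUTH:-/usr/lib/squid/ldap_auth}"

# One domain per line, fields separated by '|':
#   base_dn|bind_dn|bind_password_file|directory_host
# Bind with a dedicated low-privilege read-only account, not Administrator,
# and keep its password in a root-readable file rather than on the command
# line, where "ps" would show it to every local user. (Constructed values.)
DOMAINS='dc=first,dc=my,dc=domain,dc=com|cn=squid-bind,cn=Users,dc=first,dc=my,dc=domain,dc=com|/etc/squid/first.pw|192.168.1.1
dc=second,dc=my,dc=domain,dc=com|cn=squid-bind,cn=Users,dc=second,dc=my,dc=domain,dc=com|/etc/squid/second.pw|192.168.1.2'

# try_domain BASE_DN BIND_DN PW_FILE HOST CREDLINE
# Feeds one "username password" line to the stock LDAP helper for a single
# domain and prints its first output line ("OK" or "ERR ..."). The line is
# passed through untouched: Squid encodes it and the LDAP helper decodes it.
try_domain() {
    printf '%s\n' "$5" | "$LDAP_AUTH" -R -b "$1" -D "$2" -W "$3" \
        -f 'sAMAccountName=%s' -h "$4" 2>/dev/null | head -n 1
}

# authenticate CREDLINE
# Walks the domain list in order, stops at the first domain that accepts the
# credentials, prints OK/ERR for Squid and returns 0/1 for callers.
authenticate() {
    verdict=$(printf '%s\n' "$DOMAINS" | while IFS='|' read -r base bind pwfile host; do
        [ -n "$base" ] || continue
        case "$(try_domain "$base" "$bind" "$pwfile" "$host" "$1")" in
            OK|"OK "*) echo OK; break ;;
        esac
    done)
    if [ "$verdict" = "OK" ]; then
        echo OK
        return 0
    fi
    echo ERR
    return 1
}

# Squid keeps the helper running and sends one line per login attempt.
helper_loop() {
    while read -r line; do
        authenticate "$line"
    done
}

# Only enter the stdin loop when installed under this name and started by
# Squid; sourcing the file (for tests) defines the functions without blocking.
case "$0" in
    */multi_domains.sh|multi_domains.sh) helper_loop ;;
esac
```

Install it as `/etc/squid/multi_domains.sh` (the name the final `case` guard expects) and point `auth_param basic program` at it exactly as in the squid.conf fragment above. Two caveats worth knowing before deploying either version: first match wins, so if two domains each hold an account with the same `sAMAccountName`, Squid sees a single username for what are really two different people, and any ACLs keyed on that username apply to both; and a wrong password is still tried against every domain in turn, so one mistyped login shows up as a failed logon in each domain's security log and counts against the lockout threshold in each of them.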