
Re: Squid Automatic Proxy Authentication via LDAP


 



Anthony McGovern wrote:
Hey All,

I'm relatively new to Linux and Squid. I've only really been using
both for about 2 and a half months now. Apologies as I'm sure this has
probably been asked before.
I have an Ubuntu server (6.06) with Apache 2.2.6 compiled and running
on the box. I also have Squid 2.6 compiled and running fine. A few days
ago, thanks to browsing many, many forums, I've also figured out how to get
my Squid proxy server to authenticate via LDAP, so when a user opens a
web browser they have to type their LDAP logon details to use the
Internet.

Good so far...

I've been asked by the powers that be: can we now make the proxy server
"invisible"? What we want is when a user opens a web browser it will
still use their LDAP logon details to authenticate but with no user
intervention at all.

Oof. The only widespread browser-supported automatic proxy authentication method is NTLM. And for that you need a Windows domain.

I.e., from the user's perspective they open a web browser and they can
browse the web, but in the background when they open the browser the
Squid proxy server automatically authenticates them against their LDAP
details. The reason for this is I work in a college, so we want to make
the proxy server as seamless and "invisible" as possible to all staff
and students. If they don't know the proxy server is there they won't try
to bypass it.

Perhaps your best bet is to use the session helper (try "man squid_session" on your proxy, or see http://linuxreviews.org/man/squid_session/) to redirect users to a login page where you can display your acceptable use policy (which potentially includes penalties for bypassing the proxy). That way, it will be less obvious that a proxy is used, but you get authentication details in the log files.

I've asked the "Internet guru" (Google) to find me an answer and the
closest thing I've come up with was a website using Perl scripts
to authenticate against LDAP, but I'm sure the Perl script was written for
Novell. This is the website:

http://www.novell.com/coolsolutions/feature/17777.html

Well, that seems to rely on the fact that an IP address is associated with a login for some period of time. This is by no means a Novell-specific trick. It should be possible to parse the LDAP log to find out what IP a given user has authenticated from (for some other application) and then populate a text file or database table with that information.

But I haven't really come up with much so far. I've also had a look on
the FAQ list and the mailing list archive for similar questions
regarding this but I couldn't find anything about it.
I'd be really, really grateful for any help.
Thanks a mill
Anthony

Chris
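
The IP-to-login mapping described in the reply above, as an added example that is not part of the original message. It assumes OpenLDAP slapd-style log lines (the thread does not name the LDAP server); the sample log, user names, addresses and the 30-minute lifetime are constructed. Only successful binds count, the most recent login on an address wins, and stale entries expire, since an IP address is only a weak stand-in for a user on shared or DHCP-assigned machines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in OpenLDAP slapd style (assumed format).
SAMPLE_LOG = """\
2008-01-14T08:10:00 slapd[812]: conn=1000 fd=12 ACCEPT from IP=10.0.5.30:40001 (IP=0.0.0.0:389)
2008-01-14T08:10:00 slapd[812]: conn=1000 op=0 BIND dn="uid=dave,ou=students,dc=example,dc=edu" method=128
2008-01-14T08:10:00 slapd[812]: conn=1000 op=0 RESULT tag=97 err=0 text=
2008-01-14T09:00:01 slapd[812]: conn=1001 fd=14 ACCEPT from IP=10.0.5.21:40112 (IP=0.0.0.0:389)
2008-01-14T09:00:01 slapd[812]: conn=1001 op=0 BIND dn="uid=alice,ou=staff,dc=example,dc=edu" method=128
2008-01-14T09:00:01 slapd[812]: conn=1001 op=0 RESULT tag=97 err=0 text=
2008-01-14T09:05:10 slapd[812]: conn=1002 fd=15 ACCEPT from IP=10.0.5.22:40230 (IP=0.0.0.0:389)
2008-01-14T09:05:10 slapd[812]: conn=1002 op=0 BIND dn="uid=bob,ou=students,dc=example,dc=edu" method=128
2008-01-14T09:05:10 slapd[812]: conn=1002 op=0 RESULT tag=97 err=49 text=
2008-01-14T09:20:00 slapd[812]: conn=1003 fd=16 ACCEPT from IP=10.0.5.21:40388 (IP=0.0.0.0:389)
2008-01-14T09:20:00 slapd[812]: conn=1003 op=0 BIND dn="uid=carol,ou=staff,dc=example,dc=edu" method=128
2008-01-14T09:20:00 slapd[812]: conn=1003 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="uid=([^,"]+),')
# tag=97 is the bind response; err=0 means the bind succeeded.
RESULT = re.compile(r"^(\S+) .*conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def build_ip_map(log_text, now, ttl=timedelta(minutes=30)):
    """Return {client_ip: uid} for successful binds no older than ttl."""
    conn_ip = {}   # connection id -> client IP
    pending = {}   # (connection id, op) -> uid awaiting its RESULT line
    latest = {}    # client IP -> (uid, time of last successful bind)
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            conn_ip[m.group(1)] = m.group(2)
        elif m := BIND.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT.search(line):
            ts, conn, op, err = m.groups()
            user = pending.pop((conn, op), None)
            ip = conn_ip.get(conn)
            # Failed or anonymous binds must never create a mapping.
            if user and ip and err == "0":
                latest[ip] = (user, datetime.fromisoformat(ts))
    return {ip: u for ip, (u, seen) in latest.items() if now - seen <= ttl}


if __name__ == "__main__":
    now = datetime.fromisoformat("2008-01-14T09:30:00")
    for ip, user in build_ip_map(SAMPLE_LOG, now).items():
        print(ip, user)
```
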

