Adrian Chadd wrote:
On Fri, Dec 14, 2007, cuchulain 78 wrote:
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --require-membership-of=groupname
However if a user who isnt a member of this group tries to browse, they get
prompted for a username and password. Is there any way to disable this login
box and forward them to the standard squid denied page.
Since I dont know with program pops up the login bix I actually dont know if
this is squid or dansguardian related.
I believe its part and parcel of the authentication process. Squid sends
an authentication challenge; they send their reply; Squid then says "nup!"
and asks for it to try authenticating again. The browser then pops up a
box asking for alternative credentials.
While technically exactly true. There is a workaround that I have been
itching to try out. If you are up for an experiment cuchulain 78!
According to Henrik way back; the box only pops up if auth is the last
ACL on the line.
Along with that is my own experiences hacking deny_info for nefarous
purposes :-)
So ... creating a new ACL containing 'all' ... placing it at the EOL and
adding a matching deny_info ... should in my mind do what is wanted here.
The config would look like this:
# skipping the actual auth_param bits ... ...
# and the bits checking whatever web-login ...
acl ntmlAuth auth REQUIRED
acl altAuth src all
deny_into htto://page.somewhere.invalid/index.html altAuth
http_access deny !ntlmAuth altAuth
Anyone keen to try that out? Could you please let me know the resulting
success/failure.
Amos
