
Re: Squid+ADS - Multiple Group Based Authentication (ISA to SQUID Migration)

Truth Seeker wrote:

Hi Techies,

I am on my way to migrating an ISA Proxy Server to a Squid Proxy Server, without any downtime. I was able to set up a simple squid server, with Samba, Winbind and Kerberos, that just authenticates users based on the ADS information, allows access to all authenticated users, and denies others.

Now my real situation is, I have around 7 groups in ISA, which should be available in the Squid Proxy also. When I tried to set up this one, with my previous experience in LDAP + SAMBA + Squid (all servers on Linux), it is not working for this ADS environment.
The following one worked for me...

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers

This is allowing all authenticated users.

But I need to do it with 5 ADS groups, not just like above. The following are my groups.

Seniors
Engineers
guestgroup
restricted
parttime

I tried to accomplish the goal with the following (which I am using in a SAMBA+LDAP+SQUID setup completely on a Linux environment):

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type unix_group %LOGIN /usr/lib/squid/squid_unix_group

acl senior_acl external unix_group senior
acl engineer_acl external unix_group engineer
acl restricted_acl external unix_group restricted
acl guestgroup_acl external unix_group guestgroup
acl parttime_acl external unix_group parttime

then a few access rules for the different groups...

then finally...

http_access allow senior_acl
http_access allow engineer_acl
http_access allow restricted_acl
http_access allow guestgroup_acl
http_access allow parttime_acl

http_access deny all

Any help is really appreciated!!!

Try being case-sensitive in the group names. The ones you configured Squid with do not match the ones you listed as examples. Assuming both are correct, they may be mismatched because 'S' is not 's', etc.


Try also with this as the first of the auth ACL:
  acl AuthorizedUsers proxy_auth REQUIRED
  http_access deny !AuthorizedUsers

It will force a login if none is supplied.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
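The mismatch Amos points at is easy to catch before Squid ever sees the config: the group helper looks each name up exactly as it is written on the acl line, so a name that differs only in case, or that lacks the DOMAIN\ prefix winbind puts on AD groups (from `winbind separator`, unless `winbind use default domain` is set), simply never matches and the user falls through to `deny all`. The script below is an added example, not code from either message in this thread or from the Squid project. It pulls every `acl NAME external unix_group GROUP` line out of a squid.conf, checks each GROUP against the group database exactly as the helper would, and reports near misses. It assumes the external_acl_type is named `unix_group` as in the poster's config; the `GROUP_DB` override, the function names and the sample data in the test are this example's own.

```shell
#!/bin/sh
# Pre-flight check for Squid external group ACLs (added example, not from the
# thread). Verifies every group named on an "acl ... external unix_group" line
# is an exact, case-sensitive entry in the group database, and points out the
# real name when only case or a DOMAIN\ prefix differs.
# Assumption: GROUP_DB, when set, is a file in /etc/group format used instead
# of NSS (handy for testing); otherwise getent group is queried, which is the
# only place winbind-served AD groups appear.

# group_db -> the group database, one /etc/group-format line per group
group_db() {
    if [ -n "${GROUP_DB:-}" ]; then cat "$GROUP_DB"; else getent group; fi
}

# acl_groups CONF -> group names referenced by unix_group ACLs, one per line
acl_groups() {
    awk '$1 == "acl" && $3 == "external" && $4 == "unix_group" {
             for (i = 5; i <= NF; i++) print $i }' "$1"
}

# group_exists GROUP -> 0 if GROUP is an exact (case-sensitive) group name.
# Names are passed through the environment: awk -v would reinterpret the
# backslash in DOMAIN\group as an escape sequence.
group_exists() {
    group_db | G="$1" awk -F: 'BEGIN { g = ENVIRON["G"] }
        $1 == g { ok = 1 }
        END { exit !ok }'
}

# near_miss GROUP -> real group names equal to GROUP ignoring case and any
# DOMAIN\ or DOMAIN+ winbind prefix (the usual ways a mismatch creeps in)
near_miss() {
    group_db | G="$1" awk -F: 'BEGIN { g = tolower(ENVIRON["G"]) }
        { n = $1; sub(/^.*[\\+]/, "", n); if (tolower(n) == g) print $1 }'
}

# user_in_group USER GROUP -> 0 if USER is listed as a member of GROUP, both
# compared exactly; this is the lookup the helper performs for %LOGIN
user_in_group() {
    group_db | U="$1" G="$2" awk -F: 'BEGIN { u = ENVIRON["U"]; g = ENVIRON["G"] }
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }'
}

# check_conf CONF -> prints one line per bad ACL group; returns 1 if any found
check_conf() {
    rc=0
    for g in $(acl_groups "$1"); do
        group_exists "$g" && continue
        rc=1
        real=$(near_miss "$g")
        if [ -n "$real" ]; then
            echo "MISMATCH: squid.conf says '$g' but the group is '$real'"
        else
            echo "MISSING: no group named '$g' in the group database"
        fi
    done
    return $rc
}

# Usage: check_groups.sh /etc/squid/squid.conf
if [ "$#" -gt 0 ]; then
    check_conf "$1"
fi
```

Run it against the live squid.conf on the proxy host with winbind running, so that `getent group` returns the AD groups under the exact spelling the helper will see. Whatever `getent group` prints, prefix included, is the string that must appear on the acl line; a clean run here still leaves the ordering Amos describes to get right, with `http_access deny !AuthorizedUsers` ahead of the group rules and `http_access deny all` last.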
