Hi Markus

Thank you. So, do you know how I have to implement the fallback-mechanism with squid_ldap_auth? For instance, if I deny read-rights for the squid-user to the file /etc/krb5.keytab, I would expect that the squid_ldap_auth-mechanism would authenticate the user with a password-prompt. But in my case: a password-prompt appears (but not the right one... without the correct realm) and I can enter the correct userid/pw -> no success.

If I make a native basic-authentication with squid_ldap_auth (without combination with kerberos), then the authentication works fine.

Any hints for the fallback-configuration with squid_ldap_auth? Is there even a way to have a fallback-mechanism with squid_ldap_auth?

Thanks a lot.
Kind regards,
Tom

2010/8/9 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> Hi Tom,
>
> squid_kerb_ldap does not authenticate a user. It just looks up membership
> info and can not replace squid_ldap_auth
>
> Markus
>
> "Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
> news:AANLkTimYbsVmRsy7a7mhbaAZvfv63WDFUX1i5WD6TcS+@xxxxxxxxxxxxxxxxx
>>
>> Hi
>>
>> I've implemented a native kerberos-authentication with squid_kerb_auth
>> and squid_kerb_ldap to query ad-group-memberships. This works fine.
>> I'm trying to implement a fallback-mechanism with squid_ldap_auth.
>>
>> But the squid_ldap_auth-fallback is not working. My config looks like
>> this:
>>
>> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
>> auth_param negotiate children 50
>> auth_param negotiate keep_alive on
>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "InternetUsers"
>> acl INTERNET_ACCESS external SQUID_KERB_LDAP
>>
>> external_acl_type SQUID_DENY_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "DenyInternetUsers"
>> acl DENY_INTERNET_ACCESS external SQUID_DENY_KERB_LDAP
>>
>> # LDAP-Fallback
>> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -v 3 -b "dc=xx,dc=yy" -D "cn=binduser,dc=xx,dc=yy" -w "something" -f "(&(&(objectClass=Person)(sAMAccountName=%s))(memberOf=cn=InternetUsers,DC=xx,DC=yy))" -c 3 -h ldaps://xx.xx.xx.xx -h ldaps://xx.xx.xx.xx
>> auth_param basic children 20
>> auth_param basic realm "Internet Access"
>> auth_param basic credentialsttl 2 hour
>> acl INTERNET_ACCESS_LDAP proxy_auth REQUIRED
>>
>> http_access deny DENY_INTERNET_ACCESS
>> http_access allow INTERNET_ACCESS
>> http_access allow INTERNET_ACCESS_LDAP
>>
>> How do I have to implement the fallback-ldap? Do I need the
>> "external_acl"-directive? Can I realise the fallback-mechanism also
>> with squid_kerb_ldap?
>>
>> Thanks a lot.
>> Kind regards,
>> Tom
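The configuration below is an added, annotated example of the Negotiate-first, Basic-second layout the thread is about; it is not from this thread, from Markus Moeller's helpers or from the Squid project, and it does not claim to resolve Tom's prompt problem. Everything after `program` is taken from the quoted config; the LDAP host names (`ldap1.example.invalid`, `ldap2.example.invalid`), the bind-password file `/etc/squid/ldap_bind.secret` and the final `deny all` are assumptions. The comments record what Squid's own documentation says about scheme ordering and what each ACL actually proves.

```conf
# Added example squid.conf fragment (not from the thread). Placeholders:
# DNs (dc=xx,dc=yy), LDAP hosts and the bind-password file path.

# Squid presents authentication schemes to the client in the order in which
# each scheme's first auth_param line appears in this file. Negotiate must
# therefore come first; a Kerberos-capable browser then prefers it, and
# only clients that cannot complete Negotiate answer the Basic challenge.
auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
auth_param negotiate children 50
auth_param negotiate keep_alive on

# Basic/LDAP fallback. -W reads the bind password from a root-owned file
# instead of -w "password", which would be visible in squid.conf and in the
# helper's command line (ps). ldaps:// keeps the user's password off the
# wire between the helper and the directory; the browser-to-proxy leg of
# Basic is still only base64, which is why Basic stays the fallback.
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -v 3 -b "dc=xx,dc=yy" -D "cn=binduser,dc=xx,dc=yy" -W /etc/squid/ldap_bind.secret -f "(&(objectClass=Person)(sAMAccountName=%s)(memberOf=cn=InternetUsers,DC=xx,DC=yy))" -c 3 -h ldaps://ldap1.example.invalid -h ldaps://ldap2.example.invalid
auth_param basic children 20
auth_param basic realm "Internet Access"
auth_param basic credentialsttl 2 hour

# Group lookups on the authenticated login name (%LOGIN forces
# authentication before the helper is consulted).
external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -g "InternetUsers"
acl INTERNET_ACCESS external SQUID_KERB_LDAP

external_acl_type SQUID_DENY_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -g "DenyInternetUsers"
acl DENY_INTERNET_ACCESS external SQUID_DENY_KERB_LDAP

# proxy_auth REQUIRED only proves that *some* configured scheme succeeded;
# it does not say which one, and it enforces no group. For Basic users the
# memberOf clause in the helper's -f filter is the only group check, and a
# Negotiate-authenticated user who is NOT in InternetUsers also matches
# this ACL, so keep the deny rule for the blocked group above it.
acl AUTHENTICATED proxy_auth REQUIRED

http_access deny DENY_INTERNET_ACCESS
http_access allow INTERNET_ACCESS
http_access allow AUTHENTICATED
http_access deny all
```

To check which scheme a client actually used, compare the `Proxy-Authenticate` headers in the 407 response (both `Negotiate` and `Basic realm="Internet Access"` should be offered, in that order) with the `Proxy-Authorization` header the client sends back; a Basic prompt carrying a different realm string than the one configured here is not coming from this `auth_param basic realm` line.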