2010/8/16 Amos Jeffries <squid3@xxxxxxxxxxxxx> > > Ricpelo wrote: >> >> Hi! I'm trying to set up the following configuration: >> >> Client => Squid A => DansGuardian => Squid B => Internet >> >> Squid A does Ident authentication, and then forwards the request to the >> DansGuardian with the following line in its /etc/squid/squid.conf: >> >> cache_peer 192.168.0.1 parent 8080 0 no-query no-digest default >> login=*:foobar >> >> where 192.168.0.1:8080 is the DansGuardian's IP address and port. >> >> Squid A correctly logs the Client's username in its >> /var/log/squid/access.log file, which it's great. However, DansGuardian >> doesn't log the username in /var/log/dansguardian/access.log. >> >> When I set up Ident authplugin in /etc/dansguardian/dansguardian.conf, then >> DansGuardian logs "proxy" username into their logs, instead of the correct >> user name. If I use another authplugin (proxy-basic, proxy-digest, >> proxy-ntlm or ip), DansGuardian simply doesn't logs any user name in their >> log files. >> >> Is there a way to get DansGuardian logs the right username in their logs, as >> Squid does? Is Squid giving the wrong username to DansGuardian? May I fix >> the Squid's configuration? >> >> Thank you very much in advance, >> >> Ricardo. > > > To receive usernames from Squid-A the correct DansGuardian the module is probably that "proxy-basic" one. Most Squid still passes login= credentials as Basic protocol auth headers. (Only the latest releases allow Negotiate as well). > > I think you will find the problem is that IDENT is not a full authentication scheme. So the nickname does not get passed on as one in the HTTP headers. Just logged and permitted in ACL tests. > > Squid will sort of trust an external_acl_type helper to send back usernames for passing out. So you can build a work-around helper which takes the IDENT nickname as input parameter and returns "OK user=" and the received IDENT nickname. Thank you very much! Your solution worked like a charm :). Cheers, Ricardo.
