On Tue, 19 Oct 2010 09:07:26 -0400, "Jim Moseby" <JMoseby@xxxxxxxxxxxxxxxxxx> wrote:
>>>> On 10/18/2010 at 5:33 PM, in message
>> On Mon, 18 Oct 2010 11:26:21 -0400, "Jim Moseby"
>> <JMoseby@xxxxxxxxxxxxxxxxxx> wrote:
>>> I'm setting up squid, and I have auth working against Novell NDS. I'd
>>> like to be able to have users authenticate via a form on a page that
>>> displays our usage policy, etc rather than the simple username/password box
>>> that currently pops up. Is this do-able? Any hints?
>>>
>>> jm
> <2f3b80e3d0fb7e45ebb239aa47891ff1@xxxxxxxxxxxxxxxxxx>, Amos Jeffries
> <squid3@xxxxxxxxxxxxx> wrote:
>>
>> This is better known as splash pages in captive portals.
>>
>> Squid will happily send a custom error page along with the auth challenge.
>> The way browsers work these days prevents the page being displayed unless
>> the auth popup fails. To get real auth the easy way is to create a two-step
>> process with the AUP page available without auth. Then the acceptance link
>> going to a place with auth challenge.
>>
>> Amos
>
> Thanks for that information.
>
> A little more information on how I have this going.
>
> All XP Pro workstations. Novell servers.
>
> In the Novell login script, I check NDS to see if the user is in an
> 'AllowInternet' group. If so, I set the workstations' registry entries for
> the proxy server, and to hide the 'Connections' tab so the user can't find
> an obvious way to change them back. (Even if they do, outgoing http/s is
> blocked at the firewall :)
>
> Currently, when the user opens his web browser, he is immediately
> presented with the auth challenge from squid.
>
> For your scenario to work, the only way I can think of to make it happen
> is to force the users 'home page' to a non-auth page on a local web server
> in each user's subnet, and to set 'Bypass proxy server for local addresses'
> in the proxy settings.
>
> Am I on the right track?

That's one way.

Or, the basic portal splash:
http://wiki.squid-cache.org/ConfigExamples/Portal/Splash

The important thing with the usual setup is that requests to the splash
page and its resources are allowed without auth. The ACL inside Squid can
be quite strict and force them out to a specific cache_peer if you desire
that level of control.

Amos
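
A squid.conf sketch of the arrangement described in the reply above, added here as an illustration and not taken from the thread or the Squid wiki: the splash host is reachable without credentials and pinned to one cache_peer, while everything else gets the auth challenge. The hostname aup.example.internal, the address 192.0.2.10 and the names splash_site, authed and aup_server are assumptions, and auth_param is assumed to be configured already.

```conf
# Added example. Hostname, address and ACL/peer names are assumptions.
# Assumes auth_param is already set up (proxy auth against the directory works).

# The AUP/splash page and its resources (images, CSS) are served from this host.
acl splash_site dstdomain aup.example.internal

# Matches only requests that carry valid proxy credentials.
acl authed proxy_auth REQUIRED

# Strict routing: splash requests may only be fetched from this one web server,
# and no other traffic may use that peer.
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=aup_server
cache_peer_access aup_server allow splash_site
cache_peer_access aup_server deny all
never_direct allow splash_site

# http_access is evaluated top-down and the first matching line wins,
# so the unauthenticated allow must come before the auth check.
# 1. Splash page loads with no credentials, so the browser can render it.
http_access allow splash_site
# 2. Any other request gets the 407 challenge until the user authenticates.
http_access deny !authed
http_access allow authed
http_access deny all
```

If the allow for splash_site is placed after the `deny !authed` line, the browser sees the auth popup before it can display the policy page, which is the behaviour the original poster is trying to avoid.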