On Mon, 1 Nov 2010 17:03:11 -0400, "Kelly, Jack" <Jack.Kelly@xxxxxxxxxxxxxxxxx> wrote:
> Hi everyone,
> I've successfully set up authentication to my proxy with squid_kerb_auth
> to get us away from using basic LDAP authentication for everything. I
> used the config guide from the squid-cache wiki (below) which worked
> perfectly.
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
>
> One thing I'd like to do is continue using LDAP Groups and/or
> Organizational Units to grant permissions to certain websites. So my
> question is in two parts:
>
> Is there a way to use squid_ldap_auth such that it will only prompt for
> credentials when you try to visit a certain website? (Previously I've
> had it set up so it would prompt you right when the browser opens.)

This is merely a matter of ACL organization. http_access (and other
*_access lines) are tested left-to-right top-to-bottom. So place the group
ACL on the end of a line which starts by testing the website with a
dstdomain ACL.

  acl foo dstdomain .example.com
  acl people external ldapGroups ...
  http_access deny foo !people
  ...

>
> Alternatively: Is there a straightforward equivalent to squid_ldap_group
> when using Kerberos authentication?

"squid_ldap_group -K" strips the Kerberos domain parts from the
credentials, allowing group lookup against NTLM.

Markus' squid_kerb_auth helper bundles with 3.2 under a slightly changed
name. It's available as a stand-alone helper for older Squid from
http://sourceforge.net/projects/squidkerbauth/files/

>
> Running 3.1.1 on Ubuntu x64, installed from Synaptic.

You need an upgrade. If there is not a newer version of squid3 in synaptic
(Ubuntu supplies 3.0.STABLE25 and 3.1.6) there are ported source packages
for 3.1.9 up at https://launchpad.net/~yadi/+archive/ppa

Amos
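
Added example, not part of the original thread and not Squid code: a simplified Python model of the left-to-right, top-to-bottom http_access evaluation described above, showing that the group ACL (and therefore the login prompt) is only reached for requests that already matched the dstdomain ACL. The group membership set, the catch-all allow rule and all function names are assumptions made for the illustration; Squid's re-challenge behaviour after a failed group match is not modelled.

```python
# Simplified model of Squid http_access evaluation (illustration only, not Squid code).
# Rules are checked top to bottom; ACLs on one line left to right, stopping at
# the first ACL that does not match.

GROUP_MEMBERS = {"alice"}          # constructed stand-in for the LDAP group lookup


def dstdomain(suffix):
    """ACL matching a host equal to, or a subdomain of, `suffix` (".example.com")."""
    bare = suffix.lstrip(".")
    return lambda req, trace: req["host"] == bare or req["host"].endswith("." + bare)


class NeedLogin(Exception):
    """Raised when an ACL needs credentials the request does not carry."""


def ldap_group(req, trace):
    """External group ACL: evaluating it is what forces authentication."""
    trace.append("people")
    if req.get("user") is None:
        raise NeedLogin()
    return req["user"] in GROUP_MEMBERS


def negate(acl):
    return lambda req, trace: not acl(req, trace)


def http_access(rules, req):
    """Return (verdict, trace); trace lists the auth ACLs actually evaluated."""
    trace = []
    try:
        for action, acls in rules:
            if all(acl(req, trace) for acl in acls):   # all() short-circuits
                return action, trace
    except NeedLogin:
        return "challenge", trace
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), trace


# The thread's rule followed by a constructed catch-all allow.
RULES = [
    ("deny", [dstdomain(".example.com"), negate(ldap_group)]),
    ("allow", []),
]
```

Reversing the two ACLs on the deny line would put the group lookup first, so every request would evaluate it and the browser would be prompted as soon as it opens.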