On 16/12/10 00:05, webmaster wrote:
> Hi Group,
> I'm trying to get squid to let everyone through who belongs to a certain
> LDAP group without prompting for a password. Do I need an 'auth param
> basic program' entry? My configuration works just fine if I check the
> password with ldap auth AND the group with squid_ldap_group, but I want
> to avoid the prompt for the userid / password and just assume the user
> is ok if he/she is in the LDAP group. Possible?

Well, to find the group what do you need? Usually it's the username of
the visitor. Preferably checked for validity. This is done via
auth_param. If you have another way use that.
Your spec reads like you want to use the fake auth helper. Which
challenges for credentials, but doesn't verify they are correct.
To start resolving popup problems in auth you need to understand the
prompt/popup is a browser action with nothing to do with Squid or the
specific auth protocol. It occurs when the browser is required to present
credentials but cannot find any to send.
This gives you a big pile of clues about how to prevent it:
* storing the credentials in the browser (browser password manager
does this for any auth protocol)
* enabling the client OS to make credentials available to the browser
via a side channel (IDENT, NTLM and Negotiate/Kerberos do this)
* send the browser tokens to send straight back (cookie based auth
systems do this, digest auth does something similar)
Or "the all hack" which prevents Squid challenging for new credentials.
This works fine if credentials are guaranteed to be present somehow. But
does cause the ACL rule to bypass if they are not present at all.
The hack looks like:
# some ACL which would normally challenge for credentials
acl auth proxy_auth REQUIRED
http_access allow auth all
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.9
Beta testers wanted for 3.2.0.3
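
Added example, not part of the original message or of the Squid project's documentation: a squid.conf fragment showing why the lines that follow "the all hack" matter, given the caveat in the reply that the rule is bypassed when no credentials are present. The subnet, the ACL names other than `auth`, the group name and the external ACL class name `ldap_group` are assumptions made for illustration.

```conf
# Assumed to exist already, as in the poster's working setup:
#   auth_param basic program ...          (helper of your choice)
#   external_acl_type ldap_group %LOGIN ... squid_ldap_group ...
# "ldap_group", "ProxyUsers" and the subnet below are constructed names.

acl auth      proxy_auth REQUIRED
acl ingroup   external ldap_group ProxyUsers
acl localnet  src 192.0.2.0/24

# --- Weak ordering (left commented out) ----------------------------
# "all" as the last ACL on the line stops Squid challenging there.
# A request that carries no credentials is skipped by the first line
# and carries on to the next one, where the localnet rule lets it
# through without any user or group check.
#http_access allow ingroup all
#http_access allow localnet
#http_access deny all

# --- Tighter ordering ----------------------------------------------
# Same hack, but nothing permissive follows it. A request without
# credentials is skipped by the first line and then hits "deny all",
# so it is refused rather than prompted or silently allowed.
http_access allow ingroup all
http_access deny all
```

With the tighter ordering, a client that cannot supply credentials by one of the routes listed in the reply (stored password, OS side channel, token) gets an access-denied page instead of a login popup.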