Thanks Amos,

The hack won't do the job for us. Looks like we'll have to stick with ntlm.

h

On 15.12.2010 13:00, Amos Jeffries wrote:
> On 16/12/10 00:05, webmaster wrote:
>> Hi Group,
>> I'm trying to get squid to let everyone through who belongs to a certain
>> LDAP group without prompting for a password. Do I need an 'auth param
>> basic program' entry? My configuration works just fine if I check the
>> password with ldap auth AND the group with squid_ldap_group, but I want
>> to avoid the prompt for the userid / password and just assume the user
>> is ok if he/she is in the LDAP group. Possible?
>
>
> Well, to find the group what do you need? Usually it's the username of
> the visitor. Preferably checked for validity. This is done via
> auth_param. If you have another way use that.
>
> Your spec reads like you want to use the fake auth helper. Which
> challenges for credentials, but doesn't verify they are correct.
>
>
> To start resolving popup problems in auth you need to understand the
> prompt/popup is a browser action with nothing to do with Squid or the
> specific auth protocol. It occurs when the browser is required to
> present credentials but cannot find any to send.
>
> This gives you a big pile of clues about how to prevent it:
>  * storing the credentials in the browser (browser password manager
>    does this for any auth protocol)
>  * enabling the client OS to make credentials available to the browser
>    via a side channel (IDENT, NTLM and Negotiate/Kerberos do this)
>  * send the browser tokens to send straight back (cookie based auth
>    systems do this, digest auth does something similar)
>
> Or "the all hack" which prevents Squid challenging for new
> credentials. This works fine if credentials are guaranteed to be
> present somehow. But does cause the ACL rule to bypass if they are not
> present at all.
> The hack looks like:
>   # some ACL which would normally challenge for credentials
>   acl auth proxy_auth REQUIRED
>   http_access allow auth all
>
> Amos