
Re: Dual Level Authentication

On 08/03/11 18:42, Go Wow wrote:
Hi All,

  I have implemented the AD authentication with squid3. I would like to
add another level of authentication which should be local to unix box
something like ncsa. When AD authentication fails then it should
switch to other authentication and even if it fails then deny the
packet.

In squid, when I define

auth_param basic program /usr/lib/ncsa_auth /etc/squid3/passwd
auth_param basic program /usr/lib/squid_ldap_auth ...

the bottom line is configured by initiating the helper programs and
the top line is ignored. If I interchange the above lines then again
the bottom program is initiated and top one is ignored.

Yes. You can only define each authentication type once.

Squid just hands every Basic auth header it gets over to a helper to get a yes/no answer for use in ACLs. It is up to that helper and the backend authentication system it uses to do anything like failover, checking multiple sources etc.


Can someone guide me how to create the dual level authen.



* Use two different types of authentication, ordered by your preference. Then hope that the browser agrees with that preference because all you are doing is offering auth types. The client browser chooses which one is used.

* Use an authentication backend which supports checking credentials against multiple sources, i.e. PAM or similar.

* Write your own wrapper script to receive data from Squid and test both data sources. Passing the overall result back to Squid.


I read the multiple services authentication FAQ on
http://wiki.squid-cache.org/ConfigExamples/Authenticate/MultipleSources
but couldn't understand fully. I understood myacl.pl is used for
authentication but how I do define username and password for users
using this method?

This example is about enforcing strict controls over which background authentication mechanism is used for any given client IP.

You *could* use it, however for trying both systems with failover it is simpler and more efficient to write an authenticator that does it. That example is only needed because the IP is not sent to basic auth in some squid versions.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
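
The wrapper option from the reply above (one helper that tests both data sources and passes a single result back to Squid), as an added example that is not part of the original thread or of Squid's own code. It assumes the helper paths quoted in the thread, helper concurrency left off (no channel IDs), and the LDAP helper's arguments, which the thread elides, supplied by you; `Helper` and `check` are hypothetical names.

```python
#!/usr/bin/env python3
"""Chained Basic-auth helper for Squid: try each backend in order, fail closed."""
import subprocess
import sys

# Assumed backend commands. Paths are the ones quoted in the thread; the LDAP
# helper's arguments are elided there and must be added before real use.
BACKENDS = [
    ["/usr/lib/squid_ldap_auth"],                  # AD/LDAP first (arguments omitted)
    ["/usr/lib/ncsa_auth", "/etc/squid3/passwd"],  # local NCSA password file second
]


class Helper:
    """One long-running backend helper speaking the Basic helper line protocol."""

    def __init__(self, argv):
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)

    def accepts(self, line):
        try:
            self.proc.stdin.write(line + "\n")
            self.proc.stdin.flush()
            reply = self.proc.stdout.readline()
        except OSError:
            return False  # a dead or broken backend counts as a rejection
        return reply.split()[:1] == ["OK"]  # EOF or anything else is a rejection


def check(line, helpers):
    """Return 'OK' if any backend accepts the 'username password' line, else 'ERR'."""
    line = line.rstrip("\r\n")
    parts = line.split(" ")
    # Squid URL-encodes both fields, so a valid request has exactly one space.
    # Empty fields are refused here: an LDAP bind with an empty password can
    # succeed as an anonymous bind on some servers.
    if len(parts) != 2 or not all(parts):
        return "ERR"
    return "OK" if any(h.accepts(line) for h in helpers) else "ERR"


def main():
    helpers = [Helper(argv) for argv in BACKENDS]
    for line in sys.stdin:  # one request per line until Squid closes stdin
        sys.stdout.write(check(line, helpers) + "\n")
        sys.stdout.flush()  # Squid waits on every answer, so never buffer it


if __name__ == "__main__":
    main()
```

Squid's single `auth_param basic program` line then points at this script instead of at either backend helper.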

