Thanks for the reply. I think I will have to consider PAM.

Regards

On 8 March 2011 11:06, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 08/03/11 18:42, Go Wow wrote:
>>
>> Hi All,
>>
>> I have implemented the AD authentication with squid3. I would like to
>> add another level of authentication which should be local to unix box
>> something like ncsa. When AD authentication fails then it should
>> switch to other authentication and even if it fails then deny the
>> packet.
>>
>> In squid, when I define
>>
>> auth_param basic program /usr/lib/ncsa_auth /etc/squid3/passwd
>> auth_param basic program /usr/lib/squid_ldap_auth ...
>>
>> the bottom line is configured by initiating the helper programs and
>> the top line is ignored. If I interchange the above lines then again
>> the bottom program is initiated and top one is ignored.
>
> Yes. You can only define each authentication type once.
>
> Squid just hands every Basic auth header it gets over to a helper to get a
> yes/no answer for use in ACLs. It is up to that helper and the backend
> authentication system it uses to do anything like failover, checking multiple
> sources etc.
>
>>
>> Can someone guide me how to create the dual level authen.
>>
>
>
> * Use two different types of authentication, ordered by your preference.
> Then hope that the browser agrees with that preference because all you are
> doing is offering auth types. The client browser chooses which one is used.
>
> * use an authentication backend which supports checking credentials against
> multiple sources. ie PAM or similar.
>
> * write your own wrapper script to receive data from Squid and test both
> data sources. Passing the overall result back to Squid.
>
>
>> I read the multiple services authentication FAQ on
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/MultipleSources
>> but couldn't understand fully. I understood myacl.pl is used for
>> authentication but how do I define username and password for users
>> using this method?
>
> This example is about enforcing strict controls over which background
> authentication mechanism is used for any given client IP.
>
> You *could* use it, however for trying both systems with failover it is
> simpler and more efficient to write an authenticator that does it. That
> example is only needed because the IP is not sent to basic auth in some
> squid versions.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.11
> Beta testers wanted for 3.2.0.5
>
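
The wrapper-script option from the quoted reply, as an added example (not code from this thread or from the Squid project): a single Basic helper that forwards each "user password" line to the existing helpers in order and answers OK on the first accept. The backend order and the LDAP options placeholder are assumptions; the helper paths are the ones quoted above.

```python
#!/usr/bin/env python3
"""Squid Basic-auth wrapper: ask each backend helper in turn, OK on first accept."""
import subprocess
import sys

# Assumed backends. Paths are the ones quoted in the thread; the LDAP helper's
# options are elided there, so a placeholder stands in for them.
BACKENDS = [
    ["/usr/lib/squid_ldap_auth", "<ldap-helper-options>"],
    ["/usr/lib/ncsa_auth", "/etc/squid3/passwd"],
]

class Helper:
    """One long-running helper speaking Squid's 'user password' -> OK/ERR protocol."""
    def __init__(self, argv):
        self.argv, self.proc = argv, None

    def check(self, line):
        """Forward one request line; True only on an explicit OK reply."""
        try:
            if self.proc is None or self.proc.poll() is not None:  # (re)start
                self.proc = subprocess.Popen(
                    self.argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                    text=True, bufsize=1)
            self.proc.stdin.write(line + "\n")
            self.proc.stdin.flush()
            return self.proc.stdout.readline().split()[:1] == ["OK"]
        except OSError:
            return False  # backend missing or died: fail closed for this source

def authenticate(line, helpers):
    """True if any helper accepts the still URL-encoded 'user password' line."""
    user, _, password = line.partition(" ")
    # Reject empty fields before any backend sees them; some LDAP servers
    # treat a bind with an empty password as anonymous and report success.
    if not user or not password:
        return False
    return any(h.check(line) for h in helpers)

def main():
    helpers = [Helper(argv) for argv in BACKENDS]
    for raw in sys.stdin:  # Squid sends one request per line
        ok = authenticate(raw.rstrip("\r\n"), helpers)
        sys.stdout.write("OK\n" if ok else "ERR\n")
        sys.stdout.flush()  # Squid waits for each answer

if __name__ == "__main__":
    main()
```

Installed as the only `auth_param basic program`, this falls through to the local file on any ERR from the first backend, not only when that backend is unreachable, so a username present in both stores is accepted with either password. Keep the local file limited to accounts that are meant to work without AD.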