
Re: Why need this for get "auth-sync" between squid and dansguardian?

On 03/04/2011 9:22, Amos Jeffries wrote:
On 02/04/11 01:12, Fran Márquez wrote:
I'm modifying the squid.conf file of my proxy server to replace "basic auth" with "ntlm auth".

Please consider going straight to Negotiate/Kerberos. NTLM is officially deprecated and should be avoided where possible.

I can't get Negotiate implemented. All my tries have failed. I will try again before starting to use NTLM in a production environment...




All works fine in squid, but when I use dansguardian, I've noticed that dansguardian doesn't get the username if I remove these lines from squid.conf:


------------------------------------------------
# External ACL helper: checks whether the authenticated user (%LOGIN, passed
# to the helper as %v) is a member of the AD group named in the acl line (%a)
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=domain" -D "cn=proxy,cn=proxy,dc=domain" -w "proxy" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=proxy,dc=domain))" -h 1.1.1.1

acl ldapLimited external ldap_group notAlowed
acl ldapTotal external ldap_group alowed

http_access allow ldapTotal all
------------------------------------------------

Note: 1.1.1.1 is the DC IP address


I thought that these lines affected only basic authentication, since they were already written before I started to implement the NTLM auth.

Can anybody explain to me what these lines are doing exactly? I reviewed the LDAP groups referred to in these lines (ldapLimited and ldapTotal) and they are empty.

What those lines do:
external_acl_type using "%LOGIN" requires authentication credentials in order to be tested. These details are required regardless of the result.

So whenever Squid reaches that ACL and tries to test it, it will either use the credentials given or challenge the browser to present some.

The type of authentication does not matter to Squid when testing the ACLs. Whatever types you have in your auth_param setup will be used and sent.


Well, then this can be considered a valid and correct method for DansGuardian to get the auth info, right?


I think the problem is likely that DG does not support NTLM. Or that your Squid version does not allow one of the many prerequisites needed to get (stateful!) NTLM to work over (stateless) HTTP.
These requirements are:
 * pinning client and server connection together for the duration of *either* TCP link
 * HTTP/1.1-style persistent server connections
 * HTTP/1.1-style persistent client connections


Dansguardian includes a plugin called auth-ntlm, which is supposed to provide NTLM support, but it doesn't work fine for me, so the only method I found is to use the mentioned acl.

Regarding the requirements... I don't think that this was the cause, since Squid and DansGuardian are on the same machine and I'm using recent versions of both:

Squid version:

Squid Cache: Version 3.0.STABLE25
configure options: '--build=i386-redhat-linux-gnu' '--host=i386-redhat-linux-gnu' '--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share' '--sysconfdir=/etc/squid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-digest-auth-helpers=password' '--enable-epoll' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-icap-client' '--enable-ident-lookups' '--with-large-files' '--enable-linux-netfilter' '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,null,ufs' '--enable-useragent-log' '--enable-wccpv2' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl=/usr/kerberos' '--with-pthreads' 'build_alias=i386-redhat-linux-gnu' 'host_alias=i386-redhat-linux-gnu' 'target_alias=i386-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables' 'FFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables'

Dansguardian version: dansguardian-2.10.1.1


Amos

Thank you very much, F.J
