El 03/04/2011 9:22, Amos Jeffries escribió:
On 02/04/11 01:12, Fran Márquez wrote:
I'm modifying the squid.conf file of my proxy server for replace "basic
auth" for "ntlm auth".
Please consider going straight to Negotiate/Kerberos. NTLM is
officially deprecated and should be avoided where possible.
I don't get implement Negotiate. All my tries has failed. I will try
again before start to use NTLM in production environment...
All work fine in squid, but when I use dansguardian, I've noticed that
dansguardian doesn't get the username if I remove this lines from
squid.conf:
------------------------------------------------
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R
-b "dc=domain" -D "cn=proxy,cn=proxy,dc=domain" -w "proxy" -f
"(&(objectclass=person)
(sAMAccountName=%v)(memberof=cn=%a,ou=proxy,dc=domain))" -h 1.1.1.1
acl ldapLimited external ldap_group notAlowed
acl ldapTotal external ldap_group alowed
http_access allow ldapTotal all
------------------------------------------------
Note: 1.1.1.1 is dc ip address
I thought that this lines affects only to basic authentication since it
already was wrote before I start to implement the NTLM auth.
Anybody can explain me what this lines are doing exactly? I revised the
ldap groups refered in this lines (ldapLimited and ldapTotal) and it are
empty.
What those lines do:
external_acl_type using "%LOGIN" require authentication credentials
in order to be tested. These details are required regardless of the
result.
So whenever Squid reached that ACL and tries to test it will either
use the credentias given or challenge the browser to present some.
The type of authentication does not matter to Squid when testing the
ACLs. Whatever types you have in your auth_param setup will be used
and sent.
Well, then this can be considered a valid and correct method for reached
auth info by DansGuardian, right?
I think the problem is likely that DG does not support NTLM. Or that
your Squid version does not allow one of the many pre-requisits needed
to get (stateful!) NTLM to work over (stateless) HTTP.
These requirements are:
* pinning client and server connection together for the duration of
*either* TCP link.
* HTTP/1.1-style persistent server connections
* HTTP/1.1-style persistent client connections
Dansguardian includes a plugin called auth-ntlm, wich is suposed is for
get NTLM support, but it doesn't work fine for me, so the unique method
I found is use the mentioned acl.
Respect to requeriments... I don't think that this was the cause, since
Squid and DansGuardian are in same machine and I'm using recents
versions of both:
Squid version:
Squid Cache: Version 3.0.STABLE25
configure options: '--build=i386-redhat-linux-gnu'
'--host=i386-redhat-linux-gnu' '--target=i386-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--includedir=/usr/include' '--libdir=/usr/lib'
'--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
'--localstatedir=/var' '--datadir=/usr/share' '--sysconfdir=/etc/squid'
'--disable-dependency-tracking' '--enable-arp-acl'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-digest-auth-helpers=password'
'--enable-epoll'
'--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
'--enable-icap-client' '--enable-ident-lookups' '--with-large-files'
'--enable-linux-netfilter' '--enable-ntlm-auth-helpers=SMB,fakeauth'
'--enable-referer-log' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,null,ufs'
'--enable-useragent-log' '--enable-wccpv2' '--with-aio'
'--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl'
'--with-openssl=/usr/kerberos' '--with-pthreads'
'build_alias=i386-redhat-linux-gnu' 'host_alias=i386-redhat-linux-gnu'
'target_alias=i386-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables' 'CXXFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables' 'FFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables'
Dansguardian version: dansguardian-2.10.1.1
Amos
Thank you very much, F.J