Hi all,
I've just config the squid proxy server to authenticate users to
Microsoft Active Directory. Everything seem fine except squid keep
asking username/password every time users open new web browser or
switch to other web browser like it check for some session variable in
each browser instances.
Suppose I've already authenticated my self while using google
chrome and open any new tabs on that chrome instance, there will be no
problem but if I open the new Chrome from desktop shortcut (new
instance), squid will ask for the password for this chrome again. This
also occurred when I switch to IE.
And if I close all browser tabs/windows previously authenticated
then reopen the new browser, squid will ask password again.
Is there a way to make squid only ask password for each users
computer/ip etc, once per day or at least a period of time (such as 8
hours). I've tried auth_param basic credentialttl 8 hours but nothing
difference.
The following are my configuration
------------------------------------------------------
Squid Cache: Version 2.6.STABLE21
CentOS 5.6
##AD Setting
auth_param basic program /usr/lib64/squid/squid_ldap_auth -b
"ou=ho,dc=ratto,dc=local" -D "cn=LDAP
Browser,cn=users,dc=ratto,dc=local" -w jklm1933 -f
"(&(objectClass=person)(sAMAccountName=%s))" -u sAMAccountName -h
192.168.0.2
external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group
-R -b "dc=ratto,dc=local" -D "cn=LDAP
Browser,cn=users,dc=ratto,dc=local" -w "xxxxxx" -f
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=ho,dc=ratto,dc=local))"
-h 192.168.x.x
auth_param basic children 10
auth_param basic realm ratto Active Directory
auth_param basic credentialsttl 8 hours
##ratto Custom ACL
acl internet-users external ldap_group internet-users
acl internet-users-priv external ldap_group internet-users-priv
acl local_servers dst "/etc/squid/acl/local_servers.txt"
acl allowed_url url_regex "/etc/squid/acl/allowed_url.txt"
acl ban_url url_regex "/etc/squid/acl/ban_url.txt"
acl work_hours_morning time MTWHFA 08:30-12:00
acl work_hours_after_noon time MTWHFA 13:00-17:30
##ratto Custom Rules
http_access deny ban_url
#Allow access to local servers without password prompt
http_access allow local_servers
#Allow access to allowed url without password promt
http_access allow allowed_url
#Group internet-users-prive on AD can access internet for 24 hours.
http_access allow internet-users-priv
#Group internet-users on AD can access internet only on free times
http_access allow internet-users !work_hours_morning !work_hours_after_noon
Thanks
Chettawan
