On 06/07/11 23:19, Robert Velter wrote:
Hi all, I have a (nice?) Squid authentication/authorization challenge. I already have a working authentication configuration using Negotiate with squid_kerb_auth and NTLM using ntlm_auth. Authorization is done using an external_acl_type with squid_ldap_group.

Now I want users to be able to authenticate/authorize using Basic auth when the squid_ldap_group check fails, resulting in the following logic:

grant access if ((logged-in Windows user is in group internet) or (given credentials authenticate for group internet))

As far as I understand I can't solve this with auth_param modifications, because the external_acl ldap_group already gets a validated username from Kerberos/NTLM (all clients are Microsoft Windows). I think I need an additional external_acl helper with integrated Basic auth. Right? Is there any external_acl helper out there with the needed functionality?

Regards,
Robert
That will probably die horribly. NTLM & Negotiate both hijack HTTP to try and authenticate at the TCP level. Once credentials are accepted, a change in auth requires the TCP link itself to be terminated.
You can cause a re-auth challenge, but Squid will still offer the same set of Negotiate, NTLM, Basic as available. The sane browsers should move on to the next available choice they have not tried (most agents are not that sane though).
Details of how to re-auth are in the FAQ: http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.14
Beta testers wanted for 3.2.0.9
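For readers following the thread, here is a squid.conf fragment that wires up the setup Robert describes (Negotiate, NTLM and Basic offered together, group authorization via squid_ldap_group, and the FAQ's re-challenge trick). It is an added example, not configuration posted by either participant; the proxy hostname, Kerberos realm, LDAP base DN, bind DN, password file and helper paths are assumptions to be replaced for a real deployment.

```conf
# Assumed example squid.conf fragment (not from the thread). Replace
# example.com / EXAMPLE.COM / dc1 / helper paths with real values.

# Schemes are offered in this order. A Windows client that has completed
# Negotiate or NTLM keeps those credentials for the life of the TCP
# connection; it does not silently retry with Basic on the same link.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Basic credentials are checked against the same domain via winbind.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Group lookup keyed on the authenticated login (%LOGIN). -K strips the
# Kerberos realm and -S the NT domain, so user@EXAMPLE.COM, EXAMPLE\user
# and a plain Basic "user" all resolve to the same sAMAccountName.
# %v is the user and %a the group name passed by the acl line below.
external_acl_type ldap_group ttl=3600 negative_ttl=60 %LOGIN /usr/lib/squid/squid_ldap_group -K -S -b "dc=example,dc=com" -f "(&(objectClass=person)(sAMAccountName=%v)(memberOf=cn=%a,ou=groups,dc=example,dc=com))" -D "cn=squid,ou=service,dc=example,dc=com" -W /etc/squid/ldap.pass -h dc1.example.com

acl authed proxy_auth REQUIRED
acl internet_group external ldap_group internet

# Members of the "internet" group are allowed through.
http_access allow internet_group

# Authenticated users outside the group: keeping an authentication ACL
# as the last element of the matching deny line makes Squid answer with
# a 407 re-challenge rather than a 403 (the FAQ technique Amos links).
# Whether the browser then offers different credentials is up to the
# browser; with an established NTLM/Negotiate connection it usually
# just resends the same ones, which is the failure mode Amos describes.
http_access deny !internet_group authed
http_access deny all
```

The negative_ttl keeps a failed group lookup from being re-queried on every request during the re-challenge loop, which is worth watching in cache.log and the LDAP server logs when testing this.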