So one thing that is not really clear to me, the external acl script is running constantly and gets "sent" arguments on its stdin or is the script/program being called every time with the arguments you define for it....

Thanks,
Eli

2012/2/29 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 29.02.2012 01:51, Erwann Pencreach wrote:
>>
>> Hi,
>>
>> I don't really understand the trick with the Id, but I'll have a look
>> at it
>
>
> It's a concurrency support. Allowing Squid to schedule more than one lookup
> at a time for the helper. You then add concurrency=N with some N value
> greater than 1 for the number of requests for Squid to queue.
>
>
>>
>> I wrote this script, because I wasn't able to get authentication
>> information from distant client or distant samba pdc (All tricks I have
>> found are for a configuration where Squid is on the same host as the
>> pdc). Password doesn't matter, but username is mandatory. When I have
>> username, I have some ldap checks to do, some whitelist and blacklist to
>> check.
>
>
> Something seems wrong there.
>
> For Squid lookup helpers to validate credentials the only requirement is
> that the backend accept validation requests from them. In the PDC case there
> may be some security around which servers are allowed to lookup user
> credentials, you need to ensure the Squid box (IP? security token?) is in
> that accepted set. It sounds to me like the default security at the PDC is
> for the localhost connections to be accepted, but not external servers.
>
> Certain of the Squid lookup helpers do need certain tools from Samba to be
> installed (ntlm_auth or winbind or smbclient) in order to run. But those
> tools are not the PDC, only other types of lookup helper.
>
>
> Amos
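
The helper protocol discussed in this thread, as an added example that is not code from any of the posters or from the Squid project: a long-running external ACL helper that reads one request per line on stdin and echoes the concurrency channel-ID back in each reply. The helper name, path, user lists and the use of %LOGIN as the format are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Added example: Squid external ACL helper using the concurrency channel-ID.

Assumed squid.conf wiring (names and path are hypothetical):
  external_acl_type usercheck concurrency=10 %LOGIN /usr/local/bin/usercheck.py
  acl allowed_users external usercheck
"""
import sys
from urllib.parse import unquote

# Constructed sample data standing in for the LDAP/whitelist/blacklist checks.
WHITELIST = {"alice", "bob"}
BLACKLIST = {"mallory"}


def decide(username):
    """Return 'OK' (ACL matches) or 'ERR' (no match); unknown users fail closed."""
    if not username or username == "-" or username in BLACKLIST:
        return "ERR"
    return "OK" if username in WHITELIST else "ERR"


def handle_line(line):
    """Answer one request line of the form '<channel-ID> <username>'."""
    fields = line.split()
    if not fields:
        return None  # blank line: nothing to answer
    channel_id = fields[0]
    # Format values arrive URL-encoded by default, so decode before comparing.
    username = unquote(fields[1]) if len(fields) > 1 else ""
    # The reply must start with the same channel-ID so Squid can pair it
    # with the pending lookup, whatever order the replies arrive in.
    return f"{channel_id} {decide(username)}"


def main():
    # Squid starts the helper once and keeps it running: one request per
    # line on stdin, one reply per line on stdout.
    for line in sys.stdin:
        reply = handle_line(line)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()  # unflushed replies leave Squid waiting


if __name__ == "__main__":
    main()
```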