Search squid archive

Re: squid_ldap_group (Group into Group)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



It Worked!!!

Thank you Guys for all your tips...

I got this with the command lines:

------------------------------------------------------------

FOR AUTHENTICATION:

auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b
"dc=domain,dc=yyy" -D "cn=user,ou=example,dc=domain,dc=yyy" -w
"password" -f sAMAccountName=%s -h IP_LDAP_SERVER

auth_param basic children 5
auth_param basic realm DOMAIN
auth_param basic credentialsttl 5 minutes
auth_param basic casesensitive off


FOR RECURSIVE LDAP SEARCH:

external_acl_type AD_GROUP ttl=300 negative_ttl=300 %LOGIN
/usr/lib/squid3/squid_kerb_ldap -D DOMAIN.YYY -g Group@xxxxxxxxxx


SQUID ACLs:

acl ACL_X external AD_GROUP

http_access allow ACL_X

------------------------------------------------------------

One more time, Thank you very much.

Cheers.

Rickifer Barros

On Fri, Aug 10, 2012 at 9:17 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 10/08/2012 11:55 p.m., Rickifer Barros wrote:
>>
>> Hi Eugene,
>>
>> yes, that's true, but this only works together the program
>> squid_kerb_auth. So this require my computer inside a domain. I need
>> that it works with a popup to type username and password.
>>
>> I tried:
>> - to use squid_kerb_auth with the parameter "auth_param basic program"
>> (DOESN'T WORK)
>
>
> Taking Basic auth scheme and sending its credentials format to Kerbros
> scheme helper -> FAIL.
>
>
>> - to use squid_ldap_auth to autenticate and squid_kerb_ldap to search.
>> It authenticates but doesn't search. (DOESN'T WORK)
>
>
> Taking a Basic auth format username and looking up Kerberos groups with it.
>   could work, but Basic auth usernames do not normally have the @DOMAIN
> syntax part. You will need to check users are logging in with that and its
> not being stripped away anywhere.
>
>
>> - to use "auth_param negotiate program squid_kerb_auth" with
>> "squid_kerb_ldap" to search, with my computer inside a domain. (IT
>> WORKS!) But without username/password popup.
>
>
> Kerberos is designed to operate without a popup. Move the computer outside
> the domain and is might work only with popups. Or it might not.
>
>
>>
>> Is there some way to join "Authentication via Popup" + "Recursive Query"?
>
>
> They are completely separate operations.
>
> external_acl_type (group lookup) does authorization. Taking the username and
> checking groups. username can come from any authentication type, or even be
> non-authenticated. The only thing that matters is whether the username
> presented by Squid to the helper is of a format which matches somethign in
> the groups database.
>
> Amos


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux