It Worked!!!

Thank you Guys for all your tips...

I got this with the command lines:

------------------------------------------------------------
FOR AUTHENTICATION:

auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=yyy" -D "cn=user,ou=example,dc=domain,dc=yyy" -w "password" -f sAMAccountName=%s -h IP_LDAP_SERVER
auth_param basic children 5
auth_param basic realm DOMAIN
auth_param basic credentialsttl 5 minutes
auth_param basic casesensitive off

FOR RECURSIVE LDAP SEARCH:

external_acl_type AD_GROUP ttl=300 negative_ttl=300 %LOGIN /usr/lib/squid3/squid_kerb_ldap -D DOMAIN.YYY -g Group@xxxxxxxxxx

SQUID ACLs:

acl ACL_X external AD_GROUP
http_access allow ACL_X
------------------------------------------------------------

One more time, Thank you very much.

Cheers.

Rickifer Barros

On Fri, Aug 10, 2012 at 9:17 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 10/08/2012 11:55 p.m., Rickifer Barros wrote:
>>
>> Hi Eugene,
>>
>> yes, that's true, but this only works together with the program
>> squid_kerb_auth. So this requires my computer inside a domain. I need
>> that it works with a popup to type username and password.
>>
>> I tried:
>> - to use squid_kerb_auth with the parameter "auth_param basic program"
>> (DOESN'T WORK)
>
>
> Taking Basic auth scheme and sending its credentials format to Kerberos
> scheme helper -> FAIL.
>
>
>> - to use squid_ldap_auth to authenticate and squid_kerb_ldap to search.
>> It authenticates but doesn't search. (DOESN'T WORK)
>
>
> Taking a Basic auth format username and looking up Kerberos groups with it
> could work, but Basic auth usernames do not normally have the @DOMAIN
> syntax part. You will need to check users are logging in with that and it's
> not being stripped away anywhere.
>
>
>> - to use "auth_param negotiate program squid_kerb_auth" with
>> "squid_kerb_ldap" to search, with my computer inside a domain. (IT
>> WORKS!) But without username/password popup.
>
>
> Kerberos is designed to operate without a popup. Move the computer outside
> the domain and it might work only with popups. Or it might not.
>
>
>>
>> Is there some way to join "Authentication via Popup" + "Recursive Query"?
>
>
> They are completely separate operations.
>
> external_acl_type (group lookup) does authorization. Taking the username and
> checking groups. username can come from any authentication type, or even be
> non-authenticated. The only thing that matters is whether the username
> presented by Squid to the helper is of a format which matches something in
> the groups database.
>
> Amos
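
Added example, not part of the original thread and not Squid project code: a small audit of the helper lines from the working configuration above. It flags the LDAP bind password passed inline with `-w` (readable by anyone who can read squid.conf or list processes; `squid_ldap_auth` also accepts `-W secretfile`) and a `squid_kerb_ldap` group helper with no `-D`. Treating `-D` as the default domain applied to usernames that arrive without `@DOMAIN` is an assumption to confirm against the helper's documentation; the function names and `SAMPLE_CONF` are constructed for this example.

```python
import shlex

# Constructed sample: the helper lines from the message above (placeholder values kept).
SAMPLE_CONF = '''\
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=yyy" -D "cn=user,ou=example,dc=domain,dc=yyy" -w "password" -f sAMAccountName=%s -h IP_LDAP_SERVER
auth_param basic children 5
external_acl_type AD_GROUP ttl=300 negative_ttl=300 %LOGIN /usr/lib/squid3/squid_kerb_ldap -D DOMAIN.YYY -g Group@xxxxxxxxxx
acl ACL_X external AD_GROUP
http_access allow ACL_X
'''

INLINE_PW = "bind password inline (-w); move it to a root-owned file and use -W"
NO_DOMAIN = "no -D: bare Basic usernames (no @DOMAIN) may not match any group"


def helper_lines(conf):
    """Yield (directive, argv) for each config line that launches a helper."""
    for raw in conf.splitlines():
        tok = shlex.split(raw, comments=True)
        if tok[:3] == ["auth_param", "basic", "program"]:
            yield "auth_param basic", tok[3:]
        elif tok[:1] == ["external_acl_type"] and len(tok) > 2:
            rest = tok[2:]
            # Skip key=value options and %FORMAT codes up to the helper path.
            while rest and not rest[0].startswith("/"):
                rest = rest[1:]
            yield "external_acl_type " + tok[1], rest


def audit(conf):
    """Return a list of (directive, finding) tuples for the helper lines."""
    findings = []
    for directive, argv in helper_lines(conf):
        helper = argv[0].rsplit("/", 1)[-1] if argv else ""
        if helper == "squid_ldap_auth" and "-w" in argv:
            findings.append((directive, INLINE_PW))
        # Assumption: -D supplies the domain for usernames lacking @DOMAIN.
        if helper == "squid_kerb_ldap" and "-D" not in argv:
            findings.append((directive, NO_DOMAIN))
    return findings


if __name__ == "__main__":
    for directive, finding in audit(SAMPLE_CONF):
        print(f"{directive}: {finding}")
```
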