Hi,

I'm having fun trying to get the browser popup dialog box to enter authentication details. Perhaps someone could explain how the squid/browser interaction works for denies: when is it a page, when a dialog?

Details:
Squid is set up to:
1) Allow access from certain IPs with no authentication
2) Authenticate from Active Directory (using kerberos, with ntlm fallback)
3) And finally ldap.

1) works fine, as does 2) from Windows machines in the domain (kerberos/NTLM does its job).
The ldap mechanism on its own also works fine.

3) When (Windows) machines not in the domain connect, they are *not* prompted for (LDAP) credentials; the "Cache Access Denied" page appears. (This happens in all browsers.)

But squid is sending headers to tell the browser to authenticate:

    HTTP/1.1 407 Proxy Authentication Required
    Server: squid/3.HEAD-20120814-r12282
    X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
    Proxy-Authenticate: Negotiate
    Proxy-Authenticate: Basic realm="Proxy LDAP - Enter credentials"

The browser replies with NTLM:

    Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

    2012/10/09 10:20:20| negotiate_wrapper: received type 1 NTLM token

And squid is unhappy:

    HTTP/1.1 407 Proxy Authentication Required
    X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0

Presumably the browser first tries with the local Windows logon credentials, but then it should pop up a dialog and request user/password?
Hmm, maybe the problem is squid not sending "Proxy-Authenticate:" in the second reply?

Summary of squid.conf:

    auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper_auth ............
    auth_param basic program /usr/local/squid/libexec/basic_ldap_auth ..........
    external_acl_type memberof %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl ..........
    acl ldapgroups external memberof "/etc/squid/ldapgroups.txt"
    ....
    acl our_networks src "/etc/squid/our_networks.list"
    http_access allow our_networks
    http_access deny !ldapgroups
    http_access allow localhost
    http_access deny all

(Also tried "http_access allow ldapgroups" and "http_access deny !ldapgroups all".)

I did find one related thread:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-LDAP-re-challenges-browser-on-http-access-deny-td1041726.html
but there the focus was on _not_ having a popup :-)

Also read http://www.squid-cache.org/Doc/config/http_access/

After reading http://wiki.squid-cache.org/Features/Authentication, also tried

    http_access deny !ldapgroups all
    http_access allow all

And tried just authentication with no authorisation:

    acl mustlogin proxy_auth REQUIRED
    http_access deny !mustlogin
    http_access allow localnetworks
    http_access deny all

In all cases, the browser does not want to pop up an auth dialog :-(

Thanks in advance,

Sean Boran
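
The header exchange quoted in the message above, checked programmatically; this is an added example, not part of the original post. It lists the schemes each 407 offers and identifies the client's Negotiate blob from its first 12 bytes. The function names are illustrative, and the second 407 is reproduced only as far as the post quotes it.

```python
import base64
import struct

# Headers exactly as quoted in the post above (the post may have abbreviated them).
FIRST_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Server: squid/3.HEAD-20120814-r12282\r\n"
    "X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    'Proxy-Authenticate: Basic realm="Proxy LDAP - Enter credentials"\r\n'
)
SECOND_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n"
)
CLIENT_HEADER = ("Proxy-Authorization: Negotiate "
                 "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==")


def offered_schemes(response):
    """Return the auth schemes a response offers via Proxy-Authenticate."""
    schemes = []
    for line in response.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return schemes


def classify_token(header):
    """Classify the blob in a 'Proxy-Authorization: Negotiate <b64>' header."""
    parts = header.partition(":")[2].split()
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "not-negotiate"
    try:
        # 16 base64 chars = 12 bytes: NTLMSSP signature plus message type.
        head = base64.b64decode(parts[1][:16], validate=True)
    except ValueError:
        return "invalid-base64"
    if head[:8] == b"NTLMSSP\x00" and len(head) >= 12:
        return "ntlm-type-%d" % struct.unpack_from("<I", head, 8)[0]
    if head[:1] == b"\x60":  # ASN.1 application tag 0: GSS-API (SPNEGO/Kerberos)
        return "gssapi"
    return "unknown"


if __name__ == "__main__":
    for label, resp in (("first", FIRST_407), ("second", SECOND_407)):
        print(label, "407 offers:", offered_schemes(resp) or "nothing")
    print("client sent:", classify_token(CLIENT_HEADER))
```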