I am using the latest 3.4 build and a config that looks like:

    ident_lookup_access allow localnet
    ident_lookup_access deny all
    ident_timeout 5 seconds
    acl password_required proxy_auth REQUIRED
    acl ident_required ident REQUIRED
    http_access allow localnet ident_required ident_unrestricted_group
    http_access allow localnet ident_required unrestricted_sites
    http_access_deny localnet ident_required
    http_access allow localnet password_required password_unrestricted_group
    http_access allow localnet password_required unrestricted_sites
    http_access_deny

The idea is that ident will be used, and if ident can't be used, proxy auth (ntlm) will be used.

The problem is that for users who ident successfully but are not in the ident_unrestricted_group / password_unrestricted_group (both the same Windows group), they get a 407 response and a password prompt, instead of an access denied.

I can work around this by putting:

    deny_info 403:ERR_ACCESS_DENIED ident_required

just before the identd deny, but it seems like a hack. Am I doing something wrong or could this be a bug?

Also, are there any implementations of ident that are a bit more useful? Such a thing would:

. have a single TCP connection between squid and the client (preferably client initiated), kept alive for a reasonable time
. authenticate the identd server itself (identd is not really considered secure)
. allow squid to specify all aspects of the connection (ident expects the lookup to come from the destination, which isn't true if you are doing transparent proxying, although easy to patch squid to fake the source)

Thanks

James