Search squid archive

ident authentication problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I am using the latest 3.4 build and a config that looks like:

ident_lookup_access allow localnet
ident_lookup_access deny all
ident_timeout 5 seconds

acl password_required proxy_auth REQUIRED
acl ident_required ident REQUIRED

http_access allow localnet ident_required ident_unrestricted_group
http_access allow localnet ident_required unrestricted_sites
http_access_deny localnet ident_required

http_access allow localnet password_required password_unrestricted_group
http_access allow localnet password_required unrestricted_sites

http_access_deny

The idea is that ident will be used, and if ident can't be used, proxy auth (ntlm) will be used.

The problem is that for users who ident successfully but are not in the ident_unrestricted_group / password_unrestricted_group (both the same windows group), they get a 407 response and a password prompt, instead of an access denied. I can work around this by putting:

deny_info 403:ERR_ACCESS_DENIED ident_required

just before the identd deny, but it seems like a hack.

Am I doing something wrong or could this be a bug?

Also, are there any implementations of ident that are a bit more useful? Such a thing would:
. have a single TCP connection between squid and the client (preferably client initiated), kept alive for a reasonable time
. authenticate the identd server itself (identd is not really considered secure)
. allow squid to specify all aspects of the connection (ident expects the lookup to come from the destination, which isn't true if you are doing transparent proxying, although easy to patch squid to fake the source)

Thanks

James






[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux