Hi there,

I'm trying to use basic_ncsa_auth as a fallback to my ntlm/kerberos and LDAP authentication. The problem here is that even if my user is successfully authenticated by ncsa_auth, it's denied by the memberof external_acl rule.

Is there a way to skip this acl rule if ncsa_auth was the authenticator?

My configuration looks like this:

> # Negotiate Kerberos and NTLM
>
> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=NT-DOMAINNAME --kerberos /usr/lib/squid3/negotiate_kerberos_auth -s GSS_C_NO_NAME
> ...
>
> # NTLM Authentication
>
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=NT-DOMAINNAME
> ...
>
> # LDAP/ActiveDirectory
>
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "dc=COMPANY,dc=int" -D squid@xxxxxxxxxxx -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h ad.company.int,ad3.company.int
> ....
>
> # basic-auth
>
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
>
>
> # AD memberof check
>
> external_acl_type memberof ttl=300 negative_ttl=300 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -b "dc=COMPANY,dc=int" -D squid@xxxxxxxxxxx -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof:1.2.840.113556.1.4.1941:=cn=%g,ou=Groups,ou=foobar,dc=COMPANY,dc=int))" -h ad.company.int,ad3.company.int
>
> acl auth proxy_auth REQUIRED
> http_access deny !auth
> http_access allow auth
>
> acl AllowedMemberOf external memberof "/etc/squid3/memberof_allow.txt"
> acl BlockedMemberOf external memberof "/etc/squid3/memberof_deny.txt"
>
> http_access allow AllowedMemberOf all
> http_access deny BlockedMemberOf all

Best,
Schinken

---
Backspace e.V.
http://hackerspace-bamberg.de
mail: schinken@xxxxxxxxxxxxxxxxxxxxxx
xmpp: schinken@xxxxxxxxxxx (otr)
GPG: FFB7 E40D B2DD D24C C9B7 B5C5 703C F8B8 882C 871E
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users