[squid-users] RE: Denying user access based on proxy_auth

Joost,
Finally got back to looking at this today. I took your idea of groups and
have it working now. It turns out the simplest way for me to make this work
was to add the group membership required to the end of the ntlm auth_param
line like this:

auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --require-membership-of=<SID of AD
Internet Allowed Group>

I then associated this with the custom error I had used with my original
denied solution and it appears to be working perfectly. Now I have all my
users in the Internet Allowed group and will just remove them as access is
denied.

Thanks for the suggestion.

Geoff

-----Original Message-----
From: Joost de Heer [mailto:sanguis@xs4all.nl]
Sent: Wednesday, May 03, 2006 4:35 AM
To: Geoff Varney
Cc: squid-users@squid-cache.org
Subject: Re: Denying user access based on proxy_auth

> I have an acl that looks like this:
>
> acl denied_users proxy_auth_regex -i '/etc/squid2/denied_users'
>
> where the denied_users file has a list of users who are not allowed access
> in the form of: john.smith
>
> Now for the first time I have a problem in the way this works. For
> instance, I have a user account of smith. It's a generic account that is
> used to ensure that certain applications run on Windows 2000/XP. I simply
> want to prevent Web access as it's anonymous to some extent. So I add the
> name "smith" to my denied_users file. Now not only is "smith" denied
> access, but also "john.smith".

Put the username as '^smith$' in the config.

IMO it would be easier to use NT group membership (those who may browse
are member of a certain group, and check membership of that group in the
acl).

Joost
Received on Tue May 09 2006 - 11:42:08 MDT