[squid-users] SquidNT2.6 - Active Directory

From: Sergio Gleser <sergiogleser@dont-contact.us>
Date: Tue, 27 Mar 2007 16:18:10 -0300

Hi,

I have been struggling with the following problem for 3 weeks now, and have been
unable to find an answer to it.

My network setup is as follows:

LAN Clients: Windows 2000 / XP
Network Address: 192.168.2.0
Directory Services: Active Directory

All clients are in Domain.

Proxy Server: Windows 2000 Pro / SP4 with SquidNT 2.6 Stable10. The proxy
PC is a member of the Domain but isn't a Domain Controller.

The problem is: I can't allow access only to members of a Domain (Active
Directory) Group.

My squid.conf
----------------------------------------------------------------------------
....
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5

....
external_acl_type win_domain_group ttl=300 %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G

....
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80               # http
acl Safe_ports port 21               # ftp
acl Safe_ports port 443              # https
acl Safe_ports port 70               # gopher
acl Safe_ports port 210              # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280              # http-mgmt
acl Safe_ports port 488              # gss-http
acl Safe_ports port 591              # filemaker
acl Safe_ports port 777              # multiling http
acl CONNECT method CONNECT
acl InetAllow external win_domain_group internet

...
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow InetAllow

http_access deny all
----------------------------------------------------------------------------

With this configuration, all clients -> Access Denied

When my squid.conf is as below, all clients can access the Internet.

....
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5

....
external_acl_type win_domain_group ttl=300 %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G

....
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80               # http
acl Safe_ports port 21               # ftp
acl Safe_ports port 443              # https
acl Safe_ports port 70               # gopher
acl Safe_ports port 210              # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280              # http-mgmt
acl Safe_ports port 488              # gss-http
acl Safe_ports port 591              # filemaker
acl Safe_ports port 777              # multiling http
acl CONNECT method CONNECT

acl localnet proxy_auth REQUIRED src 192.168.2.0/24

...
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnet

http_access deny all

Any suggestions?

Thanks in advance!
Received on Tue Mar 27 2007 - 13:22:39 MDT
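The two rulesets above, evaluated with a small first-match model of Squid's http_access logic. This is an added example, not code from the post or from Squid: the group directory, the user names and the stub that stands in for mswin_check_lm_group.exe (domain handling and the -G flag are not modelled, and the 407 challenge for unauthenticated requests is reduced to "no user, no match") are constructed assumptions. It shows which http_access line each request ends up on in either configuration, and that in the first ruleset the only line that grants access is `allow InetAllow`, so every decision rides on the helper's OK/ERR answer for the group named `internet`; a practical check is therefore to feed the helper a username and that group name by hand and confirm it answers OK.

```python
import ipaddress

# First-match model of the squid.conf subset used in the post (acl types src, dst,
# port, method, proto, proxy_auth, external; http_access allow/deny with "!").
# Added example: not Squid's code. The group directory, user names and helper
# stub below are constructed assumptions.

# Ruleset 1 from the post, trimmed to the lines http_access actually references:
# access is granted by the external group check only.
RULES_GROUP = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl InetAllow external win_domain_group internet
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow InetAllow
http_access deny all
"""

# Ruleset 2 from the post: the proxy_auth line exactly as written there.
RULES_AUTH = RULES_GROUP.replace(
    "acl InetAllow external win_domain_group internet",
    "acl localnet proxy_auth REQUIRED src 192.168.2.0/24",
).replace("http_access allow InetAllow", "http_access allow localnet")

# Constructed stand-in for the directory mswin_check_lm_group.exe would query
# (domain lookup and the -G flag are not modelled): user -> set of groups.
GROUPS = {"alice": {"internet", "staff"}, "bob": {"staff"}}


def lm_group_stub(user, groups):
    """Helper protocol in miniature: OK (True) if the user is in any listed group."""
    return bool(GROUPS.get(user, set()) & set(groups))


def parse_config(text):
    """Return (acls, rules): acls maps name -> (type, [values]); rules is [(action, [terms])]."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, acl_type, values = words[1], words[2], words[3:]
            # Squid's grammar is "acl <name> <type> <value>...": every token after
            # the type is a value of that one type, so a second type name on the
            # same line is just another value (this is how the localnet line parses).
            acls.setdefault(name, (acl_type, []))
            if acls[name][0] != acl_type:
                raise ValueError(f"acl {name} redefined with a different type")
            acls[name][1].extend(values)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def port_matches(port, values):
    for v in values:  # single port "443" or range "1025-65535"
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def acl_matches(acl_type, values, req, group_lookup):
    if acl_type in ("src", "dst"):
        addr = ipaddress.ip_address(req[acl_type])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        return port_matches(req["port"], values)
    if acl_type == "method":
        return req["method"] in values
    if acl_type == "proto":
        return req["proto"] in values
    if acl_type == "proxy_auth":
        # REQUIRED = any authenticated user; otherwise an explicit user list.
        return req["user"] is not None and ("REQUIRED" in values or req["user"] in values)
    if acl_type == "external":
        # external_acl_type fed %LOGIN: the helper sees the user name plus the acl's
        # own arguments (here the group name) and answers OK or ERR.
        return req["user"] is not None and group_lookup(req["user"], values[1:])
    raise ValueError(f"unsupported acl type {acl_type}")


def decide(config_text, req, group_lookup):
    """First matching http_access line wins; with no match Squid applies the
    opposite of the last line's action (irrelevant here: both end in deny all)."""
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        hit = True
        for term in terms:
            negate = term.startswith("!")
            acl_type, values = acls[term.lstrip("!")]
            if acl_matches(acl_type, values, req, group_lookup) == negate:
                hit = False
                break
        if hit:
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


def request(user, src, port=80, method="GET", proto="http", dst="203.0.113.10"):
    """Constructed request; user=None means the client has not authenticated."""
    return {"user": user, "src": src, "dst": dst, "port": port, "method": method, "proto": proto}


if __name__ == "__main__":
    for name, rules in (("group check", RULES_GROUP), ("proxy_auth", RULES_AUTH)):
        for user in ("alice", "bob"):
            print(name, user, decide(rules, request(user, "192.168.2.10"), lm_group_stub))
```

Swapping `lm_group_stub` for `lambda user, groups: False` reproduces the "all clients -> Access Denied" outcome of the first ruleset without touching any other line, which is why the helper's answer is the first thing to verify.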
