Re: [squid-users] Authentication with Squid 3.0 forwarding the authentication to external web content filter - Edirectory

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 22 Jul 2009 15:28:04 +1200

On Tue, 21 Jul 2009 14:41:38 -0400, "Schuetz, Charles"
<cschuetz_at_pltechs.com> wrote:
> We are currently using Squid 3.0 Stable 13. We are currently sending
> everyone through the proxy/cache. We are implementing a user based
> web content filtering solution (not a linux based solution) that
> authenticates users against edirectory. The current solution sends
> all users who use the proxy server as a guest account as the Squid
> box does not hit against edirectory. My question is this, if I set
> up the squid caching server to use the external authentication
> (LDAP), will it pass the edirectory credentials onto the web filter
> or will it not pass them at all. So if a client computer logs into
> novell with the username jsmith will it pass jsmith to the web
> filter or will it not pass any username?

Try the Squid eDirectory auth helper.

It depends on how the other system is plugged into Squid as to how and what
gets passed along.

If the filtering solution is an HTTP peer hop the cache_peer option
"login=PASS" (with exact text 'PASS' meaning pass-thru) will cause Squid to
relay the credentials it gets given to the peer. AFAIK this only works for
basic auth credentials in 3.0.

If the filtering solution is ICAP capable, then everything received from
the client goes through to the ICAP server AFAIK.

If the filtering solution is a redirector the login is not passed, only the
username if known.

If the filtering solution is an external ACL the username/pass combo
(%LOGIN) or the full raw auth headers (%{Proxy-Authentication} and
%{WWW-Authentication}) can be passed.

Amos

>
> Thank you,
Received on Wed Jul 22 2009 - 03:28:08 MDT
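
The cache_peer case described in the reply, sketched as a squid.conf fragment. This is an added example, not configuration from the original thread; the helper path, LDAP base DN, search filter and both hostnames are assumed placeholders.

```squidconf
# Constructed example for Squid 3.0; all hostnames, paths and the DN are placeholders.

# Authenticate browsers against the directory over LDAP (Basic scheme).
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "o=example" -f "cn=%s" -h edir.example.internal
auth_param basic children 5
auth_param basic realm Web proxy
auth_param basic credentialsttl 2 hours

# Require a valid login before anything is forwarded.
acl authed proxy_auth REQUIRED
http_access allow authed
http_access deny all

# The web filter as a parent HTTP proxy. login=PASS relays the client's
# Basic credentials to it unchanged, so the filter must validate them
# against the same user database.
cache_peer filter.example.internal parent 8080 0 no-query default login=PASS

# Send every request through the filter, never directly to origin.
never_direct allow all
```

Basic credentials are only base64-encoded, so with login=PASS the username and password are readable on the Squid-to-filter link; keep that hop on a trusted network segment.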