On Mon, 1 Nov 2010 17:03:11 -0400, "Kelly, Jack"
<Jack.Kelly_at_wsdevelopment.com> wrote:
> Hi everyone,
> I've successfully set up authentication to my proxy with squid_kerb_auth
> to get us away from using basic LDAP authentication for everything. I
> used the config guide from the squid-cache wiki (below) which worked
> perfectly.
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
>
> One thing I'd like to do is continue using LDAP Groups and/or
> Organizational Units to grant permissions to certain websites. So my
> question is in two parts:
>
> Is there a way to use squid_ldap_auth such that it will only prompt for
> credentials when you try to visit a certain website? (Previously I've
> had it set up so it would prompt you right when the browser opens.)

This is merely a matter of ACL organization. http_access (and other
*_access lines) are tested left-to-right top-to-bottom. So place the group
ACL on the end of a line which starts by testing the website with a
dstdomain ACL.

  acl foo dstdomain .example.com
  acl people external ldapGroups ...
  http_access deny foo !people
  ...

>
> Alternatively: Is there a straightforward equivalent to squid_ldap_group
> when using Kerberos authentication?

"squid_ldap_group -K" strips the Kerberos domain parts from the
credentials, allowing group lookup against NTLM.

Markus' squid_kerb_auth helper is bundled with 3.2 under a slightly changed
name. It's available as a stand-alone helper for older Squid from
http://sourceforge.net/projects/squidkerbauth/files/
>
> Running 3.1.1 on Ubuntu x64, installed from Synaptic.
You need an upgrade. If there is not a newer version of squid3 in synaptic
(Ubuntu supplies 3.0.STABLE25 and 3.1.6) there are ported source packages
for 3.1.9 up at https://launchpad.net/~yadi/+archive/ppa
Amos
Received on Mon Nov 01 2010 - 22:17:02 MDT
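
Added example (not part of the message above and not Squid code): a simplified Python model of the left-to-right, top-to-bottom http_access evaluation described in the reply, showing that "deny foo !people" only consults the group ACL, and so only challenges for credentials, when the dstdomain ACL has already matched. The function names, the member list and the host other.test are constructed for illustration.

```python
# Simplified model of Squid's http_access evaluation (illustration only).
NEED_AUTH = "407 challenge"  # credentials required before the ACL can answer

def dstdomain(suffix):
    # Like a ".example.com" dstdomain entry: the domain and its subdomains.
    bare = suffix.lstrip(".")
    return lambda req: req["host"] == bare or req["host"].endswith("." + bare)

def group_acl(members, trace):
    # Stand-in for an external group-lookup ACL that needs a logged-in user.
    def check(req):
        trace.append(req["host"])          # record every time the ACL is consulted
        if req.get("user") is None:
            return NEED_AUTH
        return req["user"] in members
    return check

def negate(acl):
    # The "!" prefix: invert a match, but pass a credential challenge through.
    def check(req):
        result = acl(req)
        return result if result is NEED_AUTH else not result
    return check

def http_access(rules, req):
    # Rules top to bottom; ACLs in a rule left to right, stopping at first miss.
    for action, acls in rules:
        for acl in acls:
            result = acl(req)
            if result is NEED_AUTH:
                return NEED_AUTH
            if not result:
                break
        else:
            return action                  # every ACL on the line matched
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"

def build_rules(group_first=False):
    trace = []
    foo = dstdomain(".example.com")
    not_people = negate(group_acl({"alice"}, trace))   # constructed member list
    line = [not_people, foo] if group_first else [foo, not_people]
    return [("deny", line), ("allow", [lambda req: True])], trace

if __name__ == "__main__":
    rules, trace = build_rules()
    print(http_access(rules, {"host": "other.test"}), trace)        # no lookup
    print(http_access(rules, {"host": "www.example.com"}), trace)   # challenge
```

With group_first=True the same two ACLs in the opposite order challenge on every request, which is the prompt-at-browser-start behaviour the question describes.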