Re: [squid-users] Why need this for get "auth-sync" between squid and dansguardian?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 04 Apr 2011 23:26:13 +1200

On 04/04/11 20:51, Fran Márquez wrote:
>
>
> On 03/04/2011 9:22, Amos Jeffries wrote:
>> On 02/04/11 01:12, Fran Márquez wrote:
>>> I'm modifying the squid.conf file of my proxy server to replace "basic
>>> auth" with "ntlm auth".
>>
>> Please consider going straight to Negotiate/Kerberos. NTLM is
>> officially deprecated and should be avoided where possible.
>
> I can't get Negotiate implemented. All my tries have failed. I will try
> again before starting to use NTLM in a production environment...
>
>
>>
>>>
>>> All works fine in squid, but when I use dansguardian, I've noticed that
>>> dansguardian doesn't get the username if I remove these lines from
>>> squid.conf:
>>>
>>>
>>> ------------------------------------------------
>>> external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=domain" -D "cn=proxy,cn=proxy,dc=domain" -w "proxy" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=proxy,dc=domain))" -h 1.1.1.1
>>>
>>> acl ldapLimited external ldap_group notAlowed
>>> acl ldapTotal external ldap_group alowed
>>>
>>> http_access allow ldapTotal all
>>> ------------------------------------------------
>>>
>>> Note: 1.1.1.1 is the DC IP address
>>>
>>>
>>> I thought that these lines affect only basic authentication since they
>>> were already written before I started to implement the NTLM auth.
>>>
>>> Can anybody explain to me what these lines are doing exactly? I checked
>>> the ldap groups referred to in these lines (ldapLimited and ldapTotal)
>>> and they are empty.
>>
>> What those lines do:
>> external_acl_type using "%LOGIN" requires authentication credentials in
>> order to be tested. These details are required regardless of the result.
>>
>> So whenever Squid reaches that ACL and tries to test it, it will either
>> use the credentials given or challenge the browser to present some.
>>
>> The type of authentication does not matter to Squid when testing the
>> ACLs. Whatever types you have in your auth_param setup will be used
>> and sent.
>>
>
> Well, then this can be considered a valid and correct method for
> DansGuardian to get the auth info, right?
>
>>
>> I think the problem is likely that DG does not support NTLM. Or that
>> your Squid version does not allow one of the many pre-requisites needed
>> to get (stateful!) NTLM to work over (stateless) HTTP.
>> These requirements are:
>> * pinning client and server connection together for the duration of
>> *either* TCP link.
>> * HTTP/1.1-style persistent server connections
>> * HTTP/1.1-style persistent client connections
>>
>
> Dansguardian includes a plugin called auth-ntlm, which is supposed to
> provide NTLM support, but it doesn't work fine for me, so the only method
> I found is to use the mentioned acl.
>
> Regarding the requirements... I don't think that this was the cause, since
> Squid and DansGuardian are on the same machine and I'm using recent
> versions of both:
>
> Squid version:
>
> Squid Cache: Version 3.0.STABLE25

Ah. There is the problem. 3.0 series Squid do not support the pinning of
connections. You will need a 3.1 or 2.7 series Squid for NTLM to work.

>
> Dansguardian version: dansguardian-2.10.1.1
>

Okay. IIRC that version does NTLM and it should work when the Squid is
upgraded.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.6
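As an added example, not part of this thread and not from the Squid or DansGuardian projects: a squid.conf fragment that states the authentication requirement explicitly with a `proxy_auth REQUIRED` ACL, instead of relying on the side effect Amos describes (a `%LOGIN` external ACL forcing a credential challenge). The helper program paths are assumptions; the LDAP helper line, bind DN, filter and DC address are copied from the thread, and the `ttl`/`negative_ttl` values are constructed.

```conf
# Added example (not from the thread or the Squid project). Makes the
# authentication requirement explicit so that the 407 challenge no longer
# depends on whether Squid happens to evaluate the %LOGIN external ACL.
# Helper paths are assumptions; adjust for your distribution.

# Negotiate (Kerberos) first, NTLM only as a fallback for clients that
# cannot do Kerberos. NTLM needs connection pinning, which per this thread
# is only available in Squid 2.7 or 3.1+, not 3.0.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth        # assumed path
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp   # Samba helper, assumed path
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Demand credentials on every request. Squid challenges the browser here,
# so DansGuardian sitting in front of Squid sees a username each time.
acl authenticated proxy_auth REQUIRED

# Group membership lookup from the thread. %LOGIN is still required so the
# helper receives the username, but it is no longer what triggers the
# challenge. Cached results limit LDAP load from repeated requests.
external_acl_type ldap_group ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=domain" -D "cn=proxy,cn=proxy,dc=domain" -w "proxy" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=proxy,dc=domain))" -h 1.1.1.1
acl ldapTotal external ldap_group alowed

# Order matters: reject unauthenticated requests first (this line is what
# sends the 407), then allow the permitted group, then deny by default.
http_access deny !authenticated
http_access allow ldapTotal
http_access deny all
```

The final `http_access deny all` is the safety net: with only `http_access allow ldapTotal all` as in the original fragment, a request that fails the group check falls through to Squid's implicit default, so the outcome depends on what follows in the file rather than on a rule you can read. Keeping the bind password in `-w "proxy"` on the command line makes it visible in the process list; restrict the read permissions on squid.conf and use a dedicated read-only bind account, as the thread's `cn=proxy` account suggests.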
Received on Mon Apr 04 2011 - 11:26:17 MDT