It Worked!!!
Thank you Guys for all your tips...
I got this with the command lines:
------------------------------------------------------------
FOR AUTHENTICATION:
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=yyy" -D "cn=user,ou=example,dc=domain,dc=yyy" -w "password" -f sAMAccountName=%s -h IP_LDAP_SERVER
auth_param basic children 5
auth_param basic realm DOMAIN
auth_param basic credentialsttl 5 minutes
auth_param basic casesensitive off
FOR RECURSIVE LDAP SEARCH:
external_acl_type AD_GROUP ttl=300 negative_ttl=300 %LOGIN /usr/lib/squid3/squid_kerb_ldap -D DOMAIN.YYY -g Group@DOMAIN.YYY
SQUID ACLs:
acl ACL_X external AD_GROUP
http_access allow ACL_X
------------------------------------------------------------
One more time, Thank you very much.
Cheers.
Rickifer Barros
On Fri, Aug 10, 2012 at 9:17 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 10/08/2012 11:55 p.m., Rickifer Barros wrote:
>>
>> Hi Eugene,
>>
>> yes, that's true, but this only works together with the program
>> squid_kerb_auth. So this requires my computer inside a domain. I need
>> that it works with a popup to type username and password.
>>
>> I tried:
>> - to use squid_kerb_auth with the parameter "auth_param basic program"
>> (DOESN'T WORK)
>
>
> Taking Basic auth scheme and sending its credentials format to Kerberos
> scheme helper -> FAIL.
>
>
>> - to use squid_ldap_auth to authenticate and squid_kerb_ldap to search.
>> It authenticates but doesn't search. (DOESN'T WORK)
>
>
> Taking a Basic auth format username and looking up Kerberos groups with it
> could work, but Basic auth usernames do not normally have the @DOMAIN
> syntax part. You will need to check users are logging in with that and it's
> not being stripped away anywhere.
>
>
>> - to use "auth_param negotiate program squid_kerb_auth" with
>> "squid_kerb_ldap" to search, with my computer inside a domain. (IT
>> WORKS!) But without username/password popup.
>
>
> Kerberos is designed to operate without a popup. Move the computer outside
> the domain and it might work only with popups. Or it might not.
>
>
>>
>> Is there some way to join "Authentication via Popup" + "Recursive Query"?
>
>
> They are completely separate operations.
>
> external_acl_type (group lookup) does authorization. Taking the username and
> checking groups. username can come from any authentication type, or even be
> non-authenticated. The only thing that matters is whether the username
> presented by Squid to the helper is of a format which matches something in
> the groups database.
>
> Amos
Received on Fri Aug 10 2012 - 14:24:27 MDT
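
Added example, not part of the original thread and not code from the Squid project: a minimal external_acl_type helper that shows why the username format handed over via %LOGIN decides whether the group lookup matches. The GROUPS table, the normalization rules and the NetBIOS-name check are assumptions made for illustration; DEFAULT_REALM and REQUIRED_GROUP stand in for the -D and -g values in the configuration above.

```python
#!/usr/bin/env python3
"""Illustrative external_acl_type helper for %LOGIN (constructed example)."""
import sys
from urllib.parse import unquote

DEFAULT_REALM = "DOMAIN.YYY"         # plays the role of -D in the config above
REQUIRED_GROUP = "Group@DOMAIN.YYY"  # plays the role of -g in the config above

# Constructed stand-in for the directory: principal -> set of groups.
GROUPS = {
    "alice@DOMAIN.YYY": {"Group@DOMAIN.YYY"},
    "bob@DOMAIN.YYY": {"Other@DOMAIN.YYY"},
}

def normalize(login, default_realm=DEFAULT_REALM):
    """Map the username forms a Basic-auth popup can yield to user@REALM.

    Returns None for anything that cannot be tied to a known realm, so the
    caller denies instead of guessing.
    """
    login = unquote(login).strip()   # field values arrive %-escaped
    if "\\" in login:                # DOMAIN\user form
        netbios, login = login.split("\\", 1)
        # Assumption: the NetBIOS name equals the first label of the realm.
        if netbios.upper() != default_realm.split(".")[0].upper():
            return None
    user, sep, realm = login.partition("@")
    if not user:
        return None
    realm = realm.upper() if sep and realm else default_realm
    # Lower-casing mirrors "auth_param basic casesensitive off".
    return f"{user.lower()}@{realm}"

def decide(line):
    """Return the helper reply (OK or ERR) for one request line."""
    fields = line.split()
    if not fields or fields[0] == "-":   # no username supplied
        return "ERR"
    principal = normalize(fields[0])
    if principal and REQUIRED_GROUP in GROUPS.get(principal, ()):
        return "OK"
    return "ERR"

def main():
    # One request per line on stdin, one reply per line on stdout.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()               # the proxy waits for each reply

if __name__ == "__main__":
    main()
```
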