Re: [squid-users] acl's Based on Active Directory Group Membership

From: Tim Neto <tneto@dont-contact.us>
Date: Fri, 27 Aug 2004 16:49:02 -0400

Hello Tim,

Your squid.conf is missing a definition.

 From the default squid.conf file's comments:
            # === Parameters for the basic scheme follow. ===
            #
            # "program" cmdline
            # Specify the command for the external authenticator.
Such a program
            # reads a line containing "username password" and replies
"OK" or
            # "ERR" in an endless loop.
            #
            # By default, the basic authentication sheme is not used
unless a
            # program is specified.
            #
            # If you want to use the traditional proxy
authentication, jump over to
            # the helpers/basic_auth/NCSA directory and type:
            # % make
            # % make install
            #
            # Then, set this line to something like
            #
            # auth_param basic program c:/squid/libexec/ncsa_auth
c:/squid/etc/passwd
                   
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                  |
You need a definition like this -----| before these definitions in
your file:

>auth_param basic children 5
>auth_param basic realm Squid proxy-caching web server
>auth_param basic credentialsttl 2 hours
>
>
I use LDAP authentication, so I have a set of lines like:

            #
---------------------------------------------------------------------------------------------------------------------------------------
            auth_param basic program
<path-to-program>/squid_ldap_auth.exe -h <ldap-server-dns-name> -p
<ldap-port> -P -b <base-OU> -f "uid=%s"

            auth_param basic children 20
            auth_param basic realm Squid proxy-caching web server
            auth_param basic credentialsttl 5 minute
            #
---------------------------------------------------------------------------------------------------------------------------------------

Replace the <value> in my configuration fragment with real values for
your system.

Note, I am running instances of Squid 2.5Build5 on both a Linux (RH9)
and Windows 2000 sp4. LDAP server is a SunONE Directory server 5.2.

Hope this helps some.

Tim

-----------------------------------------------------------
Timothy E. Neto
 Computer Systems Engineer Komatsu Canada Limited
 Ph#: 905-625-6292 x265 1725B Sismet Road
 Fax: 905-625-6348 Mississauga, Canada
 E-Mail: tneto@komatsu.ca L4W 1P9
-----------------------------------------------------------

Tim Donahue wrote:

>I have been asked by the owner of my company to setup a proxy that
>restricts employee's internet access to approved websites only because
>of people that have been abusing their access to the internet. It would
>be nice if we could use group membership to limit their access, so I
>started off by attempting to use winbind, however I could net get
>winbind to list either our groups or our users so I broke down and
>grabbed SquidNT instead.
>
>I have gotten SquidNT running without any acl's that use authorization,
>but now I am starting to try and get the acl's to work, and I'm running
>into a syntax error I can't seem to isolate. I am getting the following
>errors (sorry for the line wrapping, I hope it doesn't get too mangled):
>
>2004/08/27 15:10:00| aclParseAclLine: IGNORING: Proxy Auth ACL 'acl
>password proxy_auth REQUIRED' because no authentication schemes are
>fully configured.
>2004/08/27 15:10:00| aclParseAclLine: IGNORING invalid ACL: acl password
>proxy_auth REQUIRED
>2004/08/27 15:10:00| squid.conf line 1838: http_access allow password
>InetFullAccess
>2004/08/27 15:10:00| aclParseAccessLine: ACL name 'password' not found.
>
>
>My squid.conf, with all the comments stripped out to reduce the size of
>the file, is pasted in below. If anyone has any ideas how to get this
>error fixed, it would be greatly appreciated.
>
>Tim Donahue
>
>
>
>http_port 3128
>
>hierarchy_stoplist cgi-bin ?
>
>acl QUERY urlpath_regex cgi-bin \?
>no_cache deny QUERY
>
>cache_mem 256 MB
>
>cache_dir ufs c:/squid/var/cache 1000 16 256
>
>cache_access_log c:/squid/var/log/access.log
>
>cache_log c:/squid/var/log/cache.log
>
>cache_store_log c:/squid/var/log/store.log
>
>emulate_httpd_log on
>
>auth_param basic children 5
>auth_param basic realm Squid proxy-caching web server
>auth_param basic credentialsttl 2 hours
>
>external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G -c
>
>refresh_pattern ^ftp: 1440 20% 10080
>refresh_pattern ^gopher: 1440 0% 1440
>refresh_pattern . 0 20% 4320
>
>acl InetFullAccess external NT_global_group InetFullAccess
>acl win32 proxy_auth REQUIRED
>
>acl all src 0.0.0.0/0.0.0.0
>acl manager proto cache_object
>acl localhost src 127.0.0.1/255.255.255.255
>acl to_localhost dst 127.0.0.0/8
>acl SSL_ports port 443 563
>acl CONNECT method CONNECT
>
>http_access allow win32 InetFullAccess
>
>http_access allow manager localhost
>http_access deny all
>http_access deny !Safe_ports
>http_access deny CONNECT !SSL_ports
>
>http_access deny all
>http_reply_access allow all
>
>icp_access deny all
>
>cache_mgr tdonahue@haynes-group.com
>
>visible_hostname pm.haynes-group.com
>
>logfile_rotate 30
>
>coredump_dir c:/squid/var/cache
>
>
>
>
Received on Fri Aug 27 2004 - 14:49:06 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Sep 01 2004 - 12:00:03 MDT