[squid-users] Fallback auth method

schinken schinken at hackerspace-bamberg.de
Tue Nov 11 09:33:40 UTC 2014


Hi there,

I'm trying to use basic_ncsa_auth as a fallback to my NTLM/Kerberos and
LDAP authentication.


The problem here is that even if my user is successfully authenticated
by ncsa_auth, it's denied by the memberof external_acl rule.

Is there a way to skip this acl rule if ncsa_auth was the authenticator?


My configuration looks like this:

> # Negotiate Kerberos and NTLM
> 
> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=NT-DOMAINNAME --kerberos /usr/lib/squid3/negotiate_kerberos_auth -s GSS_C_NO_NAME
> ...
> 
> # NTLM Authentication
> 
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=NT-DOMAINNAME
> ...
> 
> # LDAP/ActiveDirectory
> 
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "dc=COMPANY,dc=int" -D squid@company.int -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h ad.company.int,ad3.company.int
> ....
> 
> # basic-auth
> 
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
> 
> 
> # AD memberof check
> 
> external_acl_type memberof ttl=300 negative_ttl=300 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -b "dc=COMPANY,dc=int" -D squid@company.int -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof:1.2.840.113556.1.4.1941:=cn=%g,ou=Groups,ou=foobar,dc=COMPANY,dc=int))" -h ad.company.int,ad3.company.int
>
> acl auth proxy_auth REQUIRED
> http_access deny !auth
> http_access allow auth
>
> acl AllowedMemberOf external memberof "/etc/squid3/memberof_allow.txt"
> acl BlockedMemberOf external memberof "/etc/squid3/memberof_deny.txt"
>
> http_access allow AllowedMemberOf all
> http_access deny BlockedMemberOf all

Best,
Schinken

---
Backspace e.V.
http://hackerspace-bamberg.de

mail: schinken at hackerspace-bamberg.de
xmpp: schinken at tai-wahn.de (otr)
GPG: FFB7 E40D B2DD D24C C9B7 B5C5 703C F8B8 882C 871E
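Added example (editor's code, not from the original post or from the Squid project). Squid keeps one helper per authentication scheme, so the second `auth_param basic program` line in a configuration like the one above replaces the first instead of acting as a fallback. The usual way to get "try LDAP, then the local passwd file" is a single wrapper helper that speaks the basic-helper line protocol to Squid and forwards each `username password` line to the real helpers in turn. The wrapper path `/usr/local/bin/basic_chain_auth` is hypothetical, and the stand-in helpers at the bottom are constructed shell one-liners so the chain can be exercised offline; in production the arguments would be the real `basic_ldap_auth` and `basic_ncsa_auth` command lines.

```python
#!/usr/bin/env python3
"""Chain several Squid basic-auth helpers behind one helper process.

Squid talks only to this wrapper; every "username password" line it
sends is forwarded to the configured helpers in order, and the wrapper
answers OK as soon as one helper does, ERR otherwise.

Assumed squid.conf line (hypothetical wrapper path, not from the post):

  auth_param basic program /usr/local/bin/basic_chain_auth \
      "/usr/lib/squid3/basic_ldap_auth -R -b dc=COMPANY,dc=int ..." \
      "/usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd"
"""
import shlex
import subprocess
import sys
from typing import Dict, List


class Helper:
    """One long-running Squid basic helper, driven line by line."""

    def __init__(self, argv: List[str]) -> None:
        self.proc = subprocess.Popen(
            argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            stderr=sys.stderr, text=True, bufsize=1)

    def ask(self, line: str) -> str:
        """Send one 'user password' line; return 'OK' or 'ERR'.

        A helper that has exited, or that answers anything other than a
        leading OK token, counts as ERR: the chain fails closed.
        """
        try:
            self.proc.stdin.write(line + "\n")
            self.proc.stdin.flush()
            reply = self.proc.stdout.readline()
        except (BrokenPipeError, OSError, ValueError):
            return "ERR"
        token = reply.split(None, 1)[0] if reply.strip() else ""
        return "OK" if token == "OK" else "ERR"

    def close(self) -> None:
        """Closing stdin is the helper's exit signal; then reap it."""
        try:
            self.proc.stdin.close()
        except OSError:
            pass
        try:
            self.proc.wait(timeout=5)
        except subprocess.TimeoutExpired:
            self.proc.kill()


def authenticate(helpers: List[Helper], line: str) -> str:
    """First helper to say OK wins; if none does, the answer is ERR."""
    for helper in helpers:
        if helper.ask(line) == "OK":
            return "OK"
    return "ERR"


def main(argv: List[str]) -> int:
    """Squid entry point: each argument is one helper command line."""
    helpers = [Helper(shlex.split(spec)) for spec in argv[1:]]
    if not helpers:
        sys.stderr.write("usage: basic_chain_auth 'helper argv' [...]\n")
        return 2
    for line in sys.stdin:
        line = line.rstrip("\n")
        if line:
            sys.stdout.write(authenticate(helpers, line) + "\n")
            sys.stdout.flush()
    for helper in helpers:
        helper.close()
    return 0


# Constructed stand-ins for basic_ldap_auth and basic_ncsa_auth: each
# accepts exactly one credential pair over the same line protocol the
# real helpers use, so the chain can be exercised without LDAP or Squid.
FAKE_LDAP = ["sh", "-c", 'while read u p; do [ "$u $p" = "alice ldap-pw" ]'
             ' && echo OK || echo ERR; done']
FAKE_NCSA = ["sh", "-c", 'while read u p; do [ "$u $p" = "bob local-pw" ]'
             ' && echo OK || echo ERR; done']
DEAD_HELPER = ["sh", "-c", "exit 0"]  # a helper that died on start-up


def demo() -> Dict[str, str]:
    """Run the constructed chain: dead helper, then LDAP, then passwd."""
    helpers = [Helper(DEAD_HELPER), Helper(FAKE_LDAP), Helper(FAKE_NCSA)]
    attempts = ["alice ldap-pw", "bob local-pw", "bob ldap-pw", "mallory x"]
    results = {line: authenticate(helpers, line) for line in attempts}
    for helper in helpers:
        helper.close()
    return results


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats for the second half of the question. Squid's `http_access` rules match on the authenticated user name (`%LOGIN`), not on which helper verified it, so "skip memberof when ncsa_auth answered" is not something the ACLs can express directly; with a small local passwd file the practical substitute is a `proxy_auth` ACL listing those local user names, allowed before the memberof rules. And `http_access` is first-match: memberof rules placed after an unconditional `http_access allow auth` are never evaluated, so the group rules have to come before it. Chaining also means a password rejected by LDAP is retried against the local file, so keep that file short and the local accounts distinct from AD accounts.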
