[squid-users] Pseudo proxy authentication (mapping of IP address to user name) in intercept mode.
Amos Jeffries
squid3 at treenet.co.nz
Tue Oct 17 13:53:45 UTC 2017
On 17/10/17 22:39, Rafael Akchurin wrote:
> Hello everyone,
>
> I would like to get your opinions on the subject.
>
> *Problem*: admin needs to manage squid acls (and icap web filter
> settings) using security groups from Active Directory. For non-technical
> reasons, setup of explicit proxy settings and thus enforcing proxy
> authentication on Squid is not possible.
>
> *Solution*:
>
> 1.Deploy some agent on domain controller that would periodically
> enumerate workstation IPs and get currently logged on users by WMI or
> something like this. This is fine and already working in our project at
> https://github.com/diladele/active-directory-inspector
>
> 2.Let Squid somehow use the remote running inspector to match the IP
> address to user names (and expose the user name to ICAP eventually). May
> be anyone knows the type of helper/acl/annotation that needs to be in
> running/configured on the Squid box?
>
That kind of authorization is the purpose of the session and LDAP
external ACL helpers. Though AFAIK neither of them uses the AD interface
(YMMV if the Perl DB module can use AD as an SQL-like database).
You might be able to also be use the Basic auth LDAP helper from
Squid-3.4+ as an external ACL helper. It will require some fiddling of
the LDAP parameters and the ACL input format to make the external ACL
input into the Basic-auth lookup.
Amos
More information about the squid-users
mailing list