Re: [squid-users] NTLM Group Pop up screen

From: Edward Mann <[email protected]>
Date: 09 Oct 2002 17:04:45 -0500

Here is my setup doing what you suggested.

auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/lib/squid/wb_auth
auth_param basic children 5
auth_param basic realm ChoicePoint Proxy server
auth_param basic credentialsttl 2 hours

external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
acl FullAccess external NT_global_group internet
acl internet proxy_auth REQUIRED

http_access deny !FullAccess internet
http_access allow internet

I think I have something missing here. Can you point it out and tell me?

Thanks for your help.

On Wed, 2002-10-09 at 16:12, Jerry Murdock wrote:
> What are your current http_access entries?
>
> Generally, if your proxy_auth acl is part of the denying http_access line,
> the login will be offered again, i.e.:
>
> This will go directly to an access denied page:
> http_access deny !My_InternetGroup_ACL
> http_access allow My_Proxy_Auth_ACL
>
> This will cause a login prompt:
> http_access deny !My_InternetGroup_ACL My_Proxy_Auth_ACL
> http_access allow My_Proxy_Auth_ACL
>
> Jerry
>
> ----- Original Message -----
> From: "Edward Mann" <edward@arctechnology.com>
> To: "Guido Serassio" <serassio@libero.it>
> Cc: <squid-users@squid-cache.org>
> Sent: Wednesday, October 09, 2002 4:38 PM
> Subject: Re: [squid-users] NTLM Group Pop up screen
>
>
> > Hey,
> >
> > After reading my original message I realized that I had not made myself
> > clear. So here is my second run at it.
> >
> >
> > I have a group on our Domain called internet. If you are in this group
> > then you are able to surf the web. (cool!) If you are not you get an
> > Access denied page. (not Cool!) What I would like is before you are given
> > that page, you are prompted to supply a username and password. Once you
> > fail that then you get the Access denied screen.
> >
> > Thanks.
> >
> >
> >
> > On Wed, 2002-10-09 at 15:28, Guido Serassio wrote:
> > > Hi,
> > >
> > > At 22.19 09/10/2002, Edward Mann wrote:
> > > >I have been successful in getting NTLM and Group auth to work. I am
> > > >going to write a HOW-TO if anyone is interested. Please let me know
> > > >
> > > >Now my question.
> > > >
> > > >Since I have it working, when a user goes to the web, they are given the
> > > >Access denied screen. This is cool, but I would like to know if when the
> > > >user is not found in the group that the dialog box for username password
> > > >is returned to them. I have tested this with an ISA box that some of the
> > > >people that I work with would like to move the company over to. Is this
> > > >possible? Does the code need to be modified to do this or am I missing
> > > >an option?
> > >
> > > I think that you are using External ACL for group membership check, if this
> > > is true, take a look at the deny_info squid.conf directive.
> > >
> > > Regards
> > >
> > > Guido
> > >
> > >
> > >
> > > -
> > > =======================================================
> > > Serassio Guido
> > > Via Albenga, 11/4 10134 - Torino - ITALY
> > > E-mail: guido.serassio@serassio.it
> > > WWW: http://www.serassio.it
> >
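
Added example, not part of the original thread and not Squid code: a simplified Python model of the http_access behaviour Jerry describes, run over Edward's ACL names. It assumes a matching deny line answers 407 (login prompt) when its last ACL is a proxy_auth ACL and 403 (access denied page) otherwise; the function names and the two rule sets are constructed for illustration.

```python
# Simplified model of Squid http_access evaluation (illustration only).
# Assumption: a matching deny line returns 407 when its last ACL is a
# proxy_auth ACL, and 403 otherwise, as in Jerry's two examples.

ACL_TYPES = {"FullAccess": "external", "internet": "proxy_auth"}  # names from Edward's squid.conf

# Constructed rule sets: the first mirrors Jerry's "access denied" ordering,
# the second is the pair of lines Edward posted.
DENIED_PAGE = """
http_access deny !FullAccess
http_access allow internet
"""
LOGIN_PROMPT = """
http_access deny !FullAccess internet
http_access allow internet
"""

def parse_rules(conf):
    """Turn 'http_access allow|deny acl ...' lines into (action, [(negated, name)])."""
    rules = []
    for line in conf.strip().splitlines():
        directive, action, *terms = line.split()
        if directive != "http_access" or action not in ("allow", "deny"):
            raise ValueError(f"unsupported line: {line!r}")
        rules.append((action, [(t.startswith("!"), t.lstrip("!")) for t in terms]))
    return rules

def acl_matches(name, user, groups):
    """proxy_auth REQUIRED matches any logged-in user; the external ACL checks group 'internet'."""
    if ACL_TYPES[name] == "proxy_auth":
        return user is not None
    return "internet" in groups

def evaluate(rules, user=None, groups=()):
    """Return the status the client sees: 200, 403 (denied page) or 407 (login prompt)."""
    for action, terms in rules:
        for negated, name in terms:
            if user is None:
                return 407  # both ACL types need a login before they can be checked
            if acl_matches(name, user, groups) == negated:
                break  # this term failed, so the line does not apply
        else:
            if action == "allow":
                return 200
            return 407 if ACL_TYPES[terms[-1][1]] == "proxy_auth" else 403
    # No line matched: Squid applies the opposite of the last line's action.
    return 403 if rules[-1][0] == "allow" else 200
```

Calling `evaluate(parse_rules(LOGIN_PROMPT), user="bob")` models an authenticated user outside the internet group and shows the re-prompt, while the same user under `DENIED_PAGE` gets the denied page.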
Received on Wed Oct 09 2002 - 16:03:54 MDT