Re: [squid-users] Squid and Active Directory

From: John <[email protected]>
Date: Thu, 4 Nov 2004 01:46:40 -0000

Hi Matt,

Thanks for the reply. Does this mean that I need to set up and run a samba
server on the squid box? My company security team are against running samba
as they consider samba to be inherently insecure. Is there a way to run
squid with Active Directory for authentication without having to include
samba?

Thanks & regards

John
----- Original Message -----
From: "Matt Alexander" <lowbassman@gmail.com>
To: <squid-users@squid-cache.org>
Sent: Thursday, November 04, 2004 12:03 AM
Subject: Re: [squid-users] Squid and Active Directory

> You'll need to edit your samba config file for your particular domain,
> start winbindd, and add the following to your squid.conf:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 20
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 30 minutes
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Web Proxy
> auth_param basic credentialsttl 2 hours
> external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
> acl winbind proxy_auth REQUIRED
> acl internetusers external nt_group internet
> http_access allow internetusers
> http_access deny all
>
> The above also contains the additional requirement that users must be
> in the Windows "internet" group. If you don't need this then you can
> remove the internetusers acl and the wbinfo_group.pl line. Then
> change http_access to allow winbind.
> ~Matt
>
>
> On Wed, 3 Nov 2004 22:45:49 -0000, John <john.rushe@tiscali.co.uk> wrote:
>> Hi
>>
>> My site is moving away from LDAP to Active Directory for authentication
>> for our internet users going through the Squid proxy server. In order to
>> get squid to talk to active directory for user authentication, is it also
>> a requirement to set up, configure and run samba? I had hoped that
>> switching to active directory would just mean tweaking the existing LDAP
>> auth_param directive.
>>
>> Regards
>>
>> John
>>
>>
>
>
> --
> Get Firefox!
> http://www.mozilla.org/products/firefox/
Received on Wed Nov 03 2004 - 18:45:14 MST
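
A check an administrator could run over the squid.conf fragment quoted above, as an added example that is not part of the thread or of Squid: it flags any `http_access allow` rule that can match without proxy authentication, and a rule list that does not end in `deny all`. The function name and sample configurations are constructed for illustration; the parser assumes one directive per line and that the `all` ACL is defined elsewhere in squid.conf.

```python
# Added example, not code from the thread: audit http_access rules in squid.conf text.

def audit_http_access(conf_text):
    """Return findings for allow rules that do not depend on proxy authentication."""
    login_helpers = set()  # external_acl_type names whose format includes %LOGIN
    auth_acls = set()      # ACL names that can only match an authenticated user
    rules = []             # (action, [acl, ...]) in file order
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 3:
            continue
        if tok[0] == "external_acl_type" and "%LOGIN" in tok[2:]:
            login_helpers.add(tok[1])
        elif tok[0] == "acl":
            is_ext = tok[2] == "external" and len(tok) > 3 and tok[3] in login_helpers
            if tok[2] == "proxy_auth" or is_ext:
                auth_acls.add(tok[1])
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    findings, gated = [], False
    for action, acls in rules:
        # "deny !authacl" rejects everyone who has not authenticated, so
        # later allow rules are only reachable by authenticated users.
        if action == "deny" and len(acls) == 1 and acls[0][:1] == "!" and acls[0][1:] in auth_acls:
            gated = True
        elif action == "allow" and not gated and not any(a in auth_acls for a in acls):
            findings.append("allow without authentication: " + " ".join(acls))
    if not rules or rules[-1] != ("deny", ["all"]):
        findings.append("last http_access rule is not 'deny all'")
    return findings

# Constructed inputs: the fragment from the thread with mail-wrapped lines
# rejoined, the "no group check" variant, and a constructed misconfiguration.
HELPERS = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl winbind proxy_auth REQUIRED
acl internetusers external nt_group internet
"""
GROUP_CONF = HELPERS + "http_access allow internetusers\nhttp_access deny all\n"
USER_CONF = HELPERS + "http_access allow winbind\nhttp_access deny all\n"
BAD_CONF = HELPERS + "acl lan src 10.0.0.0/8\nhttp_access allow lan\nhttp_access allow winbind\n"

if __name__ == "__main__":
    for name, conf in (("group", GROUP_CONF), ("user", USER_CONF), ("bad", BAD_CONF)):
        print(name, audit_http_access(conf))
```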
