Re: [squid-users] Auth with NTLM and LDAP on Active Directory

From: Oliver Hookins <[email protected]>
Date: Thu, 17 Feb 2005 15:33:05 +1100

jphml@sympatico.ca wrote:
> Hi,
>
> I would like to authenticate Active Directory users via LDAP and group membership. My setup seems to work fine except for one little thing.
>
> First here is my config:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 40
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 1 minutes
>
>
> external_acl_type LDAPGROUP %LOGIN /usr/libexec/squid_ldap_group -b "ou=MYCIE,dc=mycie,dc=com" -D "cn=USERNAME,ou=ITS,ou=MYCIE,dc=mycie,dc=com" -w MYPASS -f "(&(samAccountName=%v)(memberOf=cn=%a,ou=ITS,ou=MYCIE,dc=mycie,dc=com))" -p 389 -S -P -d -h 10.64.1.10
>
> acl AXS external LDAPGROUP Internet_access
> http_access allow AXS all
> http_access deny all
>
>
> It works fine, if the user is in the AD group Internet_access, he can browse the internet, if he's not in the group, he can't.
>
> The problem:
> The problem is if I modify a user access (remove or add in Internet_access) I need to use "squid -k reconfigure" to apply the changes.
>
> Is there something I can change that wouldn't required a squid reconfigure?
>
> I also seen some post about squid_ldap_auth, does it only support basic auth? Would it solve my problem?

Check out the ttl and negative_ttl on authorisation. You need to set it
to something low enough for your changes to become apparent relatively
quickly (I use 2 minutes). You set it on the external_acl_type line so
check out the squid.conf comments above it.

Regards,
Oliver
Received on Wed Feb 16 2005 - 21:33:10 MST

This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:02 MST