Hi all,
(Sorry for my bad English)
I'm setting-up SQUID for my work, and I'm having problems with ACL and LDAP :
We have 3 domains with approbations working up. I have set-up SQUID to
work as Transparent proxy and NTLM authentication.
It's working well with my domain1.local, all users are logged without
prompted for a login / password.
We have 2 types of users :
- Users who can access to everything on internet
- Users who are restricted to specifics websites, based on a whitelist.
This is made by Active Directory groups : If a user belong to the
Group Internet_full he has no restriction. But if he belongs to
Internet_Limited, then he can only access to the websites which have
been specified in my whitelist file.
Squid checks the groups with wbinfo_groups.pl
It's working great whit my domain1.local
The problem I have :
The users are well authenticated on my domain2.local and
domain3.local, but the filter for the groups doesn't works : All my
users from domain2.local and domain3.local are able to access to any
websites, even if they are members of Internet_Limited group.
If I do a wbinfo �u I get only my users from domain1.local
So I have attempted to do a : wbinfo -a
domain2\\administrator%password and I get :
plaintext password authentication succeeded
challenge/response password authentication succeeded
After that, I tried wbinfo �sequence and it gets me :
Domain2: DISCONNECTED
domain3 : DISCONNECTED
BUILTIN : 1220623949
SRVPROXY-SQUID : 1220623949
domaine1 : 817325
I think the problem is here, but not sure, because a user of
domain2.local is well authenticated on my SQUID server, but can't
retrieve his groups.
If I do ./wbinfo_group.pl and then type domain1\\Administrator
Internet_full, it returns me OK (because Administrator is member of
the group Internet_full)
If I test the same command with Internet_Limited, it returns me ERR
(because Administrator isn't member of Internet_Limited)
So it's seems to work with my domain1.
But when I try the same command with domain2 or domain3, here what I get :
Could not get groups for user domain2\administrator
Here a sample of my Squid.conf :
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid AD
auth_param basic credentialsttl 2 hours
external_acl_type NT_global_group %LOGIN /usr/lib/squid/wbinfo_group.pl
#Recommended minimum configuration:
[...]
acl CONNECT method CONNECT
acl ntlm proxy_auth REQUIRED
acl Full_Access external NT_global_group internet_full
acl Limited_Access external NT_global_group internet_limited
acl whitelist dstdomain "/whitelist"
acl localnet proxy_auth REQUIRED src 10.0.0.0/8
http_access allow Full_Access
http_access allow whitelist Limited_Access
# And finally deny all other access to this proxy
http_access deny all
I repeat that in spite of group filters does not work for the other 2
domains, authentication works great on the 3 domains !
Hope you can help me :)
Thanks in advance !
Received on Mon Sep 08 2008 - 12:16:08 MDT
This archive was generated by hypermail 2.2.0 : Mon Sep 08 2008 - 12:00:02 MDT