Adrian Chadd wrote:
> On Fri, Dec 14, 2007, cuchulain 78 wrote:
>
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp --require-membership-of=groupname
>>
>> However if a user who isnt a member of this group tries to browse, they get
>> prompted for a username and password. Is there any way to disable this login
>> box and forward them to the standard squid denied page.
>>
>> Since I dont know with program pops up the login bix I actually dont know if
>> this is squid or dansguardian related.
>
> I believe its part and parcel of the authentication process. Squid sends
> an authentication challenge; they send their reply; Squid then says "nup!"
> and asks for it to try authenticating again. The browser then pops up a
> box asking for alternative credentials.
While technically exactly true. There is a workaround that I have been
itching to try out. If you are up for an experiment cuchulain 78!
According to Henrik way back; the box only pops up if auth is the last
ACL on the line.
Along with that is my own experiences hacking deny_info for nefarous
purposes :-)
So ... creating a new ACL containing 'all' ... placing it at the EOL and
adding a matching deny_info ... should in my mind do what is wanted here.
The config would look like this:
# skipping the actual auth_param bits ... ...
# and the bits checking whatever web-login ...
acl ntmlAuth auth REQUIRED
acl altAuth src all
deny_into htto://page.somewhere.invalid/index.html altAuth
http_access deny !ntlmAuth altAuth
Anyone keen to try that out? Could you please let me know the resulting
success/failure.
Amos
Received on Fri Dec 14 2007 - 06:43:11 MST
This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:02 MST