Hello!
I have been trying for 2 weeks to install Squid 2.6.STABLE18 for Windows.
What I want is the following:
I created a group in the Active Directory with the name "InternetUsers",
Group Scope "Domain local", Group Type "Security". The group scope "Domain
local" is mandatory because we have AD trusts with other divisions and the
users need to log in to the Internet across these domains through
my Squid. An example:
Users in this group:
mydomain1\testuser
mydomain2\testuser
mydomain3\testuser
Result of my configuration:
Only the mydomain1 users can log in successfully with the proxy settings.
The others get a "DENIED" from Squid. Can somebody please help
me with my specific problem?
Here are my settings and configurations:
My System:
Windows Server 2003 Standard Edition SP2
2.3 GHz
512 MB RAM
8 GByte HDD
no other services are running
is in domain mydomain1
(Is installed on VMWare ESX-Server)
AD-Server:
Active Directory 2003
Squid Configuration:
Installed the Squid Service with these cmd-instructions:
C:\squid\sbin\squid.exe -i -f "C:/squid/etc/squid.conf" -n "Squid1"
and
C:\squid\sbin\squid.exe -z -f "C:/squid/etc/squid.conf"
to create the cache.
After that I changed the squid.conf file:
auth_param basic program C:/squid/libexec/squid_ldap_auth.exe -R -b "dc=stec-01,dc=s-tec" -D "cn=Administrator,cn=Users,dc=stec-01,dc=s-tec" -w "password" -f sAMAccountName=%s -h 172.27.208.59 -p 3268
auth_param basic children 5
auth_param basic realm Squid Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
external_acl_type InetGroup %LOGIN C:/squid/libexec/squid_ldap_group.exe -R -b "dc=mydomain,dc=at" -D "cn=Administrator,cn=Users,dc=mydomain,dc=at" -w password -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Groups,DC=mydomain,DC=at))" -h 172.27.208.59 -p 3268
acl localMAGNA dstdomain .mydomain1.at .mydomain2.at .mydomain3.at
acl localnet proxy_auth REQUIRED
acl ProxyUsers external InetGroup InternetUsers
http_access allow localMAGNA
http_access allow ProxyUsers
At first I tried to do this with LDAP. The same with NTLM.
Thank you very much in advance for your help.
With kind regards
Martin
Received on Tue Apr 22 2008 - 15:25:48 MDT
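
An added example, not part of the original post and not code from Squid: a small Python model of how the `%v` (login name) and `%a` (group name) placeholders in the `-f` filter of the `external_acl_type` line above expand for different login forms, with RFC 4515 escaping applied. The escaping, the domain-stripping step and all function names are assumptions made for illustration, and the login forms are constructed from the account names listed in the post.

```python
import re

# Filter template copied from the external_acl_type line in the post.
GROUP_FILTER = ("(&(objectclass=person)(sAMAccountName=%v)"
                "(memberof=CN=%a,OU=Groups,DC=mydomain,DC=at))")

def escape_filter_value(value):
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def strip_nt_domain(login):
    """Hypothetical helper: drop a leading DOMAIN\\ or DOMAIN/ prefix."""
    return re.split(r"[\\/]", login, maxsplit=1)[-1]

def expand(template, login, group, strip_domain=False):
    """Substitute %v (login name) and %a (group name) into the template."""
    user = strip_nt_domain(login) if strip_domain else login
    values = {"v": escape_filter_value(user), "a": escape_filter_value(group)}
    # A function replacement is inserted literally, so backslashes survive.
    return re.sub(r"%([va])", lambda m: values[m.group(1)], template)

def account_assertion(ldap_filter):
    """Return the (sAMAccountName=...) component of an expanded filter."""
    return re.search(r"\(sAMAccountName=[^)]*\)", ldap_filter).group(0)

if __name__ == "__main__":
    # Constructed login forms, based on the account names listed in the post.
    for login in ("testuser", "mydomain2\\testuser", "mydomain3/testuser"):
        for strip in (False, True):
            f = expand(GROUP_FILTER, login, "InternetUsers", strip_domain=strip)
            print("%-20s strip=%-5s %s" % (login, strip, account_assertion(f)))
```

Running it prints the sAMAccountName assertion each login form produces, which can be compared with the account name actually stored in the directory.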