On 16/12/10 00:05, webmaster wrote:
> Hi Group,
> I'm trying to get squid to let everyone through who belongs to a certain
> LDAP group without prompting for a password. Do I need an 'auth param
> basic program' entry? My configuration works just fine if I check the
> password with ldap auth AND the group with squid_ldap_group, but I want
> to avoid the prompt for the userid / password and just assume the user
> is ok if he/she is in the LDAP group. possible?
Well, to find the group what do you need? usually its the username of
the visitor. Preferrably checked for validity. This is done via
auth_param. If you have another way use that.
Your spec reads like you want to use the fake auth helper. Which
challenges for credentials, but don't verify they are correct.
To start resolving popup problems in auth you need to understand the
prompt/popup is a browser action with nothing to do with Squid or the
specific auth protocol. It occurs when the browser is requried to preset
credentials but cannot find any to send.
This gives you a big pile of clues about how to prevent it:
* storing the credentials in the browser (browser password manager
does this for any auth protocol)
* enabling the client OS to make credentials available to the browser
via a side channel (IDENT, NTLM and Negotiate/Kerberos do this)
* send the browser tokens to send straight back (cookie based auth
systems do this, digest auth does something similar)
Or "the all hack" which prevents Squid challenging for new credentials.
This works find if credentials are guaranteed to be present somehow. But
does cause the ACL rule to bypass if they are not present at all.
The hack looks like:
# some ACL which would normally challenge for credentials
acl auth proxy_auth REQUIRED
http_access allow auth all
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3Received on Wed Dec 15 2010 - 12:00:46 MST
This archive was generated by hypermail 2.2.0 : Wed Dec 15 2010 - 12:00:03 MST