Re: [squid-users] Allow group without password check

From: webmaster <webmaster_at_howard-allison.com>
Date: Wed, 15 Dec 2010 14:23:18 +0100

Thanks Amos,
The hack won't do the job for us. Looks like we'll have to stick with ntlm.
h

On 15.12.2010 13:00, Amos Jeffries wrote:
> On 16/12/10 00:05, webmaster wrote:
>> Hi Group,
>> I'm trying to get squid to let everyone through who belongs to a certain
>> LDAP group without prompting for a password. Do I need an 'auth param
>> basic program' entry? My configuration works just fine if I check the
>> password with ldap auth AND the group with squid_ldap_group, but I want
>> to avoid the prompt for the userid / password and just assume the user
>> is ok if he/she is in the LDAP group. Possible?
>
>
> Well, to find the group what do you need? Usually it's the username of
> the visitor. Preferably checked for validity. This is done via
> auth_param. If you have another way use that.
>
> Your spec reads like you want to use the fake auth helper. Which
> challenges for credentials, but doesn't verify they are correct.
>
>
> To start resolving popup problems in auth you need to understand the
> prompt/popup is a browser action with nothing to do with Squid or the
> specific auth protocol. It occurs when the browser is required to
> present credentials but cannot find any to send.
>
> This gives you a big pile of clues about how to prevent it:
> * storing the credentials in the browser (browser password manager
> does this for any auth protocol)
> * enabling the client OS to make credentials available to the browser
> via a side channel (IDENT, NTLM and Negotiate/Kerberos do this)
> * send the browser tokens to send straight back (cookie based auth
> systems do this, digest auth does something similar)
>
> Or "the all hack" which prevents Squid challenging for new
> credentials. This works fine if credentials are guaranteed to be
> present somehow. But does cause the ACL rule to bypass if they are not
> present at all.
> The hack looks like:
> # some ACL which would normally challenge for credentials
> acl auth proxy_auth REQUIRED
> http_access allow auth all
>
> Amos
Received on Wed Dec 15 2010 - 13:23:31 MST
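
The "all hack" from the quoted reply, applied to the LDAP group check described in the question; this is an added example, not configuration posted by anyone in the thread. The helper paths, LDAP host, base DN, search filter, and the names ldap_group, InGroup and ProxyUsers are assumptions, as is the hack behaving for a %LOGIN external ACL the way the reply describes for proxy_auth.

```conf
# Basic auth still verifies the password against LDAP; the hack below only
# stops Squid from issuing a *new* challenge, it does not replace verification.
# (helper paths, host and base DN are assumed values)
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=com" -h ldap.example.com
auth_param basic children 5
auth_param basic realm proxy

# Group lookup keyed on the authenticated username (%LOGIN).
# (filter and group schema are assumed values)
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b "dc=example,dc=com" -f "(&(objectclass=groupOfNames)(cn=%g)(memberUid=%u))" -h ldap.example.com
acl InGroup external ldap_group ProxyUsers

# Form that prompts: an auth-dependent ACL is last on the line, so a request
# without credentials is challenged and the browser shows the popup.
#http_access allow InGroup

# "all hack" form: "all" is last on the line, so Squid does not challenge.
# A request that carries no credentials simply fails to match this rule.
http_access allow InGroup all

# Because the rule above is bypassed when credentials are absent, the next
# rule decides. Keep an explicit deny here so those requests are refused
# rather than picked up by a later, broader allow.
http_access deny all
```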
