Re: [squid-users] squid_ldap_auth - authentication only after 3 try
On 4/04/2013 7:35 a.m., Pavel Bychykhin wrote:
> According to the documentation, setting keep_alive to off makes Squid more stable in some circumstances.
> I'm using off for keep_alive - no problems.
>
> 03.04.2013 20:58, Alípio Luiz wrote:
>> I did a test setting the parameter keep_alive to off in auth_param negotiate. It worked...
>> A question: Is there any problem with keeping the keep_alive parameter off?

It is a hack added for IE6 and some other systems which assume HTTP/1.0 non-persistent connections and break badly when persistent connections fail to do auth handshake on the first try. It makes Squid send Connection:close along with the first NTLM auth challenge response. Once the connection is authenticated the persistent connection stuff all works normally.

The only problem with using it is that each NTLM login now requires two TCP connections, causing an increase in TCP sockets cycling through TIME_WAIT.

PS. I am about to commit a patch that fixes problems Safari was having with Squid-3.2 that may be related. If you are able to run squid-3.3 with a patch and would like to see if it resolves this issue as well I can send you a copy.

Amos
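An added example, not part of the message above or of the Squid code base: a small Python check over a captured 407 response that reports which auth schemes the proxy offers, in order, and whether the challenge closes the connection as described for keep_alive off. The function name parse_407 and both sample responses are constructed for illustration.

```python
"""Inspect a proxy 407 challenge: offered auth schemes and connection reuse."""

# Constructed sample responses (not captured from the poster's proxy).
KEEP_ALIVE_ON = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b'Proxy-Authenticate: Basic realm="Internet Authentication"\r\n'
    b"Connection: keep-alive\r\n"
    b"Content-Length: 0\r\n\r\n"
)
KEEP_ALIVE_OFF = KEEP_ALIVE_ON.replace(b"Connection: keep-alive",
                                       b"Connection: close")


def parse_407(raw: bytes) -> dict:
    """Return the schemes offered (in order) and whether the TCP
    connection stays open after this challenge."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version, status = lines[0].split(" ", 2)[:2]
    if status != "407":
        raise ValueError(f"expected a 407 response, got {status}")
    schemes, conn_tokens = [], set()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed header lines
        name, value = name.strip().lower(), value.strip()
        if name == "proxy-authenticate" and value:
            # The scheme is the first token; parameters (realm=...) follow.
            schemes.append(value.split(None, 1)[0])
        elif name in ("connection", "proxy-connection"):
            conn_tokens.update(t.strip().lower() for t in value.split(","))
    # HTTP/1.1 is persistent unless "close"; HTTP/1.0 needs "keep-alive".
    if "close" in conn_tokens:
        persistent = False
    elif version == "HTTP/1.0":
        persistent = "keep-alive" in conn_tokens
    else:
        persistent = True
    return {"schemes": schemes, "persistent": persistent}


if __name__ == "__main__":
    for label, raw in (("keep_alive on", KEEP_ALIVE_ON),
                       ("keep_alive off", KEEP_ALIVE_OFF)):
        info = parse_407(raw)
        reuse = "reused" if info["persistent"] else "closed, client reconnects"
        print(f"{label}: offers {info['schemes']}, connection {reuse}")
```
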
Re: [squid-users] squid_ldap_auth - authentication only after 3 try
I had a similar problem and solved it by running two instances of Squid. The first instance uses the negotiate_wrapper for GSSAPI and NTLM helpers. The second one uses basic and digest schemes.
As I understand it, the fact is that the browsers themselves choose what kind of scheme to use. I.e., one browser would prefer the negotiate scheme over basic. Another browser would use the scheme that is first in the list.

02.04.2013 21:39, Alípio Luiz wrote:
> I have squid configured with kerberos (squid_kerb_auth) to authenticate users against Active Directory. The SSO is working well for users logged on domain...
> For users out of domain, I configured squid_ldap_auth + squid_ldap_group. However, the authentication only works after the third try of the user...
> Is there a way to fix that? I want users to put in their credentials just one time to authenticate...
> Our OS is Windows XP and Windows 7.. both with IE9 + Firefox + Chrome
> Can you help me? Thanks in advance...
>
> Below is what I have in squid.conf (section about authentication):
>
> #
> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s HTTP/server.domain.local
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b dc=domain,dc=local -D squid@DOMAIN.LOCAL -w @mypass -f sAMAccountName=%s -h server.domain.local -d
> auth_param basic children 5
> auth_param basic realm Internet Authentication
> auth_param basic credentialsttl 2 hours
> auth_param basic keep_alive off
> external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b dc=domain,dc=local -D squid@DOMAIN.LOCAL -w @mypass -f ((objectclass=person)(sAMAccountName=%v)(memberof=$
> acl INTERNET_Perfil_Avancado external memberof INTERNET_Perfil_Avancado
> acl INTERNET_Perfil_Basico external memberof INTERNET_Perfil_Basico
> acl INTERNET_Perfil_Padrao external memberof INTERNET_Perfil_Padrao
> acl INTERNET_Perfil_Padrao_Sociais external memberof INTERNET_Perfil_Padrao_Sociais
> acl auth proxy_auth REQUIRED
> #
>
> --
> Alípio Luiz [Squidy] | Brasil - Cuiabá/MT
> Email/GTalk: alipio.luiz [arroba] gmail.com
> Skype: alipio.luiz
> Linux User #251497

--
Best regards,
Pavel
Re: [squid-users] squid_ldap_auth - authentication only after 3 try
I did a test setting the parameter keep_alive to off in auth_param negotiate. It worked...
A question: Is there any problem with keeping the keep_alive parameter off?

2013/4/3 Pavel Bychykhin bychykhin@hts.kh.ua:
> I had a similar problem and solved it by running two instances of Squid. The first instance uses the negotiate_wrapper for GSSAPI and NTLM helpers. The second one uses basic and digest schemes.
> As I understand it, the fact is that the browsers themselves choose what kind of scheme to use. I.e., one browser would prefer the negotiate scheme over basic. Another browser would use the scheme that is first in the list.
>
> 02.04.2013 21:39, Alípio Luiz wrote:
>> I have squid configured with kerberos (squid_kerb_auth) to authenticate users against Active Directory. The SSO is working well for users logged on domain...
>> For users out of domain, I configured squid_ldap_auth + squid_ldap_group. However, the authentication only works after the third try of the user...
>> Is there a way to fix that? I want users to put in their credentials just one time to authenticate...
>> Our OS is Windows XP and Windows 7.. both with IE9 + Firefox + Chrome
>> Can you help me? Thanks in advance...
>>
>> Below is what I have in squid.conf (section about authentication):
>>
>> #
>> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s HTTP/server.domain.local
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b dc=domain,dc=local -D squid@DOMAIN.LOCAL -w @mypass -f sAMAccountName=%s -h server.domain.local -d
>> auth_param basic children 5
>> auth_param basic realm Internet Authentication
>> auth_param basic credentialsttl 2 hours
>> auth_param basic keep_alive off
>> external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b dc=domain,dc=local -D squid@DOMAIN.LOCAL -w @mypass -f ((objectclass=person)(sAMAccountName=%v)(memberof=$
>> acl INTERNET_Perfil_Avancado external memberof INTERNET_Perfil_Avancado
>> acl INTERNET_Perfil_Basico external memberof INTERNET_Perfil_Basico
>> acl INTERNET_Perfil_Padrao external memberof INTERNET_Perfil_Padrao
>> acl INTERNET_Perfil_Padrao_Sociais external memberof INTERNET_Perfil_Padrao_Sociais
>> acl auth proxy_auth REQUIRED
>> #
>>
>> --
>> Alípio Luiz [Squidy] | Brasil - Cuiabá/MT
>> Email/GTalk: alipio.luiz [arroba] gmail.com
>> Skype: alipio.luiz
>> Linux User #251497
>
> --
> Best regards,
> Pavel

--
Alípio Luiz [Squidy] | Brasil - Cuiabá/MT
Email/GTalk: alipio.luiz [arroba] gmail.com
MSN: alipio.luiz [arroba] hotmail.com
Skype: alipio.luiz
Linux User #251497
Re: [squid-users] squid_ldap_auth - authentication only after 3 try
According to the documentation, setting keep_alive to off makes Squid more stable in some circumstances.
I'm using off for keep_alive - no problems.

03.04.2013 20:58, Alípio Luiz wrote:
> I did a test setting the parameter keep_alive to off in auth_param negotiate. It worked...
> A question: Is there any problem with keeping the keep_alive parameter off?

--
Best regards,
Pavel
[squid-users] squid_ldap_auth - authentication only after 3 try
I have squid configured with kerberos (squid_kerb_auth) to authenticate users against Active Directory. The SSO is working well for users logged on domain...
For users out of domain, I configured squid_ldap_auth + squid_ldap_group. However, the authentication only works after the third try of the user...
Is there a way to fix that? I want users to put in their credentials just one time to authenticate...
Our OS is Windows XP and Windows 7.. both with IE9 + Firefox + Chrome
Can you help me? Thanks in advance...

Below is what I have in squid.conf (section about authentication):

#
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s HTTP/server.domain.local
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b dc=domain,dc=local -D squid@DOMAIN.LOCAL -w @mypass -f sAMAccountName=%s -h server.domain.local -d
auth_param basic children 5
auth_param basic realm Internet Authentication
auth_param basic credentialsttl 2 hours
auth_param basic keep_alive off
external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b dc=domain,dc=local -D squid@DOMAIN.LOCAL -w @mypass -f ((objectclass=person)(sAMAccountName=%v)(memberof=$
acl INTERNET_Perfil_Avancado external memberof INTERNET_Perfil_Avancado
acl INTERNET_Perfil_Basico external memberof INTERNET_Perfil_Basico
acl INTERNET_Perfil_Padrao external memberof INTERNET_Perfil_Padrao
acl INTERNET_Perfil_Padrao_Sociais external memberof INTERNET_Perfil_Padrao_Sociais
acl auth proxy_auth REQUIRED
#

--
Alípio Luiz [Squidy] | Brasil - Cuiabá/MT
Email/GTalk: alipio.luiz [arroba] gmail.com
Skype: alipio.luiz
Linux User #251497
[squid-users] squid_ldap_auth authentication
Hi all,

I hope you can help me: I'm trying to authenticate squid users against a MS Active Directory but I am having problems. I've already tried all the statements that are in the squid_ldap_auth manual. The MS Active Directory is under the following domain: tre-pb.gov.br

I created some users directly in this domain. If anyone went through the same situation and solved the problem, please tell me why. Give me an example of your squid.conf file.