Bryan,

I was faced with a similar authentication problem in our office: Win2K Active 
Directory used to authenticate users and needing to insert an authenticating Squid 
proxy.  Here are my results:

smb_auth:
Worked.  Users had to enter a username+password every time, even though they were 
already authenticated.  Politics determined that this was unacceptable (whining 
bastards!).  If you can live with manual login on Squid this is a no-brainer to 
install.  Skill level required: 3/10.

PAM:
Never got this working properly.  Like you, PAM is a bit of black magic to me too.  I 
got the basics sorted but not enough to debug weird problems like certain users being 
able to authenticate and others failing. (??)  Skill level required: ??/10 but you 
need to know PAM.

Winbind:
Worked and this is what we have stuck with.  It passes the cached domain login 
correctly to Squid so the authentication takes place but the user never sees the login 
for the proxy.  Manglement is happy.  It's a little tricky to set up but I have some 
documentation (for FreeBSD) that will point you in the right direction if you like.  
E-mail off-list if you like.  There are some excellent guides online (google it) that 
will show you step-by-step how to compile squid and samba to work together to 
authenticate squid using winbind.  You don't need to do the whole nsswitch/pam/winbind 
thing to allow your users shell access to the squid box either :-)  Skill level 
required: 6/10 (compiling with specific options etc).

Good luck.

--James


> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] Behalf Of
> Simon Bryan
> Sent: Sunday, 23 March 2003 3:55 PM
> To: Slug
> Subject: [SLUG] Authentication question
> 
> 
> Hi all,
> I am trying to build a system for my school to restrict downloads for users
> when they exceed a certain limit. In fact that bit works, now I need to add
> some whistles and bells. We run SQUID on a RH server with DansGuardian as a
> content filter and Squidalyser running nightly to analyse the logs.
> 
> I have a php page that runs against the database created by Squidalyser from
> the Squid logs. A user can enter their username and be told what their data
> usage for the month is, however any user can enter any known username, so
> there is a privacy issue. I would like the user to have to authenticate
> themselves first and then only see their own usage.
> 
> Currently we run an NT Domain with users authenticating to the PDC, when
> they go into our Intranet (which is AUC) on a Linux (RH) server they are
> authenticated on that NT server by a PAM module (comes with the AUC
> distribution). (I still find PAM a bit of a black art).
> 
> However the proxy server is not on that server it is on another RH server.
> 
> Is it feasible that I can achieve what I want? If so can someone point me in
> the right direction? Would winbind be of any help?
> 
> _________________________________________
> Simon Bryan
> IT Manager
> OLMC Parramatta
> ICQ#: 137562751
> _________________________________________
> 
> -- 
> SLUG - Sydney Linux User's Group - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug
> 