On Tue, Apr 20, 2004 at 06:40:02PM +1000, Grant Parnell wrote:
> On Tue, 20 Apr 2004, Alexander Samad wrote:
> 
> > On Tue, Apr 20, 2004 at 12:04:02PM +1000, Broun, Bevan wrote:
> > > Well, squid is running on linux!
> > > 
> > > Currently we run squid-2.4 latest stable, but upgrading to 2.5 latest
> > > stable is an option and from my reading so far this is probably needed.
> > > 
> > > The current squid was compiled with --enable-auth-modules="SMB" and we have
> > > a file on NT domain controller to limit Internet to those in a particular
> > > NT group (who have read access to the file).
> > > 
> > > Now a request has come in to have another NT group access to a particular
> > > dstdomain - only no internet. Can anyone fast track me to the solution?
> > > I don't want to go down the path of placing the usernames into squid.conf
> > 
> > I think in the winbind package (debian, part of samba I think), there is
> > the script/interface to test whether a NT userid is part of a NT group.
> > Just do it once for the group and then manage it from within NT
> 
> Good answer.. just to the wrong question.
> 
> Haven't looked into this particular case for a while but I think the key
> here is to
> a) pass the ACL group required to the squid authentication program
> OR
> b) somehow get the group back from the squid authentication program and
> apply that to the ACL's.
> Problem is I don't think squid has a concept of a group. Hopefully I'm
> wrong.
> 
> I think most of the time we divided the web space up as follows:-
> internal-only + business sites
> internal-only + business sites + cached data
> full web access
> 
> Basically for the first 2 cases no authentication required, authentication
> only popped up when trying for something not on the business list.
> In actual fact we added one more dimension... time. IE some people allowed
> full web access but only after business hours.
> 
> One ugly way of solving it is to use 2 proxies A and B.
Strange, I have a similar setup as above but with one squid:
acl bb2k src 192.168.5.2/255.255.255.255
acl melan src 192.168.5.1/255.255.255.255
acl locallan src 192.168.5.0/255.255.255.0
acl umllan src 192.168.4.0/255.255.255.0
acl locallandst dst 192.168.5.0/255.255.255.0
acl wwwdst dst 202.154.115.130/255.255.255.255 192.168.5.1/255.255.255.255
acl dst_Bproxy dstdom_regex smh.com.au fairfax.com.au gov.au edu.au

auth_param basic program /usr/lib/squid/pam_auth -o -1
auth_param basic children 2
auth_param basic realm Squid proxy-caching web server

external_acl_type NT_global_group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl ProxyUsers external NT_global_group BProxy
acl ProxyUsersFull external NT_global_group BProxyFull
acl Authorized_User proxy_auth REQUIRED

http_access allow wwwdst
http_access allow locallandst
http_access allow Authorized_User ProxyUsersFull
http_access allow Authorized_User ProxyUsers dst_Bproxy

The key though is how you mix the http_access. So the users are allowed
access to the locallandst without authentication, and there are 2 types of
authorised users: full - access to the full internet - and ProxyUsers, but
these are limited to only a small subset.

Again maybe I have missed what is trying to be done (head cold & cold and
flu tablets).

> Proxy A allows internal-only without a password and anything not internal
> gets handed off to the cache_peer B. If you like some internal sites could
> require a password on proxy A.
> Proxy B then allows business sites without a password but requires a
> password for anything else.
> Anyway.. you can see how adding more proxies can give you the opportunity
> for different authentication strategies at the expense of maintaining it -
> hence it's ugly but you may be desperate.
> 
> -- 
> ---<GRiP>---
> Electronic Hobbyist, Former Arcadia BBS nut, Occasional nudist,
> Linux Guru, SLUG Secretary, AUUG and Linux Australia member, Sydney
> Flashmobber, BMX rider, Walker, Raver & rave music lover, Big kid that
> refuses to grow up. I'd make a good family pet, take me home today!
> Do people actually read these things?
> 
> 
signature.asc
Description: Digital signature
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
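Added example, not code from the original mail or from the squid project: a small Python model of how squid walks the http_access lines in the config posted above, so you can see which combinations of "unauthenticated", "BProxy member" and "BProxyFull member" reach which destinations. It follows squid's documented rule semantics (rules tested top to bottom, a rule matches only when every ACL on it matches, first match wins, and if nothing matches the result is the opposite of the last rule's action). Assumptions: the NT group lookup that wbinfo_group.pl would do is replaced by a constructed in-memory table, destination IPs are passed in with the request rather than resolved, and the 407 challenge squid sends when a proxy_auth ACL is evaluated without credentials is not modelled. The user names, IPs and host names are constructed sample data.

```python
"""Model of squid's http_access evaluation for the config in the mail above.

Added example, not code from the original post or from the squid project.
Modelled semantics (as squid documents them): rules are tested top to
bottom, a rule matches only when every ACL on it matches, the first
matching rule decides, and when no rule matches the result is the
opposite of the last rule's action. Simplifications (assumptions):
the NT group lookup done by wbinfo_group.pl is replaced by a constructed
in-memory table, destination IPs are supplied with the request instead
of being resolved, and the 407 challenge squid sends when a proxy_auth
ACL is hit without credentials is not modelled.
"""
import ipaddress
import re

# Constructed stand-in for the NT groups wbinfo_group.pl would query.
NT_GROUPS = {
    "BProxy": {"alice"},
    "BProxyFull": {"bob"},
}

# The acl definitions used by the posted http_access lines (type, arguments).
ACLS = {
    "locallandst": ("dst", ["192.168.5.0/255.255.255.0"]),
    "wwwdst": ("dst", ["202.154.115.130/255.255.255.255",
                       "192.168.5.1/255.255.255.255"]),
    "dst_Bproxy": ("dstdom_regex", ["smh.com.au", "fairfax.com.au",
                                    "gov.au", "edu.au"]),
    "ProxyUsers": ("external", ["BProxy"]),
    "ProxyUsersFull": ("external", ["BProxyFull"]),
    "Authorized_User": ("proxy_auth", ["REQUIRED"]),
}

# The http_access lines, in the order they appear in the posted config.
HTTP_ACCESS = [
    ("allow", ["wwwdst"]),
    ("allow", ["locallandst"]),
    ("allow", ["Authorized_User", "ProxyUsersFull"]),
    ("allow", ["Authorized_User", "ProxyUsers", "dst_Bproxy"]),
]


def acl_matches(name, req):
    """Return True if the named ACL matches the request dict."""
    kind, args = ACLS[name]
    if kind == "dst":
        ip = ipaddress.ip_address(req["dst_ip"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "dstdom_regex":
        # squid applies these as unanchored regexes against the host name
        return any(re.search(p, req["dst_host"]) for p in args)
    if kind == "proxy_auth":
        return req.get("user") is not None
    if kind == "external":
        user = req.get("user")
        return user is not None and any(
            user in NT_GROUPS.get(g, set()) for g in args)
    raise ValueError(f"unsupported acl type: {kind}")


def http_access(req):
    """Evaluate the rules; return (decision, which rule or default decided)."""
    for action, names in HTTP_ACCESS:
        if all(acl_matches(n, req) for n in names):
            return action, "http_access %s %s" % (action, " ".join(names))
    last_action = HTTP_ACCESS[-1][0]
    implicit = "deny" if last_action == "allow" else "allow"
    return implicit, "implicit default (opposite of last rule)"


if __name__ == "__main__":
    # Constructed sample requests: (description, request)
    samples = [
        ("anon -> local server", dict(src="192.168.5.20", dst_ip="192.168.5.7",
                                      dst_host="intranet.local")),
        ("alice -> smh.com.au", dict(src="192.168.5.20", dst_ip="203.0.113.5",
                                     dst_host="www.smh.com.au", user="alice")),
        ("alice -> example.com", dict(src="192.168.5.20", dst_ip="203.0.113.6",
                                      dst_host="www.example.com", user="alice")),
        ("bob -> example.com", dict(src="192.168.5.20", dst_ip="203.0.113.6",
                                    dst_host="www.example.com", user="bob")),
        ("anon -> example.com", dict(src="192.168.5.20", dst_ip="203.0.113.6",
                                     dst_host="www.example.com")),
    ]
    for label, req in samples:
        print(f"{label:22s} -> {http_access(req)}")
```

Running it shows the split the mail describes: anyone on the LAN reaches local destinations without a password, a BProxyFull member reaches anything, and a BProxy member only reaches hosts matching dst_Bproxy. Everything else falls through to the implicit default, which is "deny" only because the last line happens to be an allow; an explicit "http_access deny all" as the final line makes that intent visible and keeps it from silently changing if a rule is appended later. Note also that dstdom_regex patterns are unanchored regexes, so "gov.au" also matches a host name such as "notgov.au"; anchoring the patterns (or using dstdomain with ".gov.au") tightens that.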
