Piece of cake ;-)

If your domain is an AD domain then I would recommend ditching msntauth and going for LDAP instead, or if you prefer using Windows NT domain technology, to use winbind integration via Samba (see the Squid FAQ for details).

Squid-2.5 has well evolved support for group based ACL controls using various types of backend user databases such as Windows NT Domain, LDAP (including MSAD and most more/less standard LDAP directories) and many others with simple scripting.

For instructions on how to set up Samba/winbind for Squid see the Squid FAQ.

For instructions on how to set up LDAP authentication see the LDAP authentication and group tools shipped with current Squid-2.5 nightly snapshots (what will become 2.5.STABLE2 in a not too distant future). There are also several posts in the squid-users archives for the last few months discussing the same topic.

If using LDAP then I strongly recommend experimenting a little with ldapsearch to get familiar with the LDAP structure of MS AD before looking into the details of how to configure the Squid LDAP authentication/group integration. The Squid LDAP tools are generic LDAP tools and some of the parameters to these can only be understood if there is some understanding of the MS ActiveDirectory LDAP structure.

Regards
Henrik

Scott Wrosch wrote:

> What we have is a proxy that is set up to authenticate to the Windows
> 2000 domain using msntauth. That works fabulously.
>
> What my original plan to do was to set it up so that the domains that
> the customer service people need access to, they could get to it
> unrestricted. Then, they would have to be authenticated in order to
> access anything beyond that. And, using msntauth, they wouldn't be
> allowed to.
>
> However, I have had a monkey wrench thrown into those plans, which would
> have been simple and worked well. What now needs to be done is each
> user needs to be put into specific groups. Those specific groups then
> have varying access needs to specific sites. This could then entail
> multiple users being in multiple groups. It's a huge monkey wrench
> because we have 30+ customer service people, most of them would be
> required to be in different groups.
>
> Now, with that being said, I know ACLs would definitely be involved.
> But, what I'm wondering is if there is any simple way to do this. I
> live by KISS (Keep It Simple, Stupid), and to me, things just got
> extraordinarily un-simple. So, I'm looking for any hints, tips,
> suggestions, advice, etc etc etc...
>
> This isn't something that I'm particularly thrilled about, but I don't
> make the decisions. I've been going through the squid.conf file trying
> to figure out possible ways of doing this, but nothing is just coming
> out, slapping me in the face, and saying this is the way to do it!
>
> Thanks in advance for any assistance anyone can offer!
>
> Regards,
>
> Scott Wrosch
> desk 248.333.7700 x227
> email [EMAIL PROTECTED]
>
> "Our greatest glory is not in never falling
> but in rising every time we fall." -- Confucius
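
An added example, not part of the original thread or of Squid itself, of the "simple scripting" route mentioned in the reply: a helper for Squid's external_acl_type that answers OK or ERR for each user/group lookup, with users allowed to belong to several groups. The group table, helper path and ACL names are constructed, and the quoting of fields with " and \ is assumed to follow the Squid-2.5 helper format.

```python
#!/usr/bin/env python3
# Added example: a group-lookup helper for Squid's external_acl_type.
# Hypothetical squid.conf wiring (names and path are assumptions):
#   external_acl_type cs_group %LOGIN /usr/local/bin/cs_group.py
#   acl billing_staff external cs_group billing
#   acl billing_sites dstdomain .billing.example.com
#   http_access allow billing_staff billing_sites
import shlex
import sys

# Constructed sample data (user -> groups). A real helper would query
# LDAP or winbind here instead of a dict.
GROUPS = {
    "alice": {"billing", "shipping"},
    "bob": {"shipping"},
    "carol ann": {"billing"},
    "corp\\dave": {"returns"},
}


def parse_fields(line):
    # Assumption: fields arrive quoted Squid-2.5 style (double quotes
    # around values with spaces, backslash as the escape character).
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.quotes = '"'      # only double quotes delimit a field
    lex.commenters = ""   # '#' is ordinary data, not a comment
    return list(lex)


def check(line, groups=GROUPS):
    """Return "OK" if the user is in any requested group, else "ERR"."""
    try:
        fields = parse_fields(line)
    except ValueError:    # unbalanced quote or dangling backslash
        return "ERR"      # fail closed on anything malformed
    if len(fields) < 2:   # need a user and at least one group
        return "ERR"
    user, wanted = fields[0].lower(), fields[1:]
    return "OK" if groups.get(user, set()) & set(wanted) else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(check(line) + "\n")
        sys.stdout.flush()  # Squid reads one reply per request line


if __name__ == "__main__":
    main()
```

Usernames are lowercased before lookup on the assumption that the directory treats logins case-insensitively; group names are matched exactly.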
