Hello Tim,
Your squid.conf is missing a definition.
From the default squid.conf file's comments:
# === Parameters for the basic scheme follow. ===
# # "program" cmdline
# Specify the command for the external authenticator. Such a program
# reads a line containing "username password" and replies "OK" or
# "ERR" in an endless loop.
#
# By default, the basic authentication sheme is not used unless a
# program is specified.
#
# If you want to use the traditional proxy authentication, jump over to
# the helpers/basic_auth/NCSA directory and type:
# % make
# % make install
#
# Then, set this line to something like
#
# auth_param basic program c:/squid/libexec/ncsa_auth c:/squid/etc/passwd
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
You need a definition like this -----| before these definitions in your file:
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
I use LDAP authentication, so I have a set of lines like:
# ---------------------------------------------------------------------------------------------------------------------------------------
auth_param basic program <path-to-program>/squid_ldap_auth.exe -h <ldap-server-dns-name> -p <ldap-port> -P -b <base-OU> -f "uid=%s"
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minute
# ---------------------------------------------------------------------------------------------------------------------------------------
Replace the <value> in my configuration fragment with real values for your system.
Note, I am running instances of Squid 2.5Build5 on both a Linux (RH9) and Windows 2000 sp4. LDAP server is a SunONE Directory server 5.2.
Hope this helps some.
Tim
-----------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer
Komatsu Canada Limited        Ph#: 905-625-6292 x265
1725B Sismet Road             Fax: 905-625-6348
Mississauga, Canada           E-Mail: [EMAIL PROTECTED]
L4W 1P9
-----------------------------------------------------------
Tim Donahue wrote:
I have been asked by the owner of my company to set up a proxy that restricts employees' internet access to approved websites only because of people that have been abusing their access to the internet. It would be nice if we could use group membership to limit their access, so I started off by attempting to use winbind, however I could not get winbind to list either our groups or our users so I broke down and grabbed SquidNT instead.
I have gotten SquidNT running without any acl's that use authorization, but now I am starting to try and get the acl's to work, and I'm running into a syntax error I can't seem to isolate. I am getting the following errors (sorry for the line wrapping, I hope it doesn't get too mangled):
2004/08/27 15:10:00| aclParseAclLine: IGNORING: Proxy Auth ACL 'acl password proxy_auth REQUIRED' because no authentication schemes are fully configured.
2004/08/27 15:10:00| aclParseAclLine: IGNORING invalid ACL: acl password proxy_auth REQUIRED
2004/08/27 15:10:00| squid.conf line 1838: http_access allow password InetFullAccess
2004/08/27 15:10:00| aclParseAccessLine: ACL name 'password' not found.
My squid.conf, with all the comments stripped out to reduce the size of the file, is pasted in below. If anyone has any ideas how to get this error fixed, it would be greatly appreciated.
Tim Donahue
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 256 MB
cache_dir ufs c:/squid/var/cache 1000 16 256
cache_access_log c:/squid/var/log/access.log
cache_log c:/squid/var/log/cache.log
cache_store_log c:/squid/var/log/store.log
emulate_httpd_log on
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G -c
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl InetFullAccess external NT_global_group InetFullAccess
acl win32 proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access allow win32 InetFullAccess
http_access allow manager localhost
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access deny all
cache_mgr [EMAIL PROTECTED]
visible_hostname pm.haynes-group.com
logfile_rotate 30
coredump_dir c:/squid/var/cache
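
The failure discussed in this thread, as an added example that is not part of either message or of Squid itself: a small Python check that walks squid.conf directives in file order and flags proxy_auth ACLs defined before any "auth_param <scheme> program" line, together with the http_access rules that depend on them. The function name and the sample text are constructed for illustration, and the check assumes Squid decides whether to keep a proxy_auth ACL at the moment it parses the acl line, as the log above indicates.

```python
# Constructed sample: the authentication-related lines of the squid.conf quoted above.
SAMPLE_CONF = """\
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G -c
acl InetFullAccess external NT_global_group InetFullAccess
acl win32 proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
http_access allow win32 InetFullAccess
http_access deny all
"""

def check_auth_config(conf_text):
    """Return (line_number, message) findings, reading directives in file order."""
    configured = set()  # schemes that have an 'auth_param <scheme> program ...' line
    ignored = set()     # proxy_auth ACLs defined before any scheme was configured
    defined = set()     # ACL names Squid would keep
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "auth_param" and len(tok) >= 4 and tok[2] == "program":
            configured.add(tok[1])
        elif tok[0] == "acl" and len(tok) >= 3:
            name, acl_type = tok[1], tok[2]
            if acl_type == "proxy_auth" and not configured:
                ignored.add(name)
                findings.append((lineno, f"acl '{name}' ignored: no auth program configured yet"))
            else:
                defined.add(name)
        elif tok[0] == "http_access" and len(tok) >= 3:
            for ref in (t.lstrip("!") for t in tok[2:]):
                if ref in ignored:
                    findings.append((lineno, f"http_access uses ignored acl '{ref}'"))
                elif ref not in defined:
                    findings.append((lineno, f"http_access uses undefined acl '{ref}'"))
    return findings

# The fix from the reply, using the helper and password-file paths from the squid.conf comment.
FIXED_CONF = "auth_param basic program c:/squid/libexec/ncsa_auth c:/squid/etc/passwd\n" + SAMPLE_CONF

if __name__ == "__main__":
    for lineno, msg in check_auth_config(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
    print("after fix:", check_auth_config(FIXED_CONF))
```

Because an ignored ACL also breaks every http_access rule that names it, the intended allow rule never loads and requests fall through to the later deny rules.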
