On Thu, 18 Nov 2004, Rolf wrote:
Firstly, in the external_acl_type directive, -h hostname defines the Active Directory server to query. Can I specify for redundancy purposes more than one hostname?
Yes.
Secondly, I am about to deploy a second squid box for redundancy purposes. How, if at all, is the proxy authentication kept in sync between the two?
It doesn't need to.
If the browser has a config that says try proxyA then proxyB, so it contacts proxyA and does the auth, then proxyA disappears, does the browser have to re-authenticate with proxyB at the next HTTP request, or can the auth data be made available on proxyB?
This depends on how you load balance between the proxies. For authentication to work, the browser must have a single DNS name for all the proxies, and any load balancing must take place outside of the browser (either DNS round-robin, or a layer 4 load balancer in front of the proxies).
If you use proxy.pac scripts with different proxy host names then the user will be asked to authenticate again when switched to another proxy.
Lastly (not strictly a squid question), so far we have around 25 users using proxy auth, largely as a testing set; eventual production will deal with about 1500 users. Of those 25, one Active Directory user does not work. Clearly this is an issue within AD for that userid. Has anyone seen, or does anyone know of, any particular quirks in AD userids that stop it working?
The only quirk I know of is if the user is using national characters outside of US-ASCII in his login or password. This never works reliably, due to the HTTP protocol being restricted to US-ASCII.
The credentials (user/pass) are accepted (i.e. they are not prompted for again, as in the case of being incorrect), but it won't accept that the user has access by dint of being in the relevant group, even though they certainly are.
Then it is time to look into what your AD says via LDAP about this user's group membership.
The ldap group helper can easily be tested from the command line, and if using the -d flag then it is relatively verbose about what kind of LDAP questions it makes. The helper expects username SPACE groupname NEWLINE as input, and responds with OK/ERR.
Regards,
Henrik
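The helper protocol Henrik describes (one "username SPACE groupname NEWLINE" request per line, answered with OK or ERR) is easy to exercise from the command line. The script below is an added example, not Henrik's code and not Squid's own ldap group helper: it is a stand-in that speaks the same line protocol but resolves group membership against a constructed in-memory fake of two AD domain controllers, so it runs offline. The hostnames, user names, group names, the "sAMAccountName" search shown in debug output, and the idea that the first listed server is down (to show failover across several -h hosts, the redundancy case asked about above) are all assumptions made for the example. It fails closed: a malformed line or an unreachable directory yields ERR, never OK.

```python
"""Stand-in for a Squid external ACL group helper (constructed example).

Protocol (as described in the post): read "username SPACE groupname NEWLINE"
on stdin, answer "OK" if the user is in the group, otherwise "ERR".
Directory lookups go to FAKE_AD below instead of a real LDAP server.
"""
import sys

# Constructed stand-in for two AD domain controllers (assumed names).
# hostname -> {user: set(groups)}, or None to simulate an unreachable server.
FAKE_AD = {
    "dc1.example.local": None,          # down: forces failover to the next host
    "dc2.example.local": {
        "rolf": {"proxy-users", "domain-users"},
        "alice": {"domain-users"},
    },
}


class ServerDown(Exception):
    """Raised when none of the configured directory servers answered."""


def lookup_groups(hosts, user, directory=FAKE_AD, debug=False):
    """Return the set of groups for `user`, trying `hosts` in order.

    A server that is down is skipped, which is the failover behaviour one
    wants from listing several -h hosts. Users not found get an empty set.
    """
    for host in hosts:
        data = directory.get(host)
        if data is None:
            if debug:
                print(f"helper: {host}: connection failed, trying next host",
                      file=sys.stderr)
            continue
        if debug:
            # The filter shown is an assumption about what a real helper asks.
            print(f"helper: {host}: search (sAMAccountName={user})",
                  file=sys.stderr)
        return data.get(user, set())
    raise ServerDown("no directory server reachable")


def check_line(line, hosts, directory=FAKE_AD, debug=False):
    """Answer one request line with exactly 'OK' or 'ERR'."""
    parts = line.rstrip("\n").split(" ")
    if len(parts) != 2 or not all(parts):
        return "ERR"                    # malformed request: never grant access
    user, group = parts
    try:
        # AD logins are case-insensitive; the fake directory is keyed lowercase.
        groups = lookup_groups(hosts, user.lower(), directory, debug)
    except ServerDown:
        return "ERR"                    # fail closed when no server answers
    return "OK" if group in groups else "ERR"


def main(argv):
    """Minimal CLI mirroring only the -h (repeatable) and -d flags named in the post."""
    hosts, debug = [], False
    args = iter(argv[1:])
    for arg in args:
        if arg == "-h":
            hosts.append(next(args, ""))
        elif arg == "-d":
            debug = True
    hosts = hosts or list(FAKE_AD)
    for line in sys.stdin:
        print(check_line(line, hosts, debug=debug), flush=True)


if __name__ == "__main__":
    main(sys.argv)
```

Run it the way one would test the real helper, e.g. `printf 'rolf proxy-users\n' | python3 fake_group_helper.py -d -h dc1.example.local -h dc2.example.local`; the -d output on stderr shows the failover from the dead first host and the membership query, while stdout carries only the OK/ERR answer Squid would read. Swapping FAKE_AD for real LDAP queries is the only change a production helper needs in this structure.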
