> 1) you mention having questions but don't ask any.
--> Well, one of them is..I have read that using LDAP lookup..When attempting
to visit a blocked site, squid will challenge the authentication. Is this true?
We're trying to keep this as transparent as possible.
Will squid have any problems performing LDAP against a mail server? I
have the mail server also set up as an LDAP server (it's an exchange2003 box),
so, so long as I direct the requests under port 389 there shouldn't be a
problem correct?
Next question would be..Is there a better method to use than LDAP? NTLM
possibly?
2) logging of authenticated username (LDAP) and logging of identity
name (IDENT) are two separate things sometimes in Squid. Check the log
format is showing what you want.
---> I do have the log format set to record successfully the IDENT lookup. As
you can see from the log..It does sometimes work and sometimes does not. I can
include a much larger log file if anyone has the time to look it over. I do,
but I can't discern any patterns..
3) Ident is a rarely used (due to being insecure) method of
identification. The re-write of auth for Squid-3 left a few problems in
the way it works. Many of which are being resolved so recently the
patches have not yet made it to 3.0 and some still waiting testing in
bugzilla. If you need this kind of fix, please test the latest snapshots
then check bugzilla for any remaining issues.
----> Again..I don't mind getting away from IDENT..It is a pain in the ass to
get installed on all the client machines..But when I was first learning about
squid, this is the path that was easiest for me (I had to learn linux first,
then squid, then squint for reports, then IDENT for username logging..All in
about a week).. So I just kind of stuck with it.
We have until May 4th til this needs to go live. We, as you can see, are
currently running and logging now so we can make sure the loads are all ok. So,
any help before then would be awesome!!
Thanks again guys!!
Thanks
Dustin
Dustin Hane wrote:
> Hello all!
>
> I'm trying to get around having to do the LDAP or NTLM authentication
> schemas. It may be a lot easier, but I'm just not exactly sure how..So what I
> have done is this..
> I pushed out via a GPO a script that will report the username to a text file.
> I then use windows IDent server (installed on all local boxes) to listen for
> when Squid makes an RFC 931 lookup request. The service responds with the
> username from the text file.
> Using Squid 3Stable7 on Unix..Exporting logs in default squid format..
> I wouldn't have a problem using an LDAP server as I do have it set up..I just
> don't understand it and for some reason I can't wrap my head around the wiki
> for it and I have a few questions that aren't listed there..If someone has a
> few minutes that I could email my test config for it to, I would be eternally
> grateful! I just don't want to bog down the maillist with my stupidity.
> Works absolutely awesome 94% of the time..But occasionally I get the
> following. (usernames have been retracted for obvious reasons)
>
>
> A few things crop into my head reading your post:
>
> 1) you mention having questions but don't ask any.
2) logging of authenticated username (LDAP) and logging of identity
name (IDENT) are two separate things sometimes in Squid. Check the log
format is showing what you want.
3) Ident is a rarely used (due to being insecure) method of
identification. The re-write of auth for Squid-3 left a few problems in
the way it works. Many of which are being resolved so recently the
patches have not yet made it to 3.0 and some still waiting testing in
bugzilla. If you need this kind of fix, please test the latest snapshots
then check bugzilla for any remaining issues.
Amos
> ---Begin Logs---
> 1240514814.201 289 icm1512.postalproducts.com TCP_MISS/200 2347 GET
> http://www.bassind.com/images/bg_03.gif username DIRECT/65.198.197.121
> image/gif
> 1240514814.578 404 icm1512.postalproducts.com TCP_MISS/200 544 GET
> http://www.bassind.com/images/top_nav_bg.gif - DIRECT/65.198.197.121 image/gif
> 1240514814.613 1106 icm1512.postalproducts.com TCP_MISS/404 1561 GET
> http://www.bassind.com/images/main_top.gif - DIRECT/65.198.197.121 text/html
> 1240514814.673 417 icm1512.postalproducts.com TCP_MISS/200 3994 GET
> http://www.bassind.com/prodimg/hometheatrehp.jpg username
> DIRECT/65.198.197.121 image/jpeg
>
> 1240514824.037 356 icm1512.postalproducts.com TCP_MISS/404 1561 GET
> http://www.bassind.com/favicon.ico username DIRECT/65.198.197.121 text/html
> 1240514829.944 0 icm1338.postalproducts.com TCP_IMS_HIT/304 375 GET
> http://vendornet.americanhotel.com/colors/styles.css username NONE/- text/css
> 1240514829.946 0 icm1338.postalproducts.com TCP_IMS_HIT/304 391 GET
> http://vendornet.americanhotel.com/inc/main.js - NONE/-
> application/x-javascript
> 1240514829.969 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/colors/topB.gif username NONE/- image/gif
> 1240514830.000 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/Logo/AHLogo.gif - NONE/- image/gif
> 1240514830.004 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/colors/liteteal1x1.gif username NONE/-
> image/gif
> 1240514830.009 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/colors/exit.gif - NONE/- image/gif
> 1240514830.011 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/colors/topA.gif username NONE/- image/gif
> 1240514830.015 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/colors/leftReduce.gif - NONE/- image/gif
> 1240514830.021 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/colors/leftExpand.gif username NONE/-
> image/gif
> 1240514830.025 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/Colors/liteteal1x1.gif - NONE/- image/gif
> 1240514830.029 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/colors/arrow.gif username NONE/- image/gif
> 1240514830.034 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/colors/leftDiv.gif - NONE/- image/gif
> 1240514830.040 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/colors/arrowbl.gif username NONE/-
> image/gif
> 1240514830.049 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/colors/tealleft.gif - NONE/- image/gif
> 1240514830.050 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/colors/leftSpace.gif username NONE/-
> image/gif
> 1240514830.070 327 icm1338.postalproducts.com TCP_MISS/200 23941 POST
> http://vendornet.americanhotel.com/Index.asp jurgitad DIRECT/72.35.92.212
> text/html
> 1240514830.080 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/images/powered.gif - NONE/- image/gif
> 1240514830.083 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/colors/teal1x1.gif username NONE/-
> image/gif
> 1240514830.093 0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET
> http://vendornet.americanhotel.com/colors/recapright.gif username NONE/-
> image/gif
> 1240514832.457 107 icm1512.postalproducts.com TCP_MISS/200 1903 GET
> http://www.freightquote.com/images/qb_nav_account_on.gif username
> DIRECT/207.218.147.11 image/gif
> ---END LOGS----
>
> Dustin Hane
> IT Support
> Ph: 414-290-1128
> Fx: 414-290-1515
> 500 W Oklahoma Ave
> Milwaukee, WI 53207
> [email protected]
>
>
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
Current Beta Squid 3.1.0.7
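
An added example, not part of the thread or of Squid itself: one way to look for a pattern in the intermittent "-" ident entries is to tally, per client and per result code, how many native-format access.log lines were logged without an ident name. The sample lines, hostnames, user names and function names below are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in Squid's native access.log layout (not from the thread):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE = """\
1240514814.201 289 pc1.example.test TCP_MISS/200 2347 GET http://a.example.test/bg.gif alice DIRECT/192.0.2.10 image/gif
1240514814.578 404 pc1.example.test TCP_MISS/200 544 GET http://a.example.test/nav.gif - DIRECT/192.0.2.10 image/gif
1240514829.944 0 pc2.example.test TCP_IMS_HIT/304 375 GET http://b.example.test/s.css bob NONE/- text/css
1240514829.946 0 pc2.example.test TCP_IMS_HIT/304 391 GET http://b.example.test/m.js - NONE/- application/x-javascript
1240514829.969 0 pc2.example.test TCP_IMS_HIT/304 376 GET http://b.example.test/t.gif - NONE/- image/gif
this line is truncated
"""

def parse(line):
    """Return a dict for one native-format line, or None if malformed."""
    f = line.split()
    if len(f) != 10 or "/" not in f[3]:
        return None
    try:
        ts, elapsed = float(f[0]), int(f[1])
    except ValueError:
        return None
    return {"ts": ts, "elapsed": elapsed, "client": f[2],
            "result": f[3].split("/")[0], "ident": f[7]}

def ident_gaps(text):
    """Tally total and ident-less requests per client and per result code."""
    by_client = defaultdict(Counter)
    by_result = defaultdict(Counter)
    skipped = 0
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            skipped += 1  # wrapped or truncated line, e.g. from a mail client
            continue
        missing = rec["ident"] == "-"
        for table, key in ((by_client, rec["client"]), (by_result, rec["result"])):
            table[key]["total"] += 1
            table[key]["missing"] += missing
    return by_client, by_result, skipped

if __name__ == "__main__":
    clients, results, skipped = ident_gaps(SAMPLE)
    for name, table in (("client", clients), ("result", results)):
        for key, c in sorted(table.items()):
            print(f"{name} {key}: {c['missing']}/{c['total']} without ident")
    print(f"skipped {skipped} malformed line(s)")
```

Run against the real log, a gap rate concentrated on a few clients points at the ident service on those machines, while a rate spread evenly across clients and result codes points at the proxy side.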