Re: [squid-users] Why need this for get "auth-sync" between squid and dansguardian?

From: Fran Márquez <fjmarquez.ext_at_chguadalquivir.es>
Date: Mon, 04 Apr 2011 10:51:25 +0200

On 03/04/2011 9:22, Amos Jeffries wrote:
> On 02/04/11 01:12, Fran Márquez wrote:
>> I'm modifying the squid.conf file of my proxy server to replace "basic
>> auth" with "ntlm auth".
>
> Please consider going straight to Negotiate/Kerberos. NTLM is
> officially deprecated and should be avoided where possible.

I can't get Negotiate implemented. All my attempts have failed. I will try
again before starting to use NTLM in the production environment...

>
>>
>> Everything works fine in Squid, but when I use DansGuardian, I've noticed that
>> DansGuardian doesn't get the username if I remove these lines from
>> squid.conf:
>>
>>
>> ------------------------------------------------
>> external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=domain" -D "cn=proxy,cn=proxy,dc=domain" -w "proxy" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=proxy,dc=domain))" -h 1.1.1.1
>>
>> acl ldapLimited external ldap_group notAlowed
>> acl ldapTotal external ldap_group alowed
>>
>> http_access allow ldapTotal all
>> ------------------------------------------------
>>
>> Note: 1.1.1.1 is the DC IP address
>>
>>
>> I thought that these lines affected only basic authentication, since they
>> were already written before I started to implement the NTLM auth.
>>
>> Can anybody explain to me what these lines are doing exactly? I reviewed the
>> LDAP groups referred to in these lines (ldapLimited and ldapTotal) and they
>> are empty.
>
> What those lines do:
> external_acl_type using "%LOGIN" require authentication credentials
> in order to be tested. These details are required regardless of the
> result.
>
> So whenever Squid reaches that ACL and tries to test it, it will either
> use the credentials given or challenge the browser to present some.
>
> The type of authentication does not matter to Squid when testing the
> ACLs. Whatever types you have in your auth_param setup will be used
> and sent.
>

Well, then this can be considered a valid and correct method for DansGuardian
to get the auth info, right?

>
> I think the problem is likely that DG does not support NTLM. Or that
> your Squid version does not allow one of the many prerequisites needed
> to get (stateful!) NTLM to work over (stateless) HTTP.
> These requirements are:
> * pinning client and server connection together for the duration of
> *either* TCP link.
> * HTTP/1.1-style persistent server connections
> * HTTP/1.1-style persistent client connections
>

DansGuardian includes a plugin called auth-ntlm, which is supposed to
provide NTLM support, but it doesn't work well for me, so the only method
I found is to use the mentioned ACL.

Regarding the requirements... I don't think that this was the cause, since
Squid and DansGuardian are on the same machine and I'm using recent
versions of both:

Squid version:

Squid Cache: Version 3.0.STABLE25
configure options: '--build=i386-redhat-linux-gnu'
'--host=i386-redhat-linux-gnu' '--target=i386-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--includedir=/usr/include' '--libdir=/usr/lib'
'--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
'--localstatedir=/var' '--datadir=/usr/share' '--sysconfdir=/etc/squid'
'--disable-dependency-tracking' '--enable-arp-acl'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-digest-auth-helpers=password'
'--enable-epoll'
'--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
'--enable-icap-client' '--enable-ident-lookups' '--with-large-files'
'--enable-linux-netfilter' '--enable-ntlm-auth-helpers=SMB,fakeauth'
'--enable-referer-log' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,null,ufs'
'--enable-useragent-log' '--enable-wccpv2' '--with-aio'
'--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl'
'--with-openssl=/usr/kerberos' '--with-pthreads'
'build_alias=i386-redhat-linux-gnu' 'host_alias=i386-redhat-linux-gnu'
'target_alias=i386-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables' 'CXXFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables' 'FFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables'

Dansguardian version: dansguardian-2.10.1.1

> Amos

Thank you very much, F.J
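To make concrete what the quoted external_acl_type line does, here is an added example (not code from the squid-users thread, from Squid or from DansGuardian): a minimal external ACL helper in Python that speaks the same stdin/stdout protocol as squid_ldap_group. Squid writes one request line per lookup, "<user> <group> [<group>...]" for a %LOGIN helper called with group arguments, and reads back "OK" or "ERR". The real helper queries LDAP with the -f filter from the thread; this script substitutes the same %v/%a template but answers from a constructed in-memory directory so it runs offline. It assumes Squid's default URL-escaping of request fields, and the group and user names are constructed sample values. The filter escaping follows RFC 4515, which is the check a custom helper must not skip: a login name containing "*" or ")" must never be able to widen the search filter.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper modelled on squid_ldap_group.

Added example for the thread above; not Squid's or DansGuardian's own code.
Protocol (external_acl_type, concurrency 0): one request per line on stdin,
one "OK"/"ERR" reply per line on stdout, flushed after every reply.
"""
import sys
from urllib.parse import unquote

# Filter template copied from the thread's -f argument. squid_ldap_group
# replaces %v with the login name and %a with the group named on the acl line.
FILTER_TEMPLATE = ("(&(objectclass=person)(sAMAccountName=%v)"
                   "(memberof=cn=%a,ou=proxy,dc=domain))")

# Constructed sample directory standing in for the LDAP server: group -> members.
DIRECTORY = {
    "alowed": {"alice", "bob"},
    "notAlowed": {"mallory"},
}


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(user: str, group: str) -> str:
    """Substitute %v and %a into the template with escaped values."""
    return (FILTER_TEMPLATE.replace("%v", ldap_escape(user))
                           .replace("%a", ldap_escape(group)))


def is_member(user: str, group: str) -> bool:
    """Offline stand-in for the LDAP search: does the filter match anyone?"""
    return user in DIRECTORY.get(group, set())


def handle_request(line: str) -> str:
    """Turn one helper request line into the reply Squid expects.

    Squid URL-escapes each field (assumption: default quoting), so fields are
    unquoted before use. With several groups on the acl line the helper
    answers OK if the user is in any of them, as squid_ldap_group does.
    """
    fields = [unquote(f) for f in line.strip().split()]
    if len(fields) < 2:
        # Squid treats a malformed reply as a helper error; say why in message=
        return 'ERR message="malformed request"'
    user, groups = fields[0], fields[1:]
    for group in groups:
        # The filter is built even though the lookup is local, so the escaping
        # path is exercised exactly as a real LDAP-backed helper would use it.
        build_filter(user, group)
        if is_member(user, group):
            return "OK"
    return "ERR"


def main() -> None:
    # Helpers must flush every reply; Squid waits for the line and would hang.
    for line in sys.stdin:
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it the way Squid would, by piping request lines in: `printf 'alice alowed\nmallory alowed\n' | python3 helper.py` prints OK then ERR. The point Amos makes still holds for this helper: Squid only has a value for %LOGIN once the client has authenticated, so any http_access rule that tests an ACL backed by this helper forces the challenge, whichever auth_param scheme is configured.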
Received on Mon Apr 04 2011 - 08:51:53 MDT

This archive was generated by hypermail 2.2.0 : Mon Apr 04 2011 - 12:00:01 MDT