Hi,
I'm having fun trying to get the browser popup dialog box to enter
authentication details; perhaps someone could explain how the
squid/browser interaction works for denies: when is it a page, when a
dialog?
Details: Squid is setup to:
1) Allow access from certain IPs with no authentication
2) Authenticate from active directory (using kerberos, with ntlm fallback)
3) And finally ldap.
1) works fine, as does 2) from Windows machine in the domain
(kerberos/NTLM does its job).
The ldap mechanism on its own also works fine.
3) When (windows) machines not in the domain connect, they are *not*
prompted for (LDAP) credentials, "Cache Access Denied" page appears.
(This happens in all browsers)
But squid is sending headers to tell the browser to authenticate:
HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.HEAD-20120814-r12282
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Basic realm="Proxy LDAP - Enter credentials"
The browser replies with NTLM:
Proxy-Authorization: Negotiate
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
2012/10/09 10:20:20| negotiate_wrapper: received type 1 NTLM token
And squid is unhappy:
HTTP/1.1 407 Proxy Authentication Required
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Presumably the browser first tries with the local Windows logon
credentials, but then it should pop up a dialog and request
user/password? Hmm, maybe the problem is squid not sending
"Proxy-Authenticate:" in the second reply?
Summary of squid.conf:
auth_param negotiate program
/usr/local/squid/libexec/negotiate_wrapper_auth ............
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth ..........
external_acl_type memberof %LOGIN
/usr/local/squid/libexec/ext_ldap_group_acl ..........
acl ldapgroups external memberof "/etc/squid/ldapgroups.txt" ....
acl our_networks src "/etc/squid/our_networks.list"
http_access allow our_networks
http_access deny !ldapgroups (also tried "http_access allow
ldapgroups" and "http_access deny !ldapgroups all")
http_access allow localhost
http_access deny all
I did find one related thread:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-LDAP-re-challenges-browser-on-http-access-deny-td1041726.html
but there the focus was on _not_ having a popup :-)
Also read http://www.squid-cache.org/Doc/config/http_access/
After reading http://wiki.squid-cache.org/Features/Authentication, also tried
http_access deny !ldapgroups all
http_access allow all
And tried just authentication with no authorisation:
acl mustlogin proxy_auth REQUIRED
http_access deny !mustlogin
http_access allow localnetworks
http_access deny all
In all cases, the browser does not want to popup an auth dialog :-(
Thanks in advance,
Sean Boran
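An added check, not part of Sean's post or of Squid: it parses the two 407 replies and the browser's Negotiate token quoted above and reports what each side offered, following the post's own hypothesis that the re-challenge is the reply the browser would need a Basic challenge in to show a dialog. The HTTP text is reconstructed from the quoted headers with CRLF line ends added; nothing else is assumed.

```python
import base64
import struct

# The two 407 replies and the browser's token from the post, as raw HTTP text.
FIRST_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Server: squid/3.HEAD-20120814-r12282\r\n"
    "X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    'Proxy-Authenticate: Basic realm="Proxy LDAP - Enter credentials"\r\n\r\n'
)
SECOND_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n\r\n"
)
BROWSER_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="


def offered_schemes(raw_response):
    """Auth schemes a 407 offers, in header order (one per Proxy-Authenticate)."""
    header_block = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in header_block.split("\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.strip().split(None, 1)[0])
    return schemes


def negotiate_token_kind(b64token):
    """What the client put inside 'Proxy-Authorization: Negotiate'."""
    # Raw NTLMSSP: 8-byte signature, then message type (1/2/3) as LE uint32.
    data = base64.b64decode(b64token)
    if data.startswith(b"NTLMSSP\x00") and len(data) >= 12:
        return "ntlm-type%d" % struct.unpack_from("<I", data, 8)[0]
    if data[:1] == b"\x60":        # DER tag of a GSS-API/SPNEGO token
        return "spnego"
    return "unknown"


def diagnose(first, second, token):
    """Only a Basic (or Digest) challenge lets the browser ask for a password."""
    rechallenge = offered_schemes(second)
    return {
        "first_offers": offered_schemes(first),
        "client_sent": negotiate_token_kind(token),
        "rechallenge_offers": rechallenge,
        "dialog_possible": "Basic" in rechallenge,
    }
```

Run as `diagnose(FIRST_407, SECOND_407, BROWSER_TOKEN)`: the first reply offers Negotiate and Basic, the client answers with an NTLM type 1 message wrapped in Negotiate, and the re-challenge offers no scheme at all.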
Received on Tue Oct 09 2012 - 09:19:55 MDT