If users are a memebr of a certain AD group, they are granted access to the web. I have this working but there is a glitch. I have to restart squid everytime I add or remove a user from the active directory group for the change to kick in. I could set up cron to restart squid every x amount of minutes but that is no good. see settings
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
[code]...
Any work arounds for this. I need to able to add an AD user to an AD group so they can have instant access to the web without me having to restart squid
this setup makes squid authenticate both the employees and admin network. how can i make squid just authenticate only the employees network? admin network should connect to squid without authentication.
Port 3128 is set up for transparent proxying (ie, if you send a request to the internet, iptables forwards it to 3128) Port 3129 is just a regular port. If you connect to 3129 directly, you get prompted for a password:
Code:
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid/squid.passwd auth_param basic children 2 auth_param basic realm Squid proxy-caching server acl password proxy_auth admin http_access allow password
And this is actually working also. If someone signs then they are able to access unrestricted browsing (with squidguard). However, if they don't, they are transparent-proxied and have restricted browsing. The problem is I keep getting /var/squid/cache.log hits:
Code:
2010/03/03 17:11:04| ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests. Basically evertime there's a transparent request, it throws a warning.
I have a squid server currently running with basic authentication. This is a must because we constantly have different people using different machines but the rules must be set per user, not per machine.
We also have a lot of users coming and going. So every time a new user comes to the office I have to manually create a user for him so he can authenticate.
Anyway.. We do not have any windows servers so no Active Directory. But I need some solution to pass the windows login to Squid.
First question: It seems I am using NTLM currently for samba as the person can map their home directories on their windows box withuot authenticating. Why can I not use it for squid?
Second question: Can I make my Centos server into an AD server?
I'm fairly new to Linux and very new to Squid and am having authentication issues! I am using Oracle Enterprise Linux (which is basically Red Hat without the branding) and wanting to use Squid Proxy Server for web access with authentication to Active Directory. I've found a number of articles about this online and all of them say to use auth program squid_ldap_conf which should be in /usr/lib/squid/. I don't have a squid directory in /usr/lib for starters and my squid binaries are in /etc/squid but there is no squid_ldap_conf in there either. I have installed the latest version of Squid (3.0) to see if that helped but I still cannot find the authorisation program.
I would like to be able to get squid or dansguardian to authenticate a user account against active directory so that a users browsing activities can be logged.
I can find lots a very useful info on how to set up ntlm_auth etc, but all of these methods produce a pop up window when the user launches the browser.
I'm posting this thread because I would like to be able to authenicate, but without a pop up window. Is there a way of automatically carrying out this authentication so that the user is unaware of it.
We've previously attempted authenticating against an NT4 PDC, but the users worked out that they could use any user account on the network, not just the user that was logged in which kinda defeated the whole idea of logging the users activity.
My current setup is:
Windows 2003 AD Windows XP Clients, soon to be converted to windows 7. Fedora 11 running squid and dansguardian.
I am using RackMonkey to map out my lab. Unfortunately, due to RM limitations, every user who accesses the site has write access UNLESS they are logged in as a user named "guest". I currently have Apache allowing only the users (sysadmins) in an LDAP group access to RM, but I would like to allow read-only access for other users as well.I found mod_authn_anon, but I am having trouble combining the two authentication methods. I am using Apache 2.2.18 (compiled myself) on SLES 11.1.
This is the common part:
Code:
AuthType Basic AuthBasicProvider ldap anon Order allow,deny Allow from all
This part by itself works for the LDAP authentication:
Anonymous guest Anonymous_VerifyEmail Off Anonymous_MustGiveEmail Off Anonymous_LogEmail on Require valid-user
But if I have both of the previous blocks enabled at once, then guest access does not work. If I throw in a "Satisfy any", then I am not prompted for a username at all. How can I allow access to this LDAP group and to a user named "guest", but not allow all valid LDAP users to log in?
I have squid proxy authenticating Internet users with LDAP. It's working well. But I have problem when I authenticate to squid proxy to login to Yahoo Messenger. Each time, I login to YM application, the squid proxy popups many authentication windows. These confuse users when they you YM. I checked in squid access log and see that: when users use YM application, the application requests the following links:
[code]...
With each link, squid requires one authentication window. Do you have any ways to squid require only one authentication window when users use YM?
I would like to configure Squid and DansGuardian that way, that it's a Proxy with Authentication via Website. That means: A new Notebook gets about DHCP the Network-Information like IP-Adress etc.. When he now tries to open a Internet connection it should check if he's authenticated and if not he should get (if this try is from a browser) a login screen in http. It should also not be possible to have internetconnection without being logged in. The clients are Windoze, Mac and Linux. My question now. What programms/deamons are there for doing this authentication. Would you decide for another Programm instead of Squid?
how can I change the text in the Squid Proxy Authentication Dialog Box...? I would like to change the text "The proxy localhost:3128 is requesting a username and password. The site says: "Squid Proxy Caching Server". Is there a file or a configuration to change the text?
I've got this current configuration : 1 squid server authenticating with 1 forest abc.com, then another company wants to joint but in different forest efg.com, I've already configured trust relationshipt between them.
How should I configured at squid.conf so it will authenticate both domain ?
At squid.conf I've already configured like the following below for abc.com :
Is it enough to adding a new line for auth_param basic program for efg.com ?
My squid server works fine in fedora 11 system . Is there any web like interface for admins to create,change,modify users of squid and to view their logs.
I would like to ask some help and tutorial for setting up and how to configure squid proxy server in my (Home PC Server). I am a newbie in Linux Centos. I already installed in my system the CentOS 5.5 . Now, I want to configure it as my internet server, all of my 4 system running in Windows including the laptop I want to connect through my CentOS pc with username authentication. I assign all IP address by static. see tthe attachement in my set up. [url] I just want to know what I need to change and add in my squid config file. And how can I configure properly my CentOS with 2 LAN card as internet server.
I have a problem with ldap client authentication in ubuntu. I am using rhel5 as openldap server and I configured ubuntu as client, when I am trying to login the following message is coming."su: Authentication service cannot retrieve authentication info. Sorry" But when I do search through "ldapsearch" command output is coming without any errors, Can anybody explain what would be problem.
How can I create a user group that restricts Internet privileges to only members in the group, then I will assigns certain applications to join the group for access to the Internet.
For example, I want only group net to have access to the Internet. Group net is then connected to:
Code:
So far, I am using the gnome group policy manager that is standard with ubuntu but Its not working. It is possible that im misdirected and that I should use a firewall instead?
I have a text file that currently has around 150 000 usernames in it. I need to somehow group them into smaller groups of 1000 and then add that value into the DB. for example user xzy group 1 (hopefully the groups will be digits incrementing)
[Code]....
how to search for 1000 then assign them group 1 and then 1001-1999 to group 2 etc.
i want secondary users can able to change the files permissions of primary group?user MAC is having www as a primary and httpd as secondary group. But he want to change the file permissions (chmod) httpd group files. Is it possible or not? I think its not possible. If it`s possible then let me know how?
I've been tasked with fixing a Red Hat system that dies with a kernel panic during the boot stage:
Code:
EXT3-fserror (dev sda1): ext3_check_descriptors: Inode bitmap for group 4 not in group (block 67239937)! EXT3-fs: group descriptors corrupted! mount: error mounting /dev/root on /sysroot as ext3: Invalid argument
I can boot into a Rescue CD, but I'm a bit out of my element because I don't use EXT3 myself, and I've never had to repair a corrupted file system before.
Squid document says that Squid accepts only HTTP requests but speaks FTP on the server side when FTP object are requested.
We call Squid HTTP and FTP caching proxy server. Does it also caches FTP contents? Is it possible to configure FTP clients to use Squid cache? When we make an FTP request to an FTP site via Squid will it be bypassed?
I want to make a transparent squid proxy server in centos. The squid proxy version is 2.6 stable. I made a normal squid server but want to make it transparent so that users do not need to enter the proxy settings in web browser. Even i searched about this on google but not getting it properly.I have two lan cards on centos system. ETH1 used for LAN and ETH2 used for WAN. And in this squid.conf i written "http_port 172.16.31.1:3128 transparent" and i also added a rule in iptables which is "iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128" but still i have to enter proxy settings at client's web browser to use internet
I would like to install and configure Transparent squid proxy on a gateway server ,but i dont have a local OR intranet DNS server.I am facing issues do that ,regard .My IP series is 192.168.1.1/24
I have a group (GROUP) with a number of users. I recently added a new user (NEW). NEW is able to read but not write group files, whereas all the other users in the group can read and write to the group files. The permissions for the group files indicate that all members of group should have write permission -rwxrwxr-x
/etc/group indicates that NEW is a member of GROUP ... GROUP:x:501:GROUP,OLD,OLD2,OLD3,OLD4,....,NEW
[code]....
Don't know if it matters, but both OLD and NEW write to the GROUP files over an internet connection. why NEW can't write to GROUP files? Is there a maximum number of members in a group that I might have exceeded?
When I am trying to run the Xserver using the command startx I am getting the below mentioned error
xauth: creating new authority file /oracle/oracle10g/.serverauth.22555 Fatal server error:PAM authentication failed, cannot start X server. Perhaps you do not have console ownership?
What is the fastest setup to do this? All I want is an internally authenticated webmail server that other servers can send mail to for collection of test emails. Don't need LDAP or anything fancy, just a internal LAN only webmail server. I've got Squirrelmail setup on Ubuntu Server and can't get authentication setup with Squirrelmail and every tutorial I read is way over complicated or has nothing on how to authenticate Squirrelmail with internal, system users.
