Hi,
Il 04.57 11/11/2004 Robert Trouchet ha scritto:
>Thank you for the prompt reply
>
>Unfortunately the changes you have suggested do not do what I want them to.
>
>My users are now being asked for a user name and password. Gaining access to
>my network shows that they already have those. The network is in a school
>with students as young aa 4 years old. Some even have problems spelling
>their own name!
>
>I wish to limit students who mis-use the Internet. I currently use a logon
>script to stop any usage by naughty students. I want to also be able to
>limit the bandwidth of those who were only a little bit naughty. I plan on
>doing this via delay pools. At first, however, I need to be able to use the
>NT groups to identify and then limit those students using the acl allow and
>deny.
>
>At present I want my Squid configuration file to
>
>1. identify users in the Windows NT global group "SlowInternet".
>2. deny them access to the squid system
>
>I have enclosed a copy of my current squid.conf file so that you can see
>what it currently looks like.
>
>I have commented out the sections which appear to be requesting a password.
>
>I had read through the FAQ's and the text files in the Squid documentation
>folder but was unable to make enough sense of what I actually had to do.
>This is why I sent the message to the discussion group. As I mentioned in
>that post I am not a Linux person so even though I had searched the archives
>and the FAQ I was unable to understand what to do.
You need a proxy authentication: without user credentials provided by
authentication you cannot use group authorization because squid doesn't
know the username of the person that is browsing.
You can avoid password prompt using NTLM authentication, for this you need:
- A Windows domain
- Squid must run on a domain member
- The client machine must a be domain member
- All users must authenticate itself
- The user must be logged on the client machine with a domain account
- The domain user account must be member of a Domain Global Group
- The Browser must be Internet Explorer
The needed configuration is:
auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
# Basic authentication can be optional
auth_param basic program c:/squid/libexec/nt_auth.exe
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl slowaccount external NT_global_group SlowInternet
acl password proxy_auth REQUIRED
http_access allow Special_sites
http_access deny Ad_sites
http_access deny Porn_sites
http_access deny Restricted_sites
http_access deny badUrl1
http_access allow our_networks password !slowaccount
http_access deny all
Regards
Guido
-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Thu Nov 11 2004 - 11:09:04 MST
This archive was generated by hypermail pre-2.1.9 : Wed Dec 01 2004 - 12:00:01 MST