Thanks for the reply. I think I will have to consider PAM.
Regards
On 8 March 2011 11:06, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 08/03/11 18:42, Go Wow wrote:
>>
>> Hi All,
>>
>> I have implemented the AD authentication with squid3. I would like to
>> add another level of authentication which should be local to unix box
>> something like ncsa. When AD authentication fails then it should
>> switch to other authentication and even if it fails then deny the
>> packet.
>>
>> In squid, when I define
>>
>> auth_param basic program /usr/lib/ncsa_auth /etc/squid3/passwd
>> auth_param basic program /usr/lib/squid_ldap_auth ...
>>
>> the bottom line is configured by initiating the helper programs and
>> the top line is ignored. If I interchange the above lines then again
>> the bottom program is initiated and top one is ignored.
>
> Yes. You can only define each authentication type once.
>
> Squid just hands every Basic auth header it gets over to a helper to get a
> yes/no answer for use in ACLs. It is up to that helper and the backend
> authentication system it uses to do anything like failover, checking multiple
> sources etc.
>
>>
>> Can someone guide me how to create the dual level authen.
>>
>
>
> * Use two different types of authentication, ordered by your preference.
> Then hope that the browser agrees with that preference because all you are
> doing is offering auth types. The client browser chooses which one is used.
>
> * Use an authentication backend which supports checking credentials against
> multiple sources, i.e. PAM or similar.
>
> * Write your own wrapper script to receive data from Squid and test both
> data sources, passing the overall result back to Squid.
>
>
>> I read the multiple services authentication FAQ on
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/MultipleSources
>> but couldn't understand fully. I understood myacl.pl is used for
>> authentication but how do I define username and password for users
>> using this method?
>
> This example is about enforcing strict controls over which background
> authentication mechanism is used for any given client IP.
>
> You *could* use it, however for trying both systems with failover it is
> simpler and more efficient to write an authenticator that does it. That
> example is only needed because the IP is not sent to basic auth in some
> squid versions.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.11
> Beta testers wanted for 3.2.0.5
>
Received on Tue Mar 08 2011 - 08:09:07 MST
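
The wrapper-script option from the reply above, as an added example that is not part of the original thread or of Squid itself. It assumes the plain (non-concurrent) Basic helper protocol, where Squid writes one "username password" line per request and reads back OK or ERR, and that it is configured as the single "auth_param basic program" with the backend command lines given as arguments separated by "--", the AD/LDAP helper first. The names Backend, split_commands and authenticate are hypothetical.

```python
# Added example: failover wrapper for Squid Basic auth helpers (hypothetical names).
import subprocess
import sys
from itertools import groupby


class Backend:
    """A long-running helper that reads "user pass" lines and answers OK/ERR."""

    def __init__(self, argv):
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)

    def check(self, line):
        try:
            self.proc.stdin.write(line + "\n")   # forwarded verbatim, still URL-escaped
            self.proc.stdin.flush()
            reply = self.proc.stdout.readline()  # "" if the helper has died
        except OSError:
            return False                         # broken helper never grants access
        return reply.split()[:1] == ["OK"]       # anything but OK fails closed


def split_commands(argv):
    """Split ['a', 'x', '--', 'b', 'y'] into [['a', 'x'], ['b', 'y']]."""
    return [list(g) for is_sep, g in groupby(argv, lambda a: a == "--") if not is_sep]


def authenticate(line, backends):
    """Return "OK" if any backend, tried in order, accepts the credentials."""
    user, _, password = line.partition(" ")
    # Reject empty fields before they reach a backend: some LDAP servers treat
    # an empty-password bind as a successful anonymous bind.
    if not user or not password:
        return "ERR"
    return "OK" if any(b.check(line) for b in backends) else "ERR"


def main(argv):
    # Assumed convention: backend commands separated by "--", in failover order.
    backends = [Backend(cmd) for cmd in split_commands(argv)]
    for raw in sys.stdin:
        print(authenticate(raw.rstrip("\r\n"), backends), flush=True)
    # On EOF from Squid the wrapper exits; the child helpers then see EOF too.


if __name__ == "__main__":
    main(sys.argv[1:])
```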