I am using the latest 3.4 build and a config that looks like:
ident_lookup_access allow localnet
ident_lookup_access deny all
ident_timeout 5 seconds
acl password_required proxy_auth REQUIRED
acl ident_required ident REQUIRED
http_access allow localnet ident_required ident_unrestricted_group
http_access allow localnet ident_required unrestricted_sites
http_access deny localnet ident_required
http_access allow localnet password_required password_unrestricted_group
http_access allow localnet password_required unrestricted_sites
http_access deny
The idea is that ident will be used, and if ident can't be used, proxy auth (ntlm) will be used.
The problem is that users who ident successfully but are not in the ident_unrestricted_group / password_unrestricted_group (both the same Windows group) get a 407 response and a password prompt, instead of an access denied. I can work around this by putting:
deny_info 403:ERR_ACCESS_DENIED ident_required
just before the identd deny, but it seems like a hack.
Am I doing something wrong or could this be a bug?
Also, are there any implementations of ident that are a bit more useful? Such a thing would:
. have a single TCP connection between squid and the client (preferably client initiated), kept alive for a reasonable time
. authenticate the identd server itself (identd is not really considered secure)
. allow squid to specify all aspects of the connection (ident expects the lookup to come from the destination, which isn't true if you are doing transparent proxying, although easy to patch squid to fake the source)
Thanks
James
Received on Tue Aug 26 2014 - 02:25:41 MDT