I'm working on a Squid proxy which needs to authenticate users against an Active Directory domain; this works fine, Samba was correctly set up and Squid authenticates users via ntlm_auth. Relevant lines in squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
acl Authenticated proxy_auth REQUIRED
http_access allow Authenticated
http_access deny all
Now, I need a way to allow access to users who don't have a domain account. I know I could create an "internet user" account in the domain, but this would allow access, although limited, to domain resources (file shares, etc.); I need something that will allow only Internet access.
The ideal solution would be using a local account on the proxy server, either a Linux account or a Squid one; I know Squid supports this, but I'm unable to have it use both domain authentication and Squid/local authentication if domain auth is unsuccessful.
Can this be done? How?
Best Answer
Yes.
You can use an "external" ACL helper, which allows you to roll your own mechanism. See the Squid wiki "Multiple Source" entry for more details. This bit of pseudo-code lifted straight from there:
... where my-auth.pl is a bit of perl script that performs the actual authentication, and returns OK or ERR as the result.
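As an added illustration of the fallback the answer describes (not the wiki's my-auth.pl and not part of the original answer), here is a helper written to Squid's basic helper protocol: Squid sends one "username password" line per request and expects OK or ERR back. It tries the domain first through ntlm_auth's squid-2.5-basic helper mode and only then checks a local password store, so a local "internet user" never needs a domain account. Assumed: ntlm_auth at /usr/bin/ntlm_auth, a matching `auth_param basic program /path/to/this-script` line in squid.conf, and the constructed local user store shown inline.

```python
#!/usr/bin/env python3
# Squid basic-auth helper: domain (ntlm_auth) first, local password store as fallback.
# Constructed example; the store below is inline only so the script runs stand-alone.
import hashlib
import hmac
import subprocess
import sys

NTLM_AUTH = ["/usr/bin/ntlm_auth", "--helper-protocol=squid-2.5-basic"]  # assumed path


def hash_password(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256; a real deployment loads entries from a root-only file."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


# Constructed local store: username -> (salt, hash). Built here so the example is self-contained.
LOCAL_USERS = {"internet1": (b"salt-1", hash_password("s3cret", b"salt-1"))}


def check_local(user: str, password: str, store=LOCAL_USERS) -> bool:
    # Hash and compare even for unknown users so a missing account costs the same time.
    salt, expected = store.get(user, (b"dummy-salt", "no-such-user"))
    return hmac.compare_digest(hash_password(password, salt), expected)


def check_domain(user: str, password: str) -> bool:
    """Ask ntlm_auth over its basic helper protocol; any failure to run it counts as a reject."""
    try:
        proc = subprocess.run(NTLM_AUTH, input=f"{user} {password}\n",
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return False
    return proc.stdout.startswith("OK")


def decide(line: str, domain_check=check_domain, local_check=check_local) -> str:
    """One request line in, 'OK' or 'ERR' out. Domain first, local store only on failure."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"
    user, password = parts
    return "OK" if domain_check(user, password) or local_check(user, password) else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; unflushed output stalls the helper


if __name__ == "__main__":
    main()
```

Local users still get no domain credentials at all, which is the point of the question: the proxy, not the domain, vouches for them.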