Koozali.org: home of the SME Server

Proxy Authentication

Bob Wallman

Proxy Authentication
« on: March 01, 2002, 06:28:44 AM »
I work for a School Division and I recently installed an SME Server v5.1.2 with a DSL connection in one of the high schools.  My plans are to roll out another 4 of these servers in other schools throughout the Division.  Here is my problem:

Certain students in the various schools are not allowed Internet access.  Every school that I will be installing an SME server into has at least 1 NT 4.0 server.  Is there some sort of authentication method that I could use on the SME box so that certain users cannot access the Internet?  I would hate to have to recreate all the users on the SME box as some of the schools have 800 users already created on the NT box.

What would be nice is if I could create an NT local group called NoInternet and dump all the users into that group that shouldn't have Internet access, and if the SME server could then utilize that group to only allow approved users access.

If you require more information re. the network or anything, let me know.

Lloyd Keen

Re: Proxy Authentication
« Reply #1 on: March 01, 2002, 09:53:53 AM »
Bob,
We are currently authenticating our Internet access against the e-smith user database and blocking users with an Access Control List in the squid.conf file. We are trying to get some work from the education system as well and believe that user authentication is a "must have" in order to get a look in. I would like to work off list with you to try a few things out (I can't test as I don't have an NT PDC lying around) and if we can get it to work, maybe write a howto for this. You can contact me on the above e-mail address to discuss.

Filippo Carletti

Re: Proxy Authentication
« Reply #2 on: March 02, 2002, 04:37:11 PM »
I didn't try it, but I think that squid smb_auth can be used to check access against an NT PDC.
I did some research on the topic for a school and have something ready (wpad, squidguard).
I hope to be able to contribute to your work.
I'm available at my email address.

jose velez

Re: Proxy Authentication
« Reply #3 on: March 02, 2002, 05:21:48 PM »
www.chez.com/vinc28/fetchmail.htm
download the e-smith-squid-0.2-5.i386.rpm and install

and Brandon Friedman emailed me these changes for SME 5.X


Copy these 2 fragments:

40http_access75AllowLocal
40http_access99denyall  

From   /etc/e-smith/templates/etc/squid/squid.conf/
To     /etc/e-smith/templates-custom/etc/squid/squid.conf/

Then edit both and comment out the contents of both:

#http_access allow localsrc
#http_access deny all

Expand the template
/sbin/e-smith/expand-template /etc/squid/squid.conf

Then restart squid:
service squid restart

It works great and is easy to install.  It also works with Trevor's new Squidguard 3, so you will have control over access and what they can see.
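
Added example, not part of the thread or of the e-smith-squid package: Squid checks http_access lines top to bottom and the first matching line decides, so a blanket allow for the local network placed ahead of per-user rules lets a blocked account through. The Python model below shows that ordering effect; the LAN range, the user names and the ACL names `authenticated` and `nointernet` are assumptions made for illustration (`localsrc` is the name used in the fragments above).

```python
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed LAN range
NO_INTERNET = {"student17", "student42"}             # constructed deny list

# Each ACL is a predicate over (client_ip, user). user is None when the
# browser sent no proxy credentials. Simplification: real Squid answers
# 407 to ask for credentials when a proxy_auth ACL is reached without
# them; this model treats that case as "no match".
ACLS = {
    "all": lambda ip, user: True,
    "localsrc": lambda ip, user: ipaddress.ip_address(ip) in LOCAL_NET,
    "authenticated": lambda ip, user: user is not None,   # hypothetical name
    "nointernet": lambda ip, user: user in NO_INTERNET,   # hypothetical name
}

# Blanket "allow localsrc" still active ahead of the user rules.
STOCK_FIRST = [
    ("allow", ["localsrc"]),
    ("deny", ["nointernet"]),
    ("allow", ["localsrc", "authenticated"]),
    ("deny", ["all"]),
]

# Same rules with the blanket allow commented out.
USER_RULES = [
    ("deny", ["nointernet"]),
    ("allow", ["localsrc", "authenticated"]),
    ("deny", ["all"]),
]

def http_access(rules, client_ip, user=None):
    """Decide 'allow' or 'deny' the way Squid walks http_access lines:
    top to bottom, a line matches only if every ACL on it matches, and
    the first matching line decides."""
    for action, acl_names in rules:
        if all(ACLS[name](client_ip, user) for name in acl_names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for label, rules in (("stock first", STOCK_FIRST), ("user rules", USER_RULES)):
        for user in ("student17", "teacher01", None):
            print(label, user, http_access(rules, "192.168.1.50", user))
```
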

Confucius

Re: Proxy Authentication
« Reply #4 on: March 03, 2002, 02:44:28 AM »
Jose,

Your information seems to be a little outdated... I tried to get the rpm... found it as http://www.chez.com/vinc28/files/e-smith-squid-0.2-6.i386.rpm
The link on the page is not corrected either so that leads to nothing... for all others, use this contribution :-)

Harro

Bob Wallman

Re: Proxy Authentication
« Reply #5 on: March 03, 2002, 06:07:30 PM »
I found a very interesting site related to Web Caching and Access Control with Squid plus Internet Filtering using SquidGuard.

http://linux.lexilog.org.uk/index.html

I have read through the pages but, as I am still fairly new to the Linux world, it seems a little beyond me right now.  The site talks about authenticating users against an NT Domain Controller using pam_smb.  The site seems to explain all the steps required to carry this out.

What I would like to see is for someone to write a how-to to accomplish all of these steps from installing SquidGuard to configuring authentication against an NT Domain Controller in a nicely packaged rpm.  A SquidGuard panel in the SME Server Manager would also be very nice to allow:

- addition of your own sites you want to block
- section to unblock certain sites
- schedule regular updates of the SquidGuard blacklists
- section to configure the Domain that you want to authenticate users to and the NT Group that should not have Internet access
- etc., etc.

This sounds like a lot and it probably is.  Like I mentioned above, I am very new to the Linux world and not sure how to even start anything like this.  I know that there is a how-to (http://myezserver.com/downloads/mitel/howto/) in setting up SquidGuard on an SME Server.

It just would be nice to see an addition to this for Authentication and some other goodies.  These are just my thoughts as it would make implementing it easier in the School Division I work for.

I would like to hear any thoughts on this.  Thanks.

TimP

Re: Proxy Authentication
« Reply #6 on: March 03, 2002, 07:07:49 PM »

TimP

Re: Proxy Authentication
« Reply #7 on: March 03, 2002, 09:10:25 PM »
Ignore my other message as I have just noticed that it's not the file you would need.