RE: [squid-users] Problems with IDENT lookup logging

2009-04-27 Thread Amos Jeffries
>>  1) you mention having questions but don't ask any.
>
> --> Well, one of them is..I have read that using LDAP lookup..When
> attempting to visit a blocked site, squid will challenge the
> authentication. Is this true?

LDAP (authentication) and IDENT (identification) are two very different
things.
Only if you configure Squid to request authentication will it challenge.
There are ways to avoid auth sometimes (IP, header, or destination based
ACLs etc), and others (fakeauth or the 'all' ACL config hack) to avoid the
challenge.

>  We're trying to keep this as transparent as
> possible.

Well, to guarantee auth credentials, some form of challenge needs to go
back to the browser to kick things off. In your current usage this challenge
is done in the background via ident. I mention fakeauth etc. They and the
auth protocols you have looked at do the same thing via HTTP. Some like
LDAP and NTLM can be silent to the user if the browser has access to such
information.
 Worst case for a proper setup is that the user gets an auth popup once per
browser startup.
 Worst case for a broken setup is that the browser continuously shows the
user the auth popup.


>   Will squid have any problems performing LDAP against a mail server? I
> have the mail server also set up as an LDAP server (it's an exchange2003
> box), so, so long as I direct the requests under port 389 there shouldn't
> be a problem correct?

Say what?!  SMTP and LDAP are again two very different protocols. SMTP
like HTTP can be configured to _use_ LDAP. But you cannot AFAIK send an
email to someone and receive LDAP credentials back via LDAP protocol.

I have to assume you mean your Exchange2003 Server provides LDAP domain
authentication service separate to its email service.
Squid should not have any problems authenticating against any proper LDAP
authentication service.

>   Next question would be..Is there a better method to use than LDAP? NTLM
> possibly?

Not really; security changes over time, and NTLM and LDAP are getting old.
But at least LDAP is able to keep up with encryption updates.
If you are using Vista or later boxes anywhere, negotiate auth with
Kerberos is much better than NTLM for them. To the point of being a
required upgrade.

>
>   2) logging of authenticated username (LDAP) and logging of identity
> name (IDENT) are two separate things sometimes in Squid. Check the log
> format is showing what you want.
> ---> I do have the log format set to record successfully the IDENT lookup.
> As you can see from the log..It does sometimes work and sometimes does
> not. I can include a much larger log file if anyone has the time to look
> it over. I do, but I can't discern any patterns..

As you probably know, IDENT only works for local machines which support it
AND have the security levels reduced to allow user information to be shown
publicly.

>
>   3) Ident is a rarely used (due to being insecure) method of
> identification. The re-write of auth for Squid-3 left a few problems in
> the way it works. Many of which are being resolved so recently the
> patches have not yet made it to 3.0 and some still waiting testing in
> bugzilla. If you need this kind of fix, please test the latest snapshots
> then go check bugzilla for any remaining issues.
> > Again..I don't mind getting away from IDENT..It is a pain in the ass
> to get installed on all the client machines..But when I was first learning
> about squid, this is the path that was easiest for me (I had to learn
> linux first, then squid, then squint for reports, then IDENT for username
> logging..All in about a week).. So I just kind of stuck with it.
> We have until May 4th til this needs to go live. We, as you can see, are
> currently running and logging now so we can make sure the loads are all
> ok. So, any help before then would be awesome!!

I think you probably want to look at fakeauth as well. Which does the auth
challenge to browsers, but accepts anything they send back.
 http://wiki.squid-cache.org/ConfigExamples/Authenticate/LoggingOnly


>
> Thanks again guys!!
>
> Thanks
> Dustin
>
> Dustin Hane wrote:
>> Hello all!
>>
>> I'm trying to get around having to do the LDAP or NTLM authentication
>> schemas. It may be a lot easier, but I'm just not exactly sure how..So
>> what I have done is this..
>> I pushed out via a GPO a script that will report the username to a text
>> file. I then use windows IDent server (installed on all local boxes) to
>> listen for when Squid makes an RFC 931 lookup request. The service
>> responds with the username from the text file.
>> Using Squid 3Stable7 on Unix..Exporting logs in default squid format..
>> I wouldn't have a problem using an LDAP server as I do have it set up..I
>> just don't understand it and for some reason I can't wrap my head around
>> the wiki for it and I have a few questions that aren't listed there..If
>> someone has a few minutes that I could email my test config for it to, I
>> would be eternally grateful! I just don't want to bo
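
Amos's point that IDENT only works for client machines that run an ident service and are willing to give user information out is easy to check directly, because the protocol is one line each way. The following is an added example for this thread, not Squid's own ident client and not code from anyone posting here; it shows the RFC 1413 query (the current spec for what the original post calls RFC 931) a proxy sends to the client machine, and how the USERID and ERROR replies are read, HIDDEN-USER being the refusal a locked-down host returns. Host names and port numbers are placeholders.

```python
"""RFC 1413 ident (the successor of the RFC 931 spec the thread refers to):
what a proxy sends to the client machine and how the reply is read.

Added example for this thread; it is not Squid's ident client and not code
from anyone in the thread. Host names and port numbers are placeholders.
"""
import socket

IDENT_PORT = 113  # well-known ident port

# Error types from RFC 1413 section 6. HIDDEN-USER is what a host returns
# when its configuration refuses to disclose the owner of the connection,
# i.e. the "security level" refusal Amos mentions. Types starting with "X"
# are private extensions.
KNOWN_ERRORS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}


def build_query(port_on_client_host, port_on_proxy):
    """Query line for the connection client:port_on_client_host -> proxy:port_on_proxy.

    RFC 1413 names the host being asked the "server", so the first number is
    the port on the client machine (the browser's source port) and the second
    is the proxy's listening port.
    """
    return f"{port_on_client_host} , {port_on_proxy}\r\n"


def parse_reply(line):
    """Parse one ident reply line.

    Returns {"ports": (a, b), "status": "USERID", "opsys": ..., "user": ...}
    for a successful lookup, or {"ports": (a, b), "status": "ERROR",
    "error": ...} for a refusal. Raises ValueError for anything else. A closed
    port, a firewall or a host with no ident service produce no reply line at
    all, which the caller sees as a connection error or timeout instead.
    """
    fields = [f.strip() for f in line.rstrip("\r\n").split(":", 3)]
    if len(fields) < 3:
        raise ValueError(f"malformed ident reply: {line!r}")
    try:
        a, b = (int(p) for p in fields[0].split(","))
    except ValueError:
        raise ValueError(f"bad port pair in ident reply: {line!r}") from None
    status = fields[1].upper()
    if status == "ERROR":
        err = fields[2]
        if err not in KNOWN_ERRORS and not err.startswith("X"):
            raise ValueError(f"unknown ident error type: {err!r}")
        return {"ports": (a, b), "status": "ERROR", "error": err}
    if status == "USERID" and len(fields) == 4:
        # opsys may carry a charset, e.g. "UNIX , US-ASCII"; keep the OS part
        opsys = fields[2].split(",")[0].strip()
        return {"ports": (a, b), "status": "USERID", "opsys": opsys, "user": fields[3]}
    raise ValueError(f"malformed ident reply: {line!r}")


def user_from_reply(line):
    """The user id from a reply, or None for an error or malformed reply."""
    try:
        reply = parse_reply(line)
    except ValueError:
        return None
    return reply["user"] if reply["status"] == "USERID" else None


def lookup(client_host, port_on_client_host, port_on_proxy, timeout=3.0):
    """Ask client_host's ident service who owns the connection. Returns the
    parsed reply, or None when the host does not answer in time (no ident
    service, port filtered) or the reply is not well formed."""
    try:
        with socket.create_connection((client_host, IDENT_PORT), timeout=timeout) as sock:
            sock.sendall(build_query(port_on_client_host, port_on_proxy).encode("ascii"))
            data = sock.recv(1024).decode("ascii", errors="replace")
        return parse_reply(data)
    except (OSError, ValueError):
        return None
```

Running `lookup("pc-name", 51234, 3128)` from the proxy host against one of the client machines, while that client has a connection open through the proxy, distinguishes the three cases that all end up as "-" in the log: no answer at all (service not running or port filtered), an ERROR reply (HIDDEN-USER or NO-USER), and a USERID reply that is simply arriving too late for the proxy's own timeout.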

RE: [squid-users] Problems with IDENT lookup logging

2009-04-27 Thread Dustin Hane
>  1) you mention having questions but don't ask any.

--> Well, one of them is..I have read that using LDAP lookup..When attempting 
to visit a blocked site, squid will challenge the authentication. Is this true? 
We're trying to keep this as transparent as possible. 
Will squid have any problems performing LDAP against a mail server? I 
have the mail server also set up as an LDAP server (it's an exchange2003 box), 
so, so long as I direct the requests under port 389 there shouldn't be a 
problem correct? 
Next question would be..Is there a better method to use than LDAP? NTLM 
possibly?

  2) logging of authenticated username (LDAP) and logging of identity 
name (IDENT) are two separate things sometimes in Squid. Check the log 
format is showing what you want.
---> I do have the log format set to record successfully the IDENT lookup. As 
you can see from the log..It does sometimes work and sometimes does not. I can 
include a much larger log file if anyone has the time to look it over. I do, 
but I can't discern any patterns..

  3) Ident is a rarely used (due to being insecure) method of 
identification. The re-write of auth for Squid-3 left a few problems in 
the way it works. Many of which are being resolved so recently the 
patches have not yet made it to 3.0 and some still waiting testing in 
bugzilla. If you need this kind of fix, please test the latest snapshots 
then go check bugzilla for any remaining issues.
> Again..I don't mind getting away from IDENT..It is a pain in the ass to 
get installed on all the client machines..But when I was first learning about 
squid, this is the path that was easiest for me (I had to learn linux first, 
then squid, then squint for reports, then IDENT for username logging..All in 
about a week).. So I just kind of stuck with it. 
We have until May 4th til this needs to go live. We, as you can see, are 
currently running and logging now so we can make sure the loads are all ok. So, 
any help before then would be awesome!!

Thanks again guys!!

Thanks
Dustin

Dustin Hane wrote:
> Hello all!
> 
> I'm trying to get around having to do the LDAP or NTLM authentication 
> schemas. It may be a lot easier, but I'm just not exactly sure how..So what I 
> have done is this..
> I pushed out via a GPO a script that will report the username to a text file. 
> I then use windows IDent server (installed on all local boxes) to listen for 
> when Squid makes an RFC 931 lookup request. The service responds with the 
> username from the text file. 
> Using Squid 3Stable7 on Unix..Exporting logs in default squid format..
> I wouldn't have a problem using an LDAP server as I do have it set up..I just 
> don't understand it and for some reason I can't wrap my head around the wiki 
> for it and I have a few questions that aren't listed there..If someone has a 
> few minutes that I could email my test config for it to, I would be eternally 
> grateful! I just don't want to bog down the maillist with my stupidity.
> Works absolutely awesome 94% of the time..But occasionally I get the 
> following. (usernames have been retracted for obvious reasons)
> 
>
>A few things crop into my head reading your post:
>
>  1) you mention having questions but don't ask any.

--> Well, one of them is..I have read that using LDAP lookup..When attempting 
to visit a blocked site, squid will challenge the authentication. Is this true? 
We're trying to keep this as transparent as possible. 
Will squid have any problems performing LDAP against a mail server? I 
have the mail server also set up as an LDAP server (it's an exchange2003 box), 
so, so long as I direct the requests under port 389 there shouldn't be a 
problem correct? 
Next question would be..Is there a better method to use than LDAP? NTLM 
possibly? 

  2) logging of authenticated username (LDAP) and logging of identity 
name (IDENT) are two separate things sometimes in Squid. Check the log 
format is showing what you want.

  3) Ident is a rarely used (due to being insecure) method of 
identification. The re-write of auth for Squid-3 left a few problems in 
the way it works. Many of which are being resolved so recently the 
patches have not yet made it to 3.0 and some still waiting testing in 
bugzilla. If you need this kind of fix, please test the latest snapshots 
then go check bugzilla for any remaining issues.

Amos

> ---Begin Logs---
> 1240514814.201    289 icm1512.postalproducts.com TCP_MISS/200 2347 GET http://www.bassind.com/images/bg_03.gif username DIRECT/65.198.197.121 image/gif
> 1240514814.578    404 icm1512.postalproducts.com TCP_MISS/200 544 GET http://www.bassind.com/images/top_nav_bg.gif - DIRECT/65.198.197.121 image/gif
> 1240514814.613   1106 icm1512.postalproducts.com TCP_MISS/404 1561 GET http://www.bassind.com/images/main_top.gif - DIRECT/65.198.197.121 text/html
> 1240514814.673    417 icm1512.postalproducts.com TCP_MISS/200 3994 GET http://www.bassind.com/prodimg/hometheatr

Re: [squid-users] Problems with IDENT lookup logging

2009-04-23 Thread Amos Jeffries

Dustin Hane wrote:

Hello all!

I'm trying to get around having to do the LDAP or NTLM authentication schemas. 
It may be a lot easier, but I'm just not exactly sure how..So what I have done 
is this..
I pushed out via a GPO a script that will report the username to a text file. I then use windows IDent server (installed on all local boxes) to listen for when Squid makes an RFC 931 lookup request. The service responds with the username from the text file. 
Using Squid 3Stable7 on Unix..Exporting logs in default squid format..

I wouldn't have a problem using an LDAP server as I do have it set up..I just 
don't understand it and for some reason I can't wrap my head around the wiki 
for it and I have a few questions that aren't listed there..If someone has a 
few minutes that I could email my test config for it to, I would be eternally 
grateful! I just don't want to bog down the maillist with my stupidity.
Works absolutely awesome 94% of the time..But occasionally I get the following. 
(usernames have been retracted for obvious reasons)



A few things crop into my head reading your post:

 1) you mention having questions but don't ask any.

 2) logging of authenticated username (LDAP) and logging of identity 
name (IDENT) are two separate things sometimes in Squid. Check the log 
format is showing what you want.


 3) Ident is a rarely used (due to being insecure) method of 
identification. The re-write of auth for Squid-3 left a few problems in 
the way it works. Many of which are being resolved so recently the 
patches have not yet made it to 3.0 and some still waiting testing in 
bugzilla. If you need this kind of fix, please test the latest snapshots 
then go check bugzilla for any remaining issues.


Amos


---Begin Logs---
1240514814.201    289 icm1512.postalproducts.com TCP_MISS/200 2347 GET http://www.bassind.com/images/bg_03.gif username DIRECT/65.198.197.121 image/gif
1240514814.578    404 icm1512.postalproducts.com TCP_MISS/200 544 GET http://www.bassind.com/images/top_nav_bg.gif - DIRECT/65.198.197.121 image/gif
1240514814.613   1106 icm1512.postalproducts.com TCP_MISS/404 1561 GET http://www.bassind.com/images/main_top.gif - DIRECT/65.198.197.121 text/html
1240514814.673    417 icm1512.postalproducts.com TCP_MISS/200 3994 GET http://www.bassind.com/prodimg/hometheatrehp.jpg username DIRECT/65.198.197.121 image/jpeg

1240514824.037    356 icm1512.postalproducts.com TCP_MISS/404 1561 GET http://www.bassind.com/favicon.ico username DIRECT/65.198.197.121 text/html
1240514829.944      0 icm1338.postalproducts.com TCP_IMS_HIT/304 375 GET http://vendornet.americanhotel.com/colors/styles.css username NONE/- text/css
1240514829.946      0 icm1338.postalproducts.com TCP_IMS_HIT/304 391 GET http://vendornet.americanhotel.com/inc/main.js - NONE/- application/x-javascript
1240514829.969      0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET http://vendornet.americanhotel.com/colors/topB.gif username NONE/- image/gif
1240514830.000      0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET http://vendornet.americanhotel.com/Logo/AHLogo.gif - NONE/- image/gif
1240514830.004      0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET http://vendornet.americanhotel.com/colors/liteteal1x1.gif username NONE/- image/gif
1240514830.009      0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET http://vendornet.americanhotel.com/colors/exit.gif - NONE/- image/gif
1240514830.011      0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET http://vendornet.americanhotel.com/colors/topA.gif username NONE/- image/gif
1240514830.015      0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET http://vendornet.americanhotel.com/colors/leftReduce.gif - NONE/- image/gif
1240514830.021      0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET http://vendornet.americanhotel.com/colors/leftExpand.gif username NONE/- image/gif
1240514830.025      0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET http://vendornet.americanhotel.com/Colors/liteteal1x1.gif - NONE/- image/gif
1240514830.029      0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET http://vendornet.americanhotel.com/colors/arrow.gif username NONE/- image/gif
1240514830.034      0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET http://vendornet.americanhotel.com/colors/leftDiv.gif - NONE/- image/gif
1240514830.040      0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET http://vendornet.americanhotel.com/colors/arrowbl.gif username NONE/- image/gif
1240514830.049      0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET http://vendornet.americanhotel.com/colors/tealleft.gif - NONE/- image/gif
1240514830.050      0 icm1338.postalproducts.com TCP_IMS_HIT/304 376 GET http://vendornet.americanhotel.com/colors/leftSpace.gif username NONE/- image/gif
1240514830.070    327 icm1338.postalproducts.com TCP_MISS/200 23941 POST http://vendornet.americanhotel.com/Index.asp jurgitad DIRECT/72.35.92.212 text/html
1240514830.080      0 icm1338.postalproduct
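
The excerpt above is in Squid's native access.log format (time, elapsed ms, client, result code, bytes, method, URL, ident user, hierarchy/peer, content type), and the icm1338 entries show the pattern the original post could not put a finger on: the ident column is populated on every other request within the same second. As an added example for this thread (not Squid code and not from anyone posting here), the script below parses that format, skips lines a mail client wrapped or truncated, and reports per client host how many requests carry an ident user, how many carry "-", and how often the two alternate within one second. SAMPLE_LOG is constructed to mimic the excerpt with placeholder hosts, URLs and user names.

```python
"""Per-client ident coverage report for a Squid native-format access.log.

Added example for this thread, not Squid code. It parses the ten-column
native log format the thread's excerpt is in and reports, per client host,
how many requests carry an ident user, how many carry '-', and how often the
two alternate within one second. SAMPLE_LOG is constructed to mimic the
excerpt (placeholder hosts, URLs and user names).
"""
from collections import defaultdict

# Squid native access.log columns:
# time elapsed client action/code bytes method URL ident hierarchy/peer content-type
FIELDS = ("time", "elapsed", "client", "result", "bytes", "method",
          "url", "ident", "hier", "ctype")

# Constructed sample, shaped like the thread's excerpt; the last line is
# deliberately truncated the way a mail client cut the original.
SAMPLE_LOG = """\
1240514814.201    289 pc-a.example.net TCP_MISS/200 2347 GET http://www.example.com/images/bg.gif alice DIRECT/192.0.2.10 image/gif
1240514814.578    404 pc-a.example.net TCP_MISS/200 544 GET http://www.example.com/images/nav.gif - DIRECT/192.0.2.10 image/gif
1240514814.613   1106 pc-a.example.net TCP_MISS/404 1561 GET http://www.example.com/images/top.gif - DIRECT/192.0.2.10 text/html
1240514814.673    417 pc-a.example.net TCP_MISS/200 3994 GET http://www.example.com/img/a.jpg alice DIRECT/192.0.2.10 image/jpeg
1240514829.944      0 pc-b.example.net TCP_IMS_HIT/304 375 GET http://intranet.example.com/styles.css bob NONE/- text/css
1240514829.946      0 pc-b.example.net TCP_IMS_HIT/304 391 GET http://intranet.example.com/main.js - NONE/- application/x-javascript
1240514829.969      0 pc-b.example.net TCP_IMS_HIT/304 376 GET http://intranet.example.com/topB.gif bob NONE/- image/gif
1240514830.000      0 pc-b.example.net TCP_IMS_HIT/304 376 GET http://intranet.example.com/logo.gif - NONE/- image/gif
1240514830.080      0 pc-b.example.net
"""


def parse_line(line):
    """Split one native-format line into a dict, or return None for a line
    that does not have exactly ten columns (wrapped or truncated lines)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["time"] = float(rec["time"])
        rec["elapsed"] = int(rec["elapsed"])
        rec["bytes"] = int(rec["bytes"])
    except ValueError:
        return None
    return rec


def ident_stats(log_text, window=1.0):
    """Return {client: {"requests", "with_ident", "flips_within_window"}}.

    A "flip" is a request whose ident column is present/absent opposite to
    the previous request from the same client host, less than `window`
    seconds later. Many flips from one host mean that host does answer ident
    queries at least some of the time, so the misses are intermittent per
    lookup rather than a host that never answers at all.
    """
    stats = defaultdict(lambda: {"requests": 0, "with_ident": 0,
                                 "flips_within_window": 0})
    last = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["client"]
        s = stats[host]
        s["requests"] += 1
        present = rec["ident"] != "-"
        if present:
            s["with_ident"] += 1
        prev = last.get(host)
        if prev is not None:
            prev_present = prev["ident"] != "-"
            if present != prev_present and rec["time"] - prev["time"] < window:
                s["flips_within_window"] += 1
        last[host] = rec
    return dict(stats)


def report(log_text):
    """Human-readable summary, one line per client host."""
    lines = []
    for host, s in sorted(ident_stats(log_text).items()):
        pct = 100.0 * s["with_ident"] / s["requests"]
        lines.append(f"{host}: {s['requests']} requests, ident on {s['with_ident']} "
                     f"({pct:.0f}%), {s['flips_within_window']} hit/miss flips within 1s")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the real access.log (`ident_stats(open("/var/log/squid/access.log").read())`), a host with a high flip count and a roughly 50% ident rate is answering queries but not reliably per lookup, whereas a host at 0% either has no ident service listening or refuses to disclose users; the two need different fixes on the client side.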