hello

I have proxy auth turned on here and it uses the squid_ldap_auth and squid_ldap_group helpers to query an Active Directory server with a search for valid credentials and group membership in order to determine access.

All works fine.

Three questions.

Firstly, in the external_acl_type directive, -h hostname defines the Active Directory server to query. Can I specify, for redundancy purposes, more than one hostname?
If not, is there any other way to establish some sort of redundancy?
Can I define external_acl_type twice, each with a different -h hostname specification?
If so, do I then have to have two 'acl aclname external...' directives?


Secondly, I am about to deploy a second squid box for redundancy purposes. How, if at all, is the proxy authentication kept in sync between the two?
If the browser has a config that says try proxyA then proxyB, so it contacts proxyA and does the auth, then proxyA disappears, does the browser have to re-authenticate with proxyB at the next HTTP request, or can the auth data be made available on proxyB?
If so, how?
If it's not kept in sync and the browser must re-authenticate against the second proxy, does this mitigate against an architecture of having a round-robin proxy server arrangement, whereby the browser can be given a different proxy for each request (via RR DNS or other mechanisms)?
For proxy auth scenarios is it recommended that proxies are designated as primary and backup(s) rather than equals?


Lastly (not strictly a squid question), so far we have around 25 users using proxy auth - largely as a testing set - and eventual production will deal with about 1500 users. Of those 25, one Active Directory user does not work. Clearly this is an issue within AD for that userid. Has anyone seen, or does anyone know of, any particular quirks in AD userids that stop it working?
The credentials, user/pass, are accepted (i.e. they are not prompted for again, as in the case of being incorrect) but squid won't accept that the user has access by dint of being in the relevant group, even though they certainly are, and they are redirected in accordance with the squid config to the page that tells them they're not allowed. Weird. I have tried turning on squid debugging and have also sniffed the traffic to/from AD, but no real clues.


many thanks

rolf.
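For readers following the setup described above, here is an added squid.conf fragment (not the poster's configuration) that wires squid_ldap_auth and squid_ldap_group to an AD server the way the post describes. The hostnames, base DN, bind account and group DN are constructed placeholders; the -D/-w bind-account options are assumed from the helpers' documented option set, and the second -h on each helper line assumes the helpers accept a repeated -h for a fallback server (check your helper's man page before relying on that).

```conf
# Added illustration, not the original poster's config.
# Basic auth against AD: user/password is checked by squid_ldap_auth.
# dc1/dc2 are placeholder domain controllers; the bind account is read-only.
auth_param basic program /usr/lib/squid/squid_ldap_auth \
    -R -b "dc=example,dc=local" \
    -D "cn=squid-bind,cn=Users,dc=example,dc=local" -w "BIND_PASSWORD_PLACEHOLDER" \
    -f "sAMAccountName=%s" \
    -h dc1.example.local -h dc2.example.local
auth_param basic children 10
auth_param basic realm Proxy
auth_param basic credentialsttl 1 hour

# Group check: squid_ldap_group looks up the authenticated login (%LOGIN)
# and tests membership of the group DN passed as the ACL argument.
external_acl_type ldap_group ttl=300 negative_ttl=60 %LOGIN \
    /usr/lib/squid/squid_ldap_group \
    -R -b "dc=example,dc=local" \
    -D "cn=squid-bind,cn=Users,dc=example,dc=local" -w "BIND_PASSWORD_PLACEHOLDER" \
    -f "(&(sAMAccountName=%v)(memberOf=%g))" \
    -h dc1.example.local -h dc2.example.local

# One external ACL per group DN that is allowed out.
acl proxy_users external ldap_group "cn=ProxyUsers,ou=Groups,dc=example,dc=local"
acl authenticated proxy_auth REQUIRED

# Authenticated users who are in the group are allowed; everyone else is
# sent to the deny page by the deny_info redirect.
deny_info http://intranet.example.local/proxy-denied.html proxy_users
http_access allow authenticated proxy_users
http_access deny all
```

Because the group decision is cached for ttl seconds per login, a membership change in AD is not seen by squid until the cache entry expires; when debugging a single user who is denied, compare the exact %v/%g values in cache.log against an ldapsearch run with the same bind account.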


