Sessler, Enrico wrote:
>
> below an example line from squid's "access.log".
>
> You see after the URL "users\deiense". This is my domain\uid
> and I assume that this string is sent to squidGuard as uid.
>
> ######## access.log #############
> 1047457650.107 3914 10.80.9.106 TCP_MISS/200 52472 GET
> http://www.cnn.com/ users\deiense DIRECT/64.236.16.20 text/html
> #################################

Thanks for that example. I read your example too quickly the first time and I went off and tested squidGuard with "users/deiense" instead of "users\deiense". Did you know that everything would work fine if squid was sending "users\deiense"? squidGuard will accept it and will properly match it in requests from squid. We might want to keep that in mind.

I found a recent discussion thread in the squid-users mailing list on this topic. I'll reproduce the messages (minus email addresses) here (you can get the email addresses from the squid-users archive):

--------------------------------
Subject: [squid-users] ntlm and domain\user
From: "Prasanta kumar Panda"
Date: 2003-03-03 3:56:41

Hi All,

I tried NTLM Authentication today and it worked fine. But all my basic users become domain\user in access.log and ident sent to squidGuard process as the squidGuard restrictions are ident dependent.

Just wondering if squid can be configured to strip the domain part so that I need not have to maintain two sets of users i.e. user and domain\user in my access files both for squid as well as squidGuard.

I need to support both NTLM as well as Basic Authentication and I have a very huge userlist already and with this the list will get doubled.

Reg.
Prasanta

--------------------------------
Subject: Re: [squid-users] ntlm and domain\user
From: Henrik Nordstrom
Date: 2003-03-03 10:12:42

Your problem can be solved by a little coding in either

a) Squid, to strip out well known domains from NTLM authentication.
b) In SquidGuard, to do the same..
c) In a glue between Squid and SquidGuard, to do the same..

Regards
Henrik

--------------------------------
Subject: RE: [squid-users] ntlm and domain\user
From: "Prasanta kumar Panda"
Date: 2003-03-04 9:10:33

I chose the option 'a' and modified libntlmssp.c (/helpers/ntlm_auth/SMB) to return 'user' instead of the default 'credentials' and got my things done.

But I don't know if this is the correct way to do this?

Reg.
Prasanta

--------------------------------
Subject: Re: [squid-users] ntlm and domain\user
From: Henrik Nordstrom
Date: 2003-03-04 9:24:46

It is OK if you only have a single domain. If there are domain trusts to other domains then you have lost the ability to differentiate the same user name in the trusted domains from your own domain..

Because of this, the domain component should only be ignored if well known to be the "default domain".

Regards
Henrik

--------------------------------

Hope that helps!

Rick
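
The rule from the last message in the thread (ignore the domain only when it is the known default domain), written as the "glue" of option (c). This is an added example, not code from the thread, Squid or squidGuard. It assumes the Squid redirector line layout `URL client_ip/fqdn ident method`, takes `users` (the domain in the access.log line above) as the default domain, and uses a constructed `PARTNER` domain to stand for a trusted one.

```python
# Added example: strip the domain from the ident only for the default domain.
from urllib.parse import unquote

# Assumption: "users" is the default domain (taken from the access.log line).
DEFAULT_DOMAINS = {"users"}

# Constructed redirector lines; assumed layout: URL client_ip/fqdn ident method
SAMPLE = [
    "http://www.cnn.com/ 10.80.9.106/- users\\deiense GET",
    "http://www.cnn.com/ 10.80.9.106/- PARTNER\\deiense GET",   # trusted domain
    "http://www.cnn.com/ 10.80.9.106/- users%5Cdeiense GET",    # escaped "\"
    "http://www.cnn.com/ 10.80.9.106/- deiense GET",            # Basic auth
]


def split_ident(ident):
    """Return (domain, user); domain is None when no separator is present."""
    decoded = unquote(ident)
    for sep in ("\\", "/"):
        if sep in decoded:
            domain, user = decoded.split(sep, 1)
            return domain, user
    return None, decoded


def normalize_ident(ident, default_domains=DEFAULT_DOMAINS):
    """Drop the domain prefix only when it names a default domain."""
    domain, user = split_ident(ident)
    if domain is None or not user:
        return ident                  # bare user, "-", or malformed: untouched
    if domain.lower() in default_domains:
        return user                   # users\deiense -> deiense
    return ident                      # PARTNER\deiense stays distinct


def rewrite_line(line, default_domains=DEFAULT_DOMAINS):
    """Rewrite the ident (third field) of one redirector request line."""
    fields = line.rstrip("\n").split(" ")
    if len(fields) < 4:
        return line.rstrip("\n")      # unexpected layout: pass through
    fields[2] = normalize_ident(fields[2], default_domains)
    return " ".join(fields)


if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(rewrite_line(sample_line))
```

With this rule the user list needs one bare entry per local account, while an account of the same name from a trusted domain still arrives at squidGuard with its domain prefix and can be given its own policy.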
