Has anyone set up a Squid proxy to authenticate users against an Active Directory and check not only username and password, but also check for membership in a given group? If so, can you lend some assistance?

Thanks

Blake Parker, Network Administrator
Alacare Home Health & Hospice
4752 Hwy 280 East
Birmingham, AL 35242
(205) 981-8648, Beeper: (205) 501-0408
bparker@alacare.com
I configured and used Squid with the SMB authenticator at my last job.

http://www.hacom.nl/~richard/software/smb_auth.html

I had a Samba 2.2 domain controller. All staff that were provided internet access were members of an "internet" group. I created the proxyauth file as per the authenticator instructions, and made it owned by the "internet" group. Then I assigned permissions 440 to that file, so anyone not in the "internet" group would be unable to access it.

I don't know if this will work in an Active Directory arrangement, though, as I've never fiddled with it.

Cheers,
Scott

----- Original Message -----
From: "Parker Blake MIS" <bparker@alacare.com>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, February 27, 2002 3:27 PM
Subject: [Shorewall-users] Off Topic Question

> Has anyone set up a Squid proxy to authenticate users against an Active
> Directory and check not only username and password, but also check for
> membership in a given group? If so, can you lend some assistance?
>
> Thanks
>
> Blake Parker, Network Administrator
> Alacare Home Health & Hospice
> 4752 Hwy 280 East
> Birmingham, AL 35242
> (205) 981-8648, Beeper: (205) 501-0408
> bparker@alacare.com
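The group check in Scott's setup is not done by the authenticator itself; it falls out of the Unix permission bits on the proxyauth file, which smb_auth reads from the netlogon share as the user being authenticated. The following added example (not code from the thread, from Squid or from smb_auth) models that discretionary access check so the effect of mode 440 versus a world-readable file is explicit. The account table, the file metadata and the `authenticate` wrapper are constructed for illustration; the real domain logon is not performed here and is stood in for by a boolean.

```python
# Added illustration of the "proxyauth owned by group internet, mode 440"
# trick described above. Not part of smb_auth or Squid.
import stat

# Constructed sample accounts: uid plus the set of groups each belongs to.
INTERNET_GID = 1001
USERS = {
    "alice": {"uid": 2001, "gids": {100, INTERNET_GID}},  # granted web access
    "bob":   {"uid": 2002, "gids": {100}},                # not in "internet"
    "root":  {"uid": 0,    "gids": {0}},
}

# Constructed metadata for the proxyauth file as Scott configured it:
# owned by root, group "internet", mode 440 (r--r-----).
PROXYAUTH_440 = {"uid": 0, "gid": INTERNET_GID, "mode": 0o440}

# Weak variant for comparison: mode 444 makes the file readable by everyone,
# so group membership no longer gates access.
PROXYAUTH_444 = {"uid": 0, "gid": INTERNET_GID, "mode": 0o444}


def can_read(file_meta, uid, gids):
    """True if a process running as (uid, gids) may read the file.

    Mirrors the kernel's discretionary access check: uid 0 bypasses the mode
    bits; otherwise exactly one triplet (owner, group, other) applies, chosen
    in that order, and only its read bit is consulted."""
    if uid == 0:
        return True
    mode = file_meta["mode"]
    if uid == file_meta["uid"]:
        return bool(mode & stat.S_IRUSR)
    if file_meta["gid"] in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def authenticate(username, password_ok, file_meta=PROXYAUTH_440, users=USERS):
    """Decision the helper would return to Squid: "OK" or "ERR".

    password_ok stands in for the domain logon result (constructed here, not
    performed). Even with a correct password, the user must be able to read
    proxyauth, which with mode 440 means membership in the owning group."""
    if not password_ok or username not in users:
        return "ERR"
    u = users[username]
    return "OK" if can_read(file_meta, u["uid"], u["gids"]) else "ERR"


if __name__ == "__main__":
    for name in USERS:
        print(name, authenticate(name, True))
```

Running the block shows alice getting `OK` and bob getting `ERR` against the 440 file, while the same call with `PROXYAUTH_444` lets bob through as well: the read bit for "other" is what a loose mode hands to every authenticated domain account.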
I'm using the three-interface templates with one Shorewall box rather than two separate firewall boxes. The only thing I have in my DMZ is an ftp server.

I'd like to be able to email all the root mail to a central mail server within the LOC portion of my network. The reason is I'm lazy, and would like to collect all my system status emails from all the local *nix boxes into one email box rather than monitor different login accounts on 7-10 separate machines.

In going over the /etc/params file, there isn't a "DMZ_LOC_TCP=" line, or a "DMZ_LOC_PORTS1=". So, since the easy and obvious way doesn't seem to be there, what are some of the more esoteric methods to open up a small hole between my DMZ and my LOC segments?

Gar
Gar Nelson wrote:

> I'm using the three-interface templates with one Shorewall box rather than two
> separate firewall boxes.

I can't comment on the three-interface setup, since I don't use it (the parameterised approach spoils the beauty of Shorewall, IMHO :-), but I do have some suggestions.

> The only thing I have in my DMZ is an ftp server.
>
> I'd like to be able to email all the root mail to a central mail server within
> the LOC portion of my network. The reason is I'm lazy, and would like to
> collect all my system status emails from all the local *nix boxes into one
> email box rather than monitor different login accounts on 7-10 separate
> machines.

It's not laziness, it's centralized management. Reading all your root mail from one place is the only efficient way to run a network.

> So, since the easy and obvious way doesn't seem to be there, what are some of
> the more esoteric methods to open up a small hole between my DMZ and my LOC
> segments?

One thing you might want to consider is using POP3 from the internal LAN to the DMZ server to get root's mail. That way you control the connection from the internal LAN.

I also recommend putting in aliases for all the system accounts (i.e. sys, bin, www, etc.) which forward their mail to root on the DMZ box, so that you can collect the mail (if any) for all accounts on the system in one hit.

Paul
http://paulgear.webhop.net
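The two ways of crossing the DMZ/LOC boundary discussed in Gar's question and Paul's reply can both be expressed as ordinary entries in the Shorewall rules file rather than through the params variables of the three-interface template. The fragment below is an added example, not configuration from the thread or from the Shorewall project; it assumes the zone names `loc` and `dmz` and the rules-file column layout (ACTION, SOURCE, DEST, PROTO, DEST PORT) of a Shorewall of that era, and the host addresses are constructed placeholders.

```text
# Added example: /etc/shorewall/rules entries for the options discussed above.
# Zone names and column layout are assumed; 192.168.1.10 (internal mail host)
# and 10.0.0.5 (DMZ ftp server) are constructed placeholder addresses.
#
#ACTION   SOURCE              DEST                PROTO   DEST PORT(S)

# Paul's suggestion: the internal host pulls root's mail from the DMZ box over
# POP3, so the only connection crossing the boundary is opened from loc and
# nothing new is allowed to originate in the DMZ.
ACCEPT    loc:192.168.1.10    dmz:10.0.0.5        tcp     110

# Gar's original idea, pinned to one host and one port: let the DMZ ftp server
# deliver root mail by SMTP to a single internal relay, and nothing else.
# Left commented out; enable one approach, not both.
#ACCEPT   dmz:10.0.0.5        loc:192.168.1.10    tcp     25
```

Restricting both SOURCE and DEST to single hosts is what keeps the hole small: a rule written as plain `dmz` to `loc` would let a compromised DMZ machine reach every internal host on that port, while the POP3 variant keeps the initiating side inside the trusted network.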