Squid: The Definitive Guide - Duane Wessels [114]

to a helper when it needs a new challenge token. This is always the first communication between the two processes. It may also occur at any time that Squid needs a new challenge, due to the auth_param max_challenge_lifetime and max_challenge_uses parameters. The helper should respond with a TT message.

TT challenge

A helper sends this message back to Squid and includes a challenge token. It is sent in response to a YR request. The challenge is base64-encoded, as defined by RFC 2045.

KK credentials

Squid sends this to a helper when it wants to authenticate a user's credentials. The helper responds with either AF, NA, BH, or LD.

AF username

The helper sends this message back to Squid when the user's authentication credentials are valid. The helper sends the username with this message because Squid doesn't try to decode the NTLM Authorization header.

NA reason

The helper sends this message back to Squid when the user's credentials are invalid. It also includes a "reason" string that Squid can display on an error page.

BH reason

The helper sends this message back to Squid when the validation procedure fails. This might happen, for example, when the helper process is unable to communicate with a Windows NT domain controller. Squid rejects the user's request.

LD username

This helper-to-Squid response is similar to BH, except that Squid allows the user's request. Like AF, it returns the username. To use this feature, you must compile Squid with the --enable-ntlm-fail-open option.

Since this protocol is relatively complicated, you'll probably be better off to start with one of the two skeleton authenticators included in the Squid source distribution. The no_check helper is written in Perl, and fakeauth is written in C. You can find them in the helpers/ntlm_auth directory.

* * *

[2] NTLM apparently stands for "NT LanMan" or perhaps "NT Lan Manager."

External ACLs

As of Version 2.5, Squid includes a new feature known as external ACLs. These are ACL elements that are implemented in external helper processes. You instruct Squid to write certain information to the helper, which then responds with either OK or ERR. Refer to Section 6.1.3 for a description of the external_acl_type syntax. Here, I'll only discuss the particular external ACL helper programs that come with the Squid source code.

ip_user

./configure --enable-external-acl-helpers=ip_user

This helper reads usernames and client IP addresses as input. It checks the two values against a configuration file to decide whether or not the combination is valid. To use this ACL helper, you would add lines like this to squid.conf:

external_acl_type ip_user_helper %SRC %LOGIN /usr/local/squid/libexec/ip_user -f /usr/local/squid/etc/ip_user.conf

acl AclName external ip_user_helper

%SRC is replaced with the client's IP address and %LOGIN is replaced with the username for each request. The ip_user.conf configuration file has the following format:

ip_addr[/mask] user|@group|ALL|NONE

For example:

127.0.0.1 ALL
192.168.1.0/24 bob
10.8.1.0/24 @lusers
172.16.0.0/16 NONE

This configuration file causes ip_user to return OK for any request coming from 127.0.0.1, for Bob's requests coming from the 192.168.1.0/24 network, and for any name in the lusers group when the request comes from the 10.8.1.0/24 network. It returns ERR for any request from the 172.16.0.0/16 network, and also for any address and username pair that doesn't appear in the list.
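As an added example (not from the book and not the Squid project's own ip_user.c), the following Python models the decision the helper makes for each %SRC/%LOGIN pair against the rules above. It assumes that rules are scanned in file order, that NONE denies while ALL, a matching user or a matching @group grants, that a rule whose address matches but whose user or group does not is skipped, and that group membership comes from a constructed table rather than the system group database.

```python
import ipaddress

# Constructed sample in the ip_user.conf format described in the text:
# ip_addr[/mask] user|@group|ALL|NONE, one rule per line.
SAMPLE_CONF = """\
127.0.0.1 ALL
192.168.1.0/24 bob
10.8.1.0/24 @lusers
172.16.0.0/16 NONE
"""

# Assumption: group membership is looked up in this constructed table,
# not in the system group database that the real helper would consult.
GROUPS = {"lusers": {"alice", "carol"}}

def parse_conf(text):
    """Turn ip_user.conf text into (network, target) rules; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, target = line.split()[:2]
        # A bare address (no /mask) becomes a single-host network.
        rules.append((ipaddress.ip_network(addr, strict=False), target))
    return rules

def check(rules, src, login, groups=GROUPS):
    """Decide OK/ERR for one %SRC/%LOGIN pair (semantics as assumed in the lead-in)."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "ERR"  # a malformed address must never be granted
    # Scan in file order: NONE denies, ALL/user/@group grants, other rules are skipped.
    for net, target in rules:
        if ip not in net:
            continue
        if target == "NONE":
            return "ERR"
        if target == "ALL" or target == login:
            return "OK"
        if target.startswith("@") and login in groups.get(target[1:], ()):
            return "OK"
    return "ERR"

def answer(rules, request_line):
    """Reply to one helper protocol line: '<%SRC> <%LOGIN>' -> 'OK' or 'ERR'."""
    parts = request_line.split()
    return check(rules, parts[0], parts[1]) if len(parts) == 2 else "ERR"
```

A real helper would loop over stdin calling answer() for each line Squid writes and print the reply, flushing after every line so Squid is not left waiting.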

ldap_group

./configure --enable-external-acl-helpers=ldap_group

This helper determines whether or not a user belongs to a particular LDAP group. You specify the LDAP group names on the acl line. It might look like this in your configuration file:

external_acl_type ldap_group_helper %LOGIN /usr/local/squid/libexec/squid_ldap_group -b "ou=people,dc=example,dc=com" ldap.example.com

acl AclName external ldap_group_helper GroupRDN ...

Note that you must have the OpenLDAP (http://www.openldap.org) libraries installed on your system to compile the squid_ldap_group helper program.

unix_group
