dansguardian · A public mailing list to discuss all aspects of DansGuardian
Message #23014 of 23408
Re: [dansguardian] Re: NTLM and IP Auth



asotopetris wrote :
>
>
>
> Thank you for your reply Klaas, I have the following:
>
> acl unfiltered src 192.168.0.168/32
> acl net_servidores src 192.168.1.0/24
> acl authenticated proxy_auth REQUIRED
>
> http_access allow unfiltered
> http_access allow net_servidores
> http_access allow authenticated

Seems correct.

> 192.168.0.168 is a computer NOT in AD and defined in
> filtergroup2 (unfiltered) in DG. But when I surf the web, squid requests
> a user/password to authenticate. I don't want this, and it happens with the
> above configuration.
> Users in AD are authenticated properly and assigned to defined group in
> filtergrouplist.
>
> If I return to my current configuration, IP auth only, everything is ok.


I don't understand why:
* when you disable auth plugins in dansguardian.conf you are not
prompted for auth by squid
* when you enable auth plugins in dansguardian.conf you are prompted for
auth by squid
This is not logical to me because auth is squid dependent, so a
modification in dansguardian's conf shouldn't have an effect on the auth
process.

I would have begun by using squid directly in order to fix squid
configuration problems:
* being sure that you're prompted for user/pass (or ntlm auth) when
surfing from other computers than "servidores" or "unfiltered". In all
cases you should see usernames in squid's access.log
* being sure that you're NOT prompted for user/pass (nor ntlm auth) when
surfing from "unfiltered" and from "servidores". You should not see
usernames in squid's access.log.

Once squid is correctly configured, add DansGuardian and configure it to
do what you want.


Hope this helps.


> I check squid.conf with squid -z after any change and before restarting
> the squid service.
>
> --- In dansguardian@yahoogroups.com, walou <c.walou@...> wrote:
> >
> > I think you should play with IP ranges in squid.conf :
> > * machine in AD in IP range 192.168.0.1 => 192.168.0.100
> > * machine NOT in AD in IP range 192.168.0.101 => 192.168.0.200
> > * define an ACL for the subnet not_ad_machines
> > * allow not_ad_machines without password
> > * ask for password for the rest of the subnet
> >
> > acl password proxy_auth REQUIRED
> > acl not_ad_machines src 192.168.0.101-192.168.0.200/32
> >
> > http_access allow not_ad_machines
> > http_access allow password
> >
> >
> > should work, assuming you've configured an "auth_param" higher in squid.conf.
> >
> >
> > Klaas
> >
> >
> >
> > asotopetris wrote :
> > >
> > >
> > >
> > > Hi, I have DansGuardian 2.9.9.7 and Squid 2.6.STABLE18 and want to deploy
> > > NTLM Auth only for special users; any other could be authenticated by IP
> > > (this because some clients are logged into Active Directory domain and
> > > some aren't). I've configured NTLM and IP Auth separately and everything
> > > works very well with each. The problem is when I try to work with both.
> > > The main problem is with users who aren't in the domain; they're
> > > requested user/password to proxy auth, and get Squid page "Cache Access
> > > Denied" because they don't have user/passwd to type.
> > >
> > > The ideal environment for me is:
> > > Users in domain get identified against squid and DG with NTLM and
> > > assigned to specific group (privileged group – f3 or f4).
> > > Users not in domain get identified by their IP address and assigned to
> > > specific group (f2).
> > > Users not in domain and their IP not in specific group go to
> > > filtergroup1 (Blanket Block).
> > > Considerations: All computers are in the same subnet and IP assigned
> > > with DHCP dynamically.
> > >
> > > squid.conf
> > > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > > auth_param ntlm children 30
> > > auth_param ntlm keep_alive on
> > >
> > > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > > auth_param basic realm DansGuardian
> > > auth_param basic children 5
> > > auth_param basic credentialsttl 2 hours
> > >
> > > acl authenticated proxy_auth REQUIRED
> > > acl our_networks src 192.168.0.0/24
> > > http_access allow our_networks
> > > http_access allow authenticated
> > > http_access allow localhost
> > >
> > > dansguardian.conf
> > > authplugin = '/etc/dansguardian/authplugins/ip.conf'
> > > authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
> > > authplugin = '/etc/dansguardian/authplugins/proxy-ntlm.conf'
> > >
> > > I really thank you for your help and advice.
> > >
> > > Alejandro S. P.
> > >
> > >



Fri Jul 10, 2009 7:59 am

dr_gquil
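
The access.log check recommended in the reply above, as an added example that is not part of the original thread: it reads Squid native-format log lines and reports exempt clients that were challenged or logged with a username, and other clients that were served without one. The log lines and the username are constructed, the exempt networks are the two `src` ACLs quoted in the thread, and the field positions assume Squid's default native log format.

```python
import ipaddress

# Source ACLs quoted in the thread: these clients must never be challenged.
EXEMPT = [ipaddress.ip_network(n) for n in ("192.168.0.168/32", "192.168.1.0/24")]

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1247212740.101    12 192.168.0.168 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1247212741.250     1 192.168.0.50 TCP_DENIED/407 1810 GET http://example.com/ - NONE/- text/html
1247212741.900    35 192.168.0.50 TCP_MISS/200 5120 GET http://example.com/ jdoe DIRECT/93.184.216.34 text/html
1247212742.300     1 192.168.0.168 TCP_DENIED/407 1810 GET http://example.org/ - NONE/- text/html
1247212743.000    20 192.168.0.77 TCP_MISS/200 900 GET http://example.org/ - DIRECT/93.184.216.34 text/html
1247212744.000    18 192.168.1.10 TCP_HIT/200 900 GET http://example.org/ - NONE/- text/html
"""

def is_exempt(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in EXEMPT)

def audit(log_text):
    """Return (client, problem) findings for lines that break the expected policy."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # not a native-format line
        client, result, user = fields[2], fields[3], fields[7]
        code, _, status = result.partition("/")
        if is_exempt(client):
            if status == "407":
                findings.append((client, "exempt client was challenged (407)"))
            elif user != "-":
                findings.append((client, "exempt client logged with username " + user))
        elif status != "407" and not code.endswith("DENIED") and user == "-":
            # A 407 for other clients is the normal first step of proxy auth.
            findings.append((client, "request allowed without a username"))
    return findings

if __name__ == "__main__":
    for client, problem in audit(SAMPLE_LOG):
        print(client, problem)
```

A 407 logged for an exempt address means an `http_access` rule that needs `proxy_auth` was evaluated before the `src` rule matched; an allowed request with `-` in the user field from any other address means a `src` rule is wider than intended.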
Messages in this thread:

asotopetris, Jul 1, 2009 9:10 pm
Hi I have DansGuardian 2.9.9.7 and Squid 2.6.STABLE18 and want to deploy NTLM Auth only for special users any other could be authenticated by IP (this because...

walou (dr_gquil), Jul 7, 2009 8:35 am
I think you should play with IP ranges in squid.conf : * machine in AD in IP range 192.168.0.1 => 192.168.0.100 * machine NOT in AD in IP range 192.168.0.101...

asotopetris, Jul 8, 2009 3:47 pm
Thank you for your reply Klaas, I have the following: acl unfiltered src 192.168.0.168/32 acl net_servidores src 192.168.1.0/24 acl authenticated proxy_auth...

walou (dr_gquil), Jul 10, 2009 8:00 am
... Seems correct. ... I don't understand why : * when you disable auth plugins in dansguardian.conf you are not prompted for auth by squid * when you enable...

asotopetris, Jul 10, 2009 4:11 pm
Hi, I test the following configuration in squid.conf yesterday: http_access allow unfiltered http_access allow net_servidores http_access allow localhost ...