Upgrade mswin_sspi_auth to ntlm_sspi_auth

[thirdparty/squid.git] / helpers / ntlm_auth / SSPI / ntlm_sspi_auth.8

.if !'po4a'hide' .TH ntlm_sspi_auth.exe 8
.
.SH NAME
.if !'po4a'hide' .B ntlm_sspi_auth.exe
.if !'po4a'hide' \-
Native Windows NTLM/NTLMv2 authenticator for Squid with
automatic support for NTLM NEGOTIATE packets.
.PP
Version 1.22
.
.SH SYNOPSIS
.if !'po4a'hide' .B ntlm_sspi_auth.exe
.if !'po4a'hide' .B "[\-dhv] [\-A "
Group Name
.if !'po4a'hide' .B "] [\-D "
Group Name
.if !'po4a'hide' .B "]"
.
.SH DESCRIPTION
.B ntlm_sspi_auth.exe
is an installed binary built on Windows systems. It provides native access to the
Security Service Provider Interface of Windows for authenticating with NTLM / NTLMv2.
It has automatic support for NTLM NEGOTIATE packets.
.
.SH OPTIONS
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-d
Write debug info to stderr.
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info using stderr.
.if !'po4a'hide' .B \-v
Enables verbose NTLM packet debugging.
.if !'po4a'hide' .B \-A
Specify a Windows Local Group name allowed to authenticate.
.if !'po4a'hide' .B \-D
Specify a Windows Local Group name which is to be denied authentication.
.
.SH CONFIGURATION
.PP Allowing Users
.PP
Users that are allowed to access the web proxy must have the Windows NT
User Rights "logon from the network".
.PP
Optionally the authenticator can verify the NT LOCAL group membership of
the user against the User Group specified in the Authenticator's command
line.
.PP
This can be accomplished creating a local user group on the NT machine,
grant the privilege, and adding users to it, it works only with MACHINE
Local Groups, not Domain Local Groups.
.PP
Better group checking is available with External Acl, see mswin_check_group
documentation.
.PP
.B squid.conf
typical minimal required changes:
.if !'po4a'hide' .RS
.if !'po4a'hide' auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
.if !'po4a'hide' auth_param ntlm children 5
.if !'po4a'hide' 
.if !'po4a'hide' acl password proxy_auth REQUIRED
.if !'po4a'hide' 
.if !'po4a'hide' http_access allow password
.if !'po4a'hide' http_access deny all
.
.PP Refer to Squid documentation for more details.
.
.PP
Internet Explorer has some problems with 
.B ftp:// 
URLs when handling internal Squid FTP icons.
The following 
.B squid.conf 
ACL works around this when placed before the authentication ACL:
.if !'po4a'hide' .RS
.if !'po4a'hide' acl internal_icons urlpath_regex -i /squid-internal-static/icons/
.if !'po4a'hide' 
.if !'po4a'hide' http_access allow our_networks internal_icons
.
.SH AUTHOR
This program was written by
.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
.PP
Based on prior work in by
.if !'po4a'hide' .I Francesco Chemolli <kinkie@squid-cache.org>
.if !'po4a'hide' .I Robert Collins <lifeless@squid-cache.org>
.PP
This manual was written by
.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
.if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org>
.
.SH COPYRIGHT
This program and documentation is copyright to the authors named above.
.PP
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
.
.SH QUESTIONS
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid-users@squid-cache.org>
.
.SH REPORTING BUGS
Bug reports need to be made in English.
See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
Report bugs or bug fixes using http://bugs.squid-cache.org/
.PP
Report serious security bugs to
.I Squid Bugs <squid-bugs@squid-cache.org>
.PP
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid-dev@squid-cache.org>
.
.SH SEE ALSO
.if !'po4a'hide' .BR squid "(8), "
.if !'po4a'hide' .BR GPL "(7), "
.br
The Squid FAQ wiki
.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
.br
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid-cache.org/Doc/config/