Re: [squid-users] authenticate_ttl not working

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 10 Dec 2002 02:27:14 +0100

On Tuesday 10 December 2002 02.01, Lee, Jason wrote:

> I am unsure how the external_acl_type fits in with the current
> auth_param. How/Where do you actually specify a group to check if
> you are a member. How do you get a custom error message back to
> the browser.

Both proxy_auth and external_acl_type using %LOGIN in the format
specification is users of the authentication schemes configured by
auth_param.

proxy_auth matches individual user names.

external_acl_type sends the configured data (username + group for
group helpers) external helper which is responsible for verifying if
the data is true or false.

In both cases the user will be asked to authenticate himself if not
yet authenticated.

The group to check membership can either be specifiec in the
external_acl_type directive as command line options to the selected
helper, or more preferred via the acl diretive conneting to the
external_acl_type. By using the acl directive for specifying the
group(s) you can reuse the same external_acl_type definition for
multiple different groups, hence the name "external_acl_type"
(defines a new type of acl, using a helper to verify it it is a match
or not).

Returing custom error messages is done by the deny_info directive.
Works identical for all the acl types except for a small difference
on proxy_auth type acls where the user will be asked to
reauthenticate if denied by a proxy_auth type acl and the custom
message is only visible if the login request is cancelled (does not
external acls at this time. there the user will simply be denied
access).

Regards
Henrik
Received on Mon Dec 09 2002 - 18:27:12 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:56 MST