On Thu, 10 Sep 2009 10:55:58 +1000, "Dion Beauglehall"
<BeauglehallD_at_vermontsc.vic.edu.au> wrote:
> Hi,
>
> I’m configuring a squid proxy box with LDAP authentication, and ACLs based
> on LDAP groups. I have the LDAP authentication working, as are groups.
>
> However, when I add a user to an “Access Denied” group, squid then causes
> the browser to bring up an authentication dialog box. Most squid installs I
> have seen bring up a squid “Cache Access Denied” screen at this point.
> This is what I would like it to do.
>
> I am unsure if what I am experiencing is expected behaviour, or whether I
> have an error in my config file.
>
> I am running Squid 2.7STABLE6 on a Windows 2008 server. Relevant lines
> from squid.conf are below. Note that the LDAP works correctly, and so I
> have not provided details. What is not acting as I expected is the
> behaviour of Squid when it hits the “http_access deny accessdenied” line.
> This seems to be what re-challenges the browser.
>
> As we are a school, we need to ensure that both the user is a valid user
> (from the initial challenge, which collects their machine login, invisible
> to the user), and that they have not been denied for some reason (hence the
> denied group). The re-challenge will lead to students logging into squid
> with their friends' account. A Cache Access Denied screen is a much better
> alternative.
Yes, it was a config issue.
Re-writing your ACLs slightly to follow that exact logic as described above
should solve your problem.
>
> Note that once I have this working, there will be other “denied” groups to
> deny on, prior to allowing access.
>
> Any suggestions or ideas are appreciated.
>
> Regards,
> Dion
>
>
> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ......
> auth_param basic children 5
> auth_param basic realm VSC
> auth_param basic credentialsttl 5 minutes
>
> external_acl_type ldapgroup &LOGIN ......
>
> acl ldap-auth proxy_auth REQUIRED
>
> acl accessdenied external ldapgroup InternetAccessDeny
> acl accessallowed external ldapgroup InternetAccess
>
> http_access deny accessdenied
Change the above line to:
http_access deny accessdenied all
... which will produce the "Access Denied" page instead of a challenge.
Any other denied groups need to go in here one to a line with "all" at the
end of each line.
After all of them add a new line:
http_access deny !ldap-auth
... which will cause Squid to challenge if no credentials are given yet.
People who have given _any_ valid credentials will not be asked twice.
This action was being done as a side-effect of the accessdenied ACL test, but
with the new version it needs to be done separately.
> http_access allow accessallowed
> http_access deny all
Amos
Received on Thu Sep 10 2009 - 01:30:00 MDT
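The behaviour Amos describes comes down to one rule: when a deny line matches, Squid sends a 407 challenge if the last ACL on that line is authentication-related (a proxy_auth ACL, or an external ACL keyed on the login name), and the 403 "Access Denied" page otherwise. The following toy evaluator is an added illustration written for this page, not Squid's code and not part of the thread; the users, passwords and group memberships are constructed, and the simplification that a login-keyed ACL simply fails to match when no credentials are present is an assumption of the model. It runs the poster's original ordering and Amos's corrected ordering side by side.

```python
"""Toy model of Squid's http_access evaluation (constructed illustration,
not Squid's own code).

Rule modelled: when a deny line matches, Squid sends a 407 challenge if the
last ACL on that line is authentication-related (proxy_auth, or an external
ACL keyed on %LOGIN); otherwise it serves the 403 "Access Denied" page.
Assumption of the model: with no credentials present, an auth-related ACL
simply fails to match, so the challenge comes from an explicit deny line.
"""
from dataclasses import dataclass

# Constructed stand-ins for the password store and the LDAP directory.
PASSWORDS = {"alice": "alice-pw", "bob": "bob-pw"}
GROUPS = {
    "alice": {"InternetAccess"},
    "bob": {"InternetAccess", "InternetAccessDeny"},  # bob was put in the deny group
}


@dataclass(frozen=True)
class Acl:
    name: str
    kind: str        # "proxy_auth", "external" (uses %LOGIN) or "all"
    group: str = ""  # group name for external ACLs

    @property
    def auth_related(self) -> bool:
        # These are the ACL types whose denial makes Squid re-challenge.
        return self.kind in ("proxy_auth", "external")


def _authenticated(creds) -> bool:
    return creds is not None and PASSWORDS.get(creds[0]) == creds[1]


def acl_matches(acl: Acl, creds) -> bool:
    if acl.kind == "all":
        return True
    if acl.kind == "proxy_auth":
        return _authenticated(creds)
    if acl.kind == "external":
        # %LOGIN external ACL: without a valid login the group lookup cannot match
        return _authenticated(creds) and acl.group in GROUPS.get(creds[0], set())
    raise ValueError(f"unknown ACL kind {acl.kind}")


def http_access(rules, acls, creds):
    """Return 'ALLOW', 403 or 407 for a request carrying the given credentials.

    rules: list of (action, [terms]) in squid.conf order, e.g.
           ("deny", ["accessdenied", "all"]); a leading '!' negates a term.
    Terms on one line are ANDed; the first line that fully matches decides.
    """
    for action, terms in rules:
        last = None
        line_matched = True
        for term in terms:
            negated = term.startswith("!")
            last = acls[term.lstrip("!")]
            if acl_matches(last, creds) == negated:  # this term failed -> line fails
                line_matched = False
                break
        if not line_matched:
            continue
        if action == "allow":
            return "ALLOW"
        return 407 if last.auth_related else 403
    # No line matched: Squid applies the opposite of the last line's action.
    return "ALLOW" if rules[-1][0] == "deny" else 403


ACLS = {
    "ldap-auth": Acl("ldap-auth", "proxy_auth"),
    "accessdenied": Acl("accessdenied", "external", "InternetAccessDeny"),
    "accessallowed": Acl("accessallowed", "external", "InternetAccess"),
    "all": Acl("all", "all"),
}

# The poster's ordering: the deny line ends in a %LOGIN-keyed ACL.
ORIGINAL = [
    ("deny", ["accessdenied"]),
    ("allow", ["accessallowed"]),
    ("deny", ["all"]),
]

# The reply's ordering: "all" terminates the deny line, and the challenge for
# requests without credentials is requested by its own line.
CORRECTED = [
    ("deny", ["accessdenied", "all"]),
    ("deny", ["!ldap-auth"]),
    ("allow", ["accessallowed"]),
    ("deny", ["all"]),
]

if __name__ == "__main__":
    bob = ("bob", "bob-pw")
    print("original,  denied-group user:", http_access(ORIGINAL, ACLS, bob))   # 407 (re-challenge)
    print("corrected, denied-group user:", http_access(CORRECTED, ACLS, bob))  # 403 (Access Denied page)
    print("corrected, no credentials   :", http_access(CORRECTED, ACLS, None)) # 407 (initial challenge)
    print("corrected, allowed user     :", http_access(CORRECTED, ACLS, ("alice", "alice-pw")))
```

Running it shows the denied-group user getting 407 under the original ordering and 403 under the corrected one, while a request with no credentials still receives the 407 from the `deny !ldap-auth` line and a user in the allowed group passes through.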