[squid-users] deny access with squid_ldap_group

From: <vincent.blondel_at_ing.be>
Date: Wed, 16 Sep 2009 10:32:19 +0200

Hello,

I am trying to block Internet access for people who are members of one
specific AD Security group called GSIFBENoInternetAccess, but I am having
some issues with it.

When I try the squid_ldap_group process from the shell, the mechanism
works well. My service account correctly queries our Active Directory
and gives the right response ERR/OK.

When I try this mechanism from the squid process, allow/deny works well,
but before being blocked by squid_ldap_group I also receive an
authentication popup box. I simply press CANCEL and receive the
personalized error page.

I have read on the net that this may come from multiple authentication,
but I do not see this in my case, and if this is the case, thanks for
explaining to me what is wrong with this. Is this coming from the line
with ntlmauth just afterwards, and how is it possible to make this work
without the authentication box?

# my config

...
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 32
auth_param ntlm keep_alive on
acl ntlmauth proxy_auth REQUIRED
...
external_acl_type gg_nointernet ttl=3600 children=8 %LOGIN /usr/local/bin/squid_ldap_group ... -p 389 -P -t 2 -c 3 -R -S +
acl GSIFBENoInternetAccess external gg_nointernet GSIFBENoInternetAccess
...
http_access deny GSIFBENoInternetAccess
deny_info ERR_LDAP GSIFBENoInternetAccess
http_access allow ntlmauth
http_reply_access allow all
http_access deny all

Many thanks for helping me.
Vincent.
Received on Wed Sep 16 2009 - 08:32:28 MDT