Re: [squid-users] deny access with squid_ldap_group

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 19 Sep 2009 01:47:47 +1200

vincent.blondel_at_ing.be wrote:
>>> Hello,
>>>
>>> I am trying to block Internet access for people member of one specific
>>> AD Security group called GSIFBENoInternetAccess but I get some issue
>>> with it.
>>>
>>> When I try the squid_ldap_group process from shell, the mechanism is
>>> working well. my service account correctly requests our Active Directory
>>> and gives the right response ERR/OK.
>>>
>>> When I try this mechanism from squid process, allow/deny is working well
>>> but before being blocked by squid_ldap_group I also receive an
>>> authentication popup box .. I simply press on CANCEL and receive the
>>> personalized error page.
>>>
>>>
>>> I have read on the net this may come from multiple authentication but I
>>> do not see this in my case and if this is the case thks to explain to me
>>> what's wrong with this .. Is this coming from the line with ntlmauth
>>> just afterwards and how is it possible to make this work
>>> without the authentication box ??
>> Yes it is.
>>
>>> # my config
>>>
>>> ...
>>> auth_param ntlm program /usr/local/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 32
>>> auth_param ntlm keep_alive on
>>> acl ntlmauth proxy_auth REQUIRED
>>> ...
>>> external_acl_type gg_nointernet ttl=3600 children=8 %LOGIN
>>> /usr/local/bin/squid_ldap_group ... -p 389 -P -t 2 -c 3 -R -S +
>>> acl GSIFBENoInternetAccess external gg_nointernet GSIFBENoInternetAccess
>>> ...
>> Replace this:
>>
>>> http_access deny GSIFBENoInternetAccess
>>> deny_info ERR_LDAP GSIFBENoInternetAccess
>> with this:
>>
>> # maybe needed to force credentials to be present
>> #
>> http_access deny !ntlmauth
>>
>> # do the group checking and custom denial page
>> # without another auth popup.
>> #
>> acl ldapErrPage src all
>> deny_info ERR_LDAP ldapErrPage
>> http_access deny GSIFBENoInternetAccess ldapErrPage
>>
>>
>>> http_access allow ntlmauth
>>> http_reply_access allow all
>>> http_access deny all
>
> first of all many thks for the quick reply ..
>
> I tried your proposal and seems to work. I still have to check
> everything is ok at ldap and ntlm level but seems well until now ..
> about your config there is something I do not understand ..
>
> when I look at what I tried before, I deny all members of group
> GSIFBENoInternetAccess before requesting for authentication so afaik
> processing stops after the first line .. Is this correct and do I say
> something wrong with this ??
>
> http_access deny GSIFBENoInternetAccess
> http_access allow ntlmauth
> http_reply_access allow all
> http_access deny all
>
> when I look at your proposal what I understand, client is first
> requested with authentication (407), then you simply define an acl
> matching everything, you deny all members of GSIFBENoInternetAccess for
> everybody (ldapErrPage is matching in this case 0.0.0.0/0.0.0.0) and
> last but not least but this part is not clear for me, you request
> credentials for the second time
>
> http_access deny !ntlmauth
> acl ldapErrPage src all
> deny_info ERR_LDAP ldapErrPage
> http_access deny GSIFBENoInternetAccess ldapErrPage
> http_access allow ntlmauth
> http_reply_access allow all
> http_access deny all
>
> in other words ....
>
> why did you force authentication before and after the ldap group ?

  'allow ntlmauth' will not request authentication from the client browser.

  'deny !ntlmauth' will request authentication if it is fully *missing*.

  'deny !ntlmauth' will request authentication if it is not in your user
database.

> I see two times ntlmauth so you should authenticate two times for the
> same request, right ?

No. See above.

> why did you define an acl called ldapErrPage, without ldapErrPage is not
> enough ?

ldapErrPage is a dummy ACL. So that the auth headers/popup don't occur
over your custom page.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
   Current Beta Squid 3.1.0.13
Received on Fri Sep 18 2009 - 13:47:56 MDT
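A small model of Squid's ordered http_access evaluation, added here to show why the original rule order produces a second popup and the proposed order does not; it is not Squid code and not from either poster. It assumes two things about Squid: evaluating an auth-dependent ACL (proxy_auth, or an external ACL using %LOGIN) on a request without credentials sends a 407 challenge, and a matching `deny` line whose last ACL is auth-dependent also ends in a 407 rather than a 403 plus the deny_info page. Usernames and group membership are constructed.

```python
# Toy model of Squid http_access evaluation (added example, not Squid code).
# Assumption: auth-dependent ACLs force a 407 when credentials are absent, and a
# matching "deny" line whose LAST acl is auth-dependent yields 407, not 403.

AUTH_ACLS = {"ntlmauth", "GSIFBENoInternetAccess"}  # proxy_auth / external %LOGIN
NO_INTERNET_GROUP = {"alice"}                       # constructed AD group members


class NeedAuth(Exception):
    """Raised when an auth-dependent ACL is checked without credentials."""


def acl_match(acl, req):
    """Evaluate one ACL name (optionally '!'-negated) against a request dict."""
    negated = acl.startswith("!")
    name = acl.lstrip("!")
    if name in AUTH_ACLS and req.get("user") is None:
        raise NeedAuth()
    if name == "GSIFBENoInternetAccess":
        matched = req["user"] in NO_INTERNET_GROUP   # squid_ldap_group result
    else:
        matched = True   # 'ntlmauth' (credentials present), 'ldapErrPage', 'all'
    return matched != negated


def http_access(rules, req):
    """Walk http_access lines in order; return the HTTP status the client sees."""
    try:
        for action, acls in rules:
            if all(acl_match(a, req) for a in acls):
                if action == "allow":
                    return 200
                last = acls[-1].lstrip("!")
                return 407 if last in AUTH_ACLS else 403   # 403 => deny_info page
        return 403
    except NeedAuth:
        return 407


def browse(rules, user):
    """Simulate a browser: first request without credentials, retry on 407."""
    codes = [http_access(rules, {})]
    if codes[0] == 407:
        codes.append(http_access(rules, {"user": user}))
    return codes


# Original order: the deny line ends in an auth-dependent ACL.
ORIGINAL = [("deny", ["GSIFBENoInternetAccess"]),
            ("allow", ["ntlmauth"]),
            ("deny", ["all"])]
# Proposed order: credentials forced first, dummy 'src all' ACL last on the deny.
FIXED = [("deny", ["!ntlmauth"]),
         ("deny", ["GSIFBENoInternetAccess", "ldapErrPage"]),
         ("allow", ["ntlmauth"]),
         ("deny", ["all"])]
```

Under ORIGINAL a group member gets 407 twice (the extra popup, then the error page only after Cancel); under FIXED the second answer is a plain 403 carrying the custom page.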
