Eric Van Steenbergen wrote:
> Hello all,
>
> I'm trying to configure Squid to ask for authentication using LDAP but
> ONLY on one cache_peer. Before I had it activated on all servers and
> it worked perfectly. All the other webservers however have their own
> authentication except this wiki.
>
> This is what I have in my squid.conf in regards to this particular site.
> Code:
>
> cache_peer 172.25.XXX.XXX parent 80 0 no-query originserver name=wiki
>
> acl site_wiki dstdomain wiki.tradisa.com
> cache_peer_access wiki allow site_wiki
> auth_param basic program /lib/squid3/squid_ldap_auth -R -b
> "dc=domain,dc=es" -D "cn=squid,cn=Users,dc=domain,dc=es" -w "ldapuser"
> -f sAMAccountName=%s -h 172.25.XXX.XXX
>
> auth_param basic children 1
> auth_param basic credentialsttl 5 minutes
> cache_peer_access wiki deny all
> acl wiki_users proxy_auth REQUIRED
> cache_peer_access wiki allow wiki_users

Taking the above config and erasing unused lines we end up with:

cache_peer 172.25.XXX.XXX parent 80 0 no-query originserver name=wiki
acl site_wiki dstdomain wiki.tradisa.com
cache_peer_access wiki allow site_wiki
cache_peer_access wiki deny all

>
>
> http_access allow wiki_users
>
> http_access deny all
>
> however I go straight to the website without it asking for
> authentication. If I put in the http_access rules as at the end of the
> 'code' part then authentication gets asked for all the sites. How
> would I go about just configuring this one server so that it asks for
> authentication?

You are missing all sorts of important config lines, such as whether or
not any other peers of this proxy are accepting site_wiki traffic.

>
> LDAP authentication is working perfectly, it's just an error in my
> definition as stated above. I'm missing something but I cannot see it.
> Of course IPs and names have been changed before posting.
>
> All help is greatly appreciated.

http://wiki.squid-cache.org/SquidFaq/SquidAcl

cache_peer_access is a 'fast' group ACL. It cannot kick off and wait for
authentication.
http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs

Authentication needs to happen in the http_access instead.

cache_peer 172.25.XXX.XXX parent 80 0 no-query originserver name=wiki
cache_peer_access wiki allow site_wiki
cache_peer_access wiki deny all
http_access allow site_wiki wiki_users

To safely operate your Squid you _really_ need to know how that works
and why:
http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.15

Received on Tue Nov 24 2009 - 08:06:11 MST
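
Added example, not part of the original thread: the pieces from the question and the reply assembled into one squid.conf fragment, with the authentication decision in http_access and cache_peer_access left to routing only. The other_sites ACL and its .example.com domain are hypothetical stand-ins for the other web servers mentioned in the question; http_port and the other cache_peer lines are omitted because the thread does not show them.

```conf
# Added example (not from the thread). Masked IPs are kept as posted.

# Basic auth helper, as given in the question.
auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=es" -D "cn=squid,cn=Users,dc=domain,dc=es" -w "ldapuser" -f sAMAccountName=%s -h 172.25.XXX.XXX
auth_param basic children 1
auth_param basic credentialsttl 5 minutes

# ACL definitions.
acl site_wiki dstdomain wiki.tradisa.com
# proxy_auth has to call the external helper and wait for it, so it is a
# 'slow' ACL and may only be used where slow ACLs are supported.
acl wiki_users proxy_auth REQUIRED
# Hypothetical: the sites that do their own authentication.
acl other_sites dstdomain .example.com

# Routing only. cache_peer_access is a 'fast' check: it decides which peer
# receives a request that has already been allowed, nothing more.
cache_peer 172.25.XXX.XXX parent 80 0 no-query originserver name=wiki
cache_peer_access wiki allow site_wiki
cache_peer_access wiki deny all

# Access control. Rules are tried top to bottom, the first matching line
# wins, and every ACL on a line must match (logical AND).
# site_wiki is listed first so the login is only requested for wiki traffic.
http_access allow site_wiki wiki_users
# Wiki requests that did not authenticate stop here and can never reach a
# later, broader allow line.
http_access deny site_wiki
# The remaining sites pass through without proxy authentication.
http_access allow other_sites
http_access deny all
```

After editing, "squid -k parse" checks the file for syntax errors before the running proxy is reconfigured.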