[squid-users] Auth loop for non ActiveDirectory members

From: Christian Scholz <squid-cache_at_2nibbles4u.de>
Date: Wed, 15 Jan 2014 20:40:16 +0100

Hello everyone,

I'm new on this list, so I want to introduce myself briefly. My
name is Christian and I'm working in an IT department.
Currently I'm setting up a squid3 (3.1.20-2.2) proxy connected with the
MS ActiveDirectory. Kerberos, NTLM and Basic authentication are already
working fine.

Now I have problems setting up the acls. Computers and users which are
members of the domain have no problems authenticating.
But when I use a computer which is not part of the ActiveDirectory, the
auth dialog pops up again and again. I've tried it with Firefox,
Internet Explorer and Google Chrome. With Firefox I have to type in the
credentials for every request. For google.com it means 10 times or so.
With IE and Google Chrome the user can't authenticate even if the
credentials are correct.

Concerning the acls I use the following:

   # Authentication required, otherwise Pop-Up
   acl Authenticated_Users proxy_auth REQUIRED
   http_access deny !Authenticated_Users

   acl Internet_Users external ldap_group Internet_Users
   http_access allow Internet_Users

   http_access deny all

Under http://wiki.squid-cache.org/Features/Authentication I've read the
part about auth loops. But I'm not sure if I've understood them
correctly. My understanding is that an acl which is based on proxy_auth,
proxy_auth_regex, or an external using %LOGIN shouldn't be the last entry
in http_access like I've done it above. But then the following example
should be correct:

   acl Authenticated_Users proxy_auth REQUIRED
   acl dummy_acl src 254.254.254.254/32

   http_access deny !Authenticated_Users dummy_acl
   http_access allow Authenticated_Users all

   http_access deny all

Is there anything else that I'm doing wrong? I am grateful for any
help.
Received on Wed Jan 15 2014 - 19:40:21 MST
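
The rule as the post summarises it can be checked mechanically. This is an added example, not part of the original message or of Squid: it lists the http_access lines whose final ACL is proxy_auth, proxy_auth_regex, or an external ACL whose helper format uses %LOGIN. The external_acl_type line and its helper path are constructed, since the post does not show them.

```python
# Assumption: only the %LOGIN format code marks an external helper as auth-based.
AUTH_TYPES = {"proxy_auth", "proxy_auth_regex"}

def _tokens(line):
    # Drop trailing comments, then split on whitespace.
    return line.split("#", 1)[0].split()

def auth_acl_names(conf):
    """Names of ACLs that need user credentials to be evaluated."""
    rows = [_tokens(l) for l in conf.splitlines()]
    # external_acl_type <name> [options] <format> <helper>: keep those using %LOGIN
    helpers = {t[1] for t in rows
               if len(t) > 2 and t[0] == "external_acl_type" and "%LOGIN" in t[2:]}
    names = set()
    for t in rows:
        if len(t) > 2 and t[0] == "acl":
            if t[2] in AUTH_TYPES:
                names.add(t[1])
            elif t[2] == "external" and len(t) > 3 and t[3] in helpers:
                names.add(t[1])
    return names

def auth_last_lines(conf):
    """(line number, rule) for http_access rules whose final ACL is auth-based."""
    auth = auth_acl_names(conf)
    hits = []
    for no, line in enumerate(conf.splitlines(), 1):
        t = _tokens(line)
        if len(t) >= 3 and t[0] == "http_access" and t[-1].lstrip("!") in auth:
            hits.append((no, " ".join(t)))
    return hits

# Constructed line: the post does not show its external_acl_type definition.
HELPER = "external_acl_type ldap_group %LOGIN /path/to/group-helper\n"
POSTED = HELPER + """\
acl Authenticated_Users proxy_auth REQUIRED   # first rule set from the post
http_access deny !Authenticated_Users
acl Internet_Users external ldap_group Internet_Users
http_access allow Internet_Users
http_access deny all
"""
PROPOSED = """\
acl Authenticated_Users proxy_auth REQUIRED   # second rule set from the post
acl dummy_acl src 254.254.254.254/32
http_access deny !Authenticated_Users dummy_acl
http_access allow Authenticated_Users all
http_access deny all
"""
if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("proposed", PROPOSED)):
        print(label, auth_last_lines(conf))
```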
