Squid ACL

Squid ACL

Christian Vallant
Hello,

I need to solve the following problem.
I have an LDAP server, which I use to authenticate the user.
If the user is in the group, he has access to group A. If the
authentication fails, he has access to group B.

Can anyone tell me how I can solve this problem?

I already have authentication, but the problem is that if the
user tries to authenticate but has no rights, the authentication window
comes up again and again. But the user has to be in the group
to_domains_without_auth and the other domains should be blocked.

So, the relevant code looks like:

auth_param basic program /etc/squid/ldapauth.pl
acl for_inetusers proxy_auth REQUIRED

acl to_domains_without_auth dstdomain "/var/ipcop/proxy/advanced/acls/dst_noauth.acl"


Can anyone help me?

Best regards
Christian

Re: Squid ACL

Amos Jeffries
Administrator
> Hello,
>
> I need to solve the following problem.
> I have an LDAP server, which I use to authenticate the user.
> If the user is in the group, he has access to group A. If the
> authentication fails, he has access to group B.
>
> Can anyone tell me how I can solve this problem?
>
> I already have authentication, but the problem is that if the
> user tries to authenticate but has no rights, the
> authentication window
> comes up again and again. But the user has to be in the group
> to_domains_without_auth and the other domains should be blocked.
>
> So, the relevant code looks like:
>
> auth_param basic program /etc/squid/ldapauth.pl
> acl for_inetusers proxy_auth REQUIRED
>
> acl to_domains_without_auth dstdomain "/var/ipcop/proxy/advanced/acls/dst_noauth.acl"
>
>
> Can anyone help me?
>

Check the order of the http_access lines in your squid.conf.
They are processed in order, and for_inetusers needs to be preceded by
any ACLs that allow people through without auth.

For example:

http_access allow anybody_without_auth
http_access allow for_inetusers
http_access deny all

Amos

RE: Squid ACL

Mark Barlow
-----Original Message-----
From: [hidden email] [mailto:[hidden email]]
Sent: 06 July 2007 00:22

>To: Christian Vallant
>Cc: [hidden email]
>Subject: Re: [squid-users] Squid ACL
>
>> Hello,
>>
>> I need to solve the following problem.
>> I have an LDAP server, which I use to authenticate the user.
>> If the user is in the group, he has access to group A. If the
>> authentication fails, he has access to group B.
>>
>> Can anyone tell me how I can solve this problem?
>>
>> I already have authentication, but the problem is that if the
>> user tries to authenticate but has no rights, the
>> authentication window
>> comes up again and again. But the user has to be in the group
>> to_domains_without_auth and the other domains should be blocked.
>>
>> So, the relevant code looks like:
>>
>> auth_param basic program /etc/squid/ldapauth.pl
>> acl for_inetusers proxy_auth REQUIRED
>>
>> acl to_domains_without_auth dstdomain "/var/ipcop/proxy/advanced/acls/dst_noauth.acl"
>>
>>
>> Can anyone help me?
>>
>
>Check the order of the http_access lines in your squid.conf.
>They are processed in order, and for_inetusers needs to be preceded by
>any ACLs that allow people through without auth.
>
>For example:
>
>http_access allow anybody_without_auth
>http_access allow for_inetusers
>http_access deny all
>
>Amos

Remember, for rules to work effectively, at least one of them has to be true.
I suspect this is why your authentication window keeps popping up. For
example, if someone isn't in the inetusers group, the result of the line
http_access allow for_inetusers will be false and it will move on to the
next line. You need the users to match a deny rule to stop the request
being processed and output a Squid error page to the user. The deny all
rule should suffice.

Hope this makes sense.
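Putting Amos's ordering advice and Mark's point about the final deny together, the following squid.conf fragment is an added example (not Christian's actual configuration, and not code from the Squid project) showing the rule set as it needs to end up. The helper path and ACL names are taken from the original post; the realm string is an assumed example value, and the dstdomain file is assumed to contain one destination domain per line (e.g. `.example.org`).

```conf
# Added example: "allow some domains without auth, require auth for the rest"
# Authentication helper as posted; the realm is an example value.
auth_param basic program /etc/squid/ldapauth.pl
auth_param basic realm Company proxy

# ACL definitions (names and path as posted; file assumed to hold
# one destination domain per line).
acl for_inetusers proxy_auth REQUIRED
acl to_domains_without_auth dstdomain "/var/ipcop/proxy/advanced/acls/dst_noauth.acl"

# Two ways the list goes wrong:
#
#   1. If "http_access allow for_inetusers" comes BEFORE the no-auth allow,
#      the proxy_auth ACL is evaluated first and Squid challenges (407)
#      even for requests to the no-auth domains.
#
#   2. If "http_access allow for_inetusers" is the LAST line, a user whose
#      credentials the helper rejects matches nothing; the implicit denial
#      is then tied to the proxy_auth ACL that was tested last, so Squid
#      re-challenges with 407 and the browser pops the login box again.
#
# Corrected order: first match wins, so the no-auth domains are allowed
# before any credential is demanded, everyone else must authenticate,
# and the explicit "deny all" makes a failed login end on an ACL that is
# not proxy_auth, so the client gets a 403 error page instead of a loop.
http_access allow to_domains_without_auth
http_access allow for_inetusers
http_access deny all
```

After editing, run `squid -k parse` to check the file and `squid -k reconfigure` to apply it. To verify from a client, `curl -v -x http://proxy:3128 http://example.org/` (a domain in the list) should be served without a challenge, the same request to a domain not in the list should get `407 Proxy Authentication Required`, and `curl -v -x http://proxy:3128 -U wronguser:wrongpass http://www.example.com/` should now get a `403 Forbidden` error page rather than another 407.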