hello
Presently we have working perfectly, basic auth against an LDAP query to Active Directory.
so acls:
acl authenticated_user proxy_auth REQUIRED
acl group1 external ...detail of helper and dn of group name etc
At the moment there is
http_access allow authenticated_user group1
http_access deny all
so when a request to go to a site is received, proxy auth is sent and credentials checked and if correct and user in group, access is allowed.
Firstly what happens if I put
http_access allow group1
before the proxy auth request?
Does it break if the credentials are not already available (cached from some previous time) to pass to the helper, or what?
Secondly, what is the behaviour with multiple acls that refer to different groups? E.g.
acl group1 external ... blah blah group reference
acl group2 external ...blah blah another group reference
acl group3 external ...blah yet another group
Assuming the user is in some of the groups but not others.
If I say
http_access allow authenticated_user group1
http_access allow authenticated_user group2
http_access allow authenticated_user group3
and so on to
http_access deny all
Does that force the proxy auth request to be resent each time?
Or are the cached credentials used and then tested against the different groups via the helper as they are encountered in the rules?
If the latter, as I suspect, then can I rewrite the above list as:
http_access allow authenticated_user group1
http_access allow group2
http_access allow group3
etc
http_access deny all
And the single, first, instance of the proxy auth request will suffice to establish the credentials, which are then used as required with the further group2, group3 ... decisions?
thanks
rolf.