On Fri, 18 Mar 2005, Rolf wrote:
Firstly what happens if I put
http_access allow group1
before the proxy auth request?
Does it break if the credentials are not already available (cached from some previous time) to pass to the helper, or what?
No. Both proxy_auth acls and external acls using an external_acl_type with %LOGIN request authentication if the user is not yet authenticated. Any kind of acl looking at the login name will trigger authentication if the user is not already authenticated.
Secondly, what is the behaviour with multiple acls that refer to different groups? for eg
acl group1 external ... blah blah group reference
acl group2 external ...blah blah another group reference
acl group3 external ...blah yet another group
It works.
But the syntax is
external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group options_for_dn etc...
acl group1 external ldap_group group name(s)
http_access allow authenticated_user group1
http_access allow authenticated_user group2
http_access allow authenticated_user group3
This works, but as mentioned above the authenticated_user acl is redundant. In addition these can all be joined as a single acl matching all three groups if you prefer.
acl full_access_groups external ldap_group GroupName1 GroupName2 GroupName3
http_access allow full_access_groups
Does that force the proxy auth request to be resent each time?
Authentication requests are sent automatically by Squid when needed when you use acls requiring authentication.
Regards
Henrik
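
Added example (not part of the original message, and not Squid's or squid_ldap_group's own code): a minimal Python stand-in for the helper side of an external_acl_type using %LOGIN, showing why one acl listing several groups matches a member of any of them. It assumes the simple line protocol in which Squid writes the URL-escaped login name followed by the acl's group names and reads back OK or ERR; the group table is constructed sample data in place of an LDAP lookup.

```python
#!/usr/bin/env python3
"""Stand-in group helper for `external_acl_type <name> %LOGIN <this script>`."""
import sys
from urllib.parse import unquote

# Constructed sample data: replaces the directory lookup a real helper performs.
GROUP_MEMBERS = {
    "GroupName1": {"alice"},
    "GroupName2": {"bob"},
    "GroupName3": {"carol", "alice"},
}


def check_line(line, members=GROUP_MEMBERS):
    """Answer one request line '<login> <group> [<group> ...]' with 'OK' or 'ERR'."""
    # Split on whitespace first, then unescape each field, so an escaped
    # space inside a login or group name does not create an extra field.
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"  # missing login or group list: fail closed
    user, groups = fields[0], fields[1:]
    # The acl matches when the user belongs to ANY of the listed groups.
    if any(user in members.get(group, set()) for group in groups):
        return "OK"
    return "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Helper main loop: one answer per request line, flushed immediately."""
    for line in stdin:
        stdout.write(check_line(line) + "\n")
        stdout.flush()  # Squid waits for each answer; never leave it buffered


if __name__ == "__main__":
    serve()
```

Squid only runs the helper once it has a login name to pass, which is why the acl itself is enough to trigger the authentication challenge.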