Evening... we have just spent two days hunting down a phenomenon regarding external ACLs. I suspect a bug, so I'll be a bit more verbose.

In our current setup (Squid 2.5.9 / Debian Sarge) we run a pretty complex configuration with LDAP authentication and multiple external squid_ldap_group calls for certain authorizations from LDAP groups. While I was playing with a few changes on a test server (running Squid 2.5.12 from Debian Sid) I quickly found out that things didn't work the way they did before. In particular, the user was prompted to re-authenticate (407) time and again without an obvious reason, because the credentials were okay.

After tracking it down I ended up with a rather simple configuration that worked well on Squid 2.5.9 but not on Squid 2.5.12. These are the relevant parts of the squid.conf:

==========================
external_acl_type LDAP_group %LOGIN /usr/lib/squid/squid_ldap_group ...
auth_param basic program /usr/lib/squid/ldap_auth ...

acl ldap-auth proxy_auth REQUIRED
acl ldapgroup-allowed external LDAP_group PROXY_ALLOWED

http_access deny !ldap-auth
http_access deny !ldapgroup-allowed
http_access allow all
==========================

On 2.5.9, if the user is not a member of the group "PROXY_ALLOWED" but authenticates correctly, I get this correct log entry:

1134746078.117 42 127.0.0.1 TCP_DENIED/403 2557 GET http://www.domain.com/ chris NONE/- text/html

The cache.log (with ACL debugging enabled) reads:

The request GET http://www.domain.com/ is DENIED, because it matched 'ldapgroup-allowed'

So this is correct. The "http_access deny ldapgroup-allowed" denies the access, the user gets an error page and the code 403 is logged.

Whereas on 2.5.12 the user who is not a member of the "PROXY_ALLOWED" group will be prompted for the password time and again. The access.log reads:

1134746808.068 34 10.0.0.1 TCP_DENIED/407 2675 GET http://www.domain.com/ chris NONE/- text/html

(Note the 407!)

The cache.log (with ACL debugging enabled) reads:

The request GET http://www.domain.com/ is DENIED, because it matched 'ldapgroup-allowed'

So it appears the very same "http_access" line is matching, but it is not giving back a 403 but rather a 407.

I'd like to hear comments. Perhaps the developers have an idea what may have changed between stable 9 and stable 12 that could cause this.

Thanks in advance.

Christoph

P.S.: Bear with me if the config contains typos. I mangled it to hide some of our configuration internals. :)
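Added example, not part of Christoph's post or of the Squid project: a small Python script that parses access.log lines in the native Squid log format shown above (time, elapsed, client, action/status, bytes, method, URL, user, hierarchy/peer, MIME type) and flags the symptom described in the post, a 407 logged together with a user name. The heuristic rests on an assumption taken from the post: a 407 is a credentials challenge, so when the line already carries an authenticated user name, the proxy challenged credentials it had accepted. The two log lines from the post are used as input, the remaining lines are constructed for the example.

```python
"""Flag the '407 after successful authentication' symptom in Squid access.log lines.

Added example; the log format is Squid's native format as it appears in the post.
The heuristic (407 plus a non-"-" user name = spurious re-challenge) is an assumption
derived from the post's description, not a documented Squid rule.
"""
from collections import Counter, defaultdict

# Field order of the native Squid 2.5 access.log format.
FIELDS = ("time", "elapsed", "client", "action_code", "bytes", "method", "url",
          "user", "hierarchy", "mime")

# Two lines are copied from the post; the others are constructed for this example.
SAMPLE_LINES = [
    # from the post: correct 403 on Squid 2.5.9 (authenticated, not in PROXY_ALLOWED)
    "1134746078.117     42 127.0.0.1 TCP_DENIED/403 2557 GET http://www.domain.com/ chris NONE/- text/html",
    # constructed: the normal first challenge, no credentials sent yet, user is "-"
    "1134746807.900     12 10.0.0.1 TCP_DENIED/407 2675 GET http://www.domain.com/ - NONE/- text/html",
    # from the post: 407 logged with a user name on Squid 2.5.12
    "1134746808.068     34 10.0.0.1 TCP_DENIED/407 2675 GET http://www.domain.com/ chris NONE/- text/html",
    # constructed: the same user is challenged again, the loop the post describes
    "1134746809.101     31 10.0.0.1 TCP_DENIED/407 2675 GET http://www.domain.com/ chris NONE/- text/html",
    # constructed: an allowed user whose request goes through
    "1134746810.500    120 10.0.0.2 TCP_MISS/200 14321 GET http://www.domain.com/ anna DIRECT/192.0.2.10 text/html",
]


def parse_line(line):
    """Split one native-format access.log line into a dict; status code as int."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count %d in line: %r" % (len(parts), line))
    rec = dict(zip(FIELDS, parts))
    action, code = rec["action_code"].split("/", 1)
    rec["action"] = action
    rec["code"] = int(code)
    return rec


def status_by_user(lines):
    """Map user name -> Counter of HTTP status codes seen for that user."""
    table = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        table[rec["user"]][rec["code"]] += 1
    return {user: dict(codes) for user, codes in table.items()}


def find_auth_loops(lines, threshold=1):
    """Return {user: count} for users who were sent a 407 although a user name was logged.

    A 407 with user "-" is the expected first challenge and is ignored. A 407 carrying
    a user name means the credentials had been accepted yet the client was challenged
    again; `threshold` sets how many such lines are needed before a user is reported.
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec["code"] == 407 and rec["user"] != "-":
            hits[rec["user"]] += 1
    return {user: n for user, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for user, codes in sorted(status_by_user(SAMPLE_LINES).items()):
        print("%-6s %s" % (user, codes))
    loops = find_auth_loops(SAMPLE_LINES)
    for user, n in loops.items():
        print("suspicious: %s got %d x 407 with a user name already logged" % (user, n))
```

Pointing the script at a real access.log (one line per `SAMPLE_LINES` entry) separates the expected anonymous 407 challenges from the authenticated 407s that this post is about; a non-empty result for a user who is in fact supplying correct credentials is the symptom to investigate, while a 403 for that user is the behaviour the post describes as correct.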