Hi, Serassio et al... thank you very much for the pointers. On Monday 19 December 2005 23:42, Serassio Guido wrote: > At 14.01 19/12/2005, Christoph Haas wrote: > > we have just spent two days hunting down a phenomenon regarding > > external ACLs. I suspect a bug so I'll be a bit more verbose. > [...] > You need some simple logical changes in your ACLs, the following > should work, I hope ... :-) > > acl our_networks src put_your_local_network_here > > http_access deny !ldap-auth > http_access deny !ldapgroup-allowed our_networks > http_access allow all If I remember correctly it's always the "last ACL" that finally triggers. So that if I write "http_access deny A B C" it's the 'C' ACL which is the "cause" for the denial (like I need to configure a "deny_info" for the 'C' ACL here to make that work). So if that's true I would have to replace => http_access deny !ldapgroup-allowed ...by... => acl dummy_acl src 0.0.0.0/0.0.0.0 => http_access deny !ldapgroup-allowed dummy_acl ...just to make the "dummy_acl" match without triggering reauthentication? That just looks ugly to me. But okay. :) What's confusing in http://www.squid-cache.org/mail-archive/squid-users/200511/0339.html (Hendrik): | Squid prompts for login credentials if the user is denied access by an | authentication related acl (proxy_auth, proxyauth_regex, external using | %LOGIN). External using %LOGIN? When I use LDAP groups for authorization (not authentication) purposes I need the '%LOGIN'. Example from our configuration: => external_acl_type LDAP_group %LOGIN /usr/lib/squid/squid_ldap_group ... I need the '%LOGIN' here since the username is passed to the squid_ldap_group external helper to find out whether the user is member of a certain group. Currently I can't see why this is handled like it's an "authentication". How can I work around this? I'm willing to accept any changes but I'd like to understand the whys and hows. Thanks in advance. Christoph -- ~ ~ ".signature" [Modified] 2 lines --100%-- 2,41 All
