Hi,

At 12.25 20/12/2005, Christoph Haas wrote:

If I remember correctly it's always the "last ACL" that finally triggers. So that if I write "http_access deny A B C" it's the 'C' ACL which is the "cause" for the denial (like I need to configure a "deny_info" for the 'C' ACL here to make that work). So if that's true I would have to replace

=> http_access deny !ldapgroup-allowed

...by...

=> acl dummy_acl src 0.0.0.0/0.0.0.0
=> http_access deny !ldapgroup-allowed dummy_acl

...just to make the "dummy_acl" match without triggering reauthentication? That just looks ugly to me. But okay. :)
Correct, similar to my example.
What's confusing in http://www.squid-cache.org/mail-archive/squid-users/200511/0339.html (Hendrik):

| Squid prompts for login credentials if the user is denied access by an
| authentication related acl (proxy_auth, proxyauth_regex, external using
| %LOGIN).

External using %LOGIN? When I use LDAP groups for authorization (not authentication) purposes I need the '%LOGIN'. Example from our configuration:

=> external_acl_type LDAP_group %LOGIN /usr/lib/squid/squid_ldap_group ...

I need the '%LOGIN' here since the username is passed to the squid_ldap_group external helper to find out whether the user is member of a certain group. Currently I can't see why this is handled like it's an "authentication". How can I work around this?
After this patch, when you are using an external ACL with %LOGIN, you no longer need the "http_access deny !ldap-auth" line, because the authentication is triggered automatically, so your config will be:

==========================
external_acl_type LDAP_group %LOGIN /usr/lib/squid/squid_ldap_group ...
auth_param basic program /usr/lib/squid/ldap_auth ...
acl ldapgroup-allowed external LDAP_group PROXY_ALLOWED
acl dummy_acl src 0.0.0.0/0.0.0.0
http_access deny !ldapgroup-allowed dummy_acl
http_access allow all
==========================
I'm willing to accept any changes but I'd like to understand the whys and hows. Thanks in advance.
After this change, we can choose whether or not to have a new authentication prompt after an external ACL deny. Before, this could not be done.
Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it/
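
The "last ACL on the deny line" rule discussed in this thread, as a small Python model. This is an added example, not part of the original message and not Squid code; the function names, the "external_login" type label, the fall-through result and the sample request are assumptions made for illustration.

```python
# Simplified model of the rule discussed in this thread (an assumption-laden
# sketch, not Squid source): http_access rules are checked top to bottom, the
# first rule whose ACLs all match decides, and on a deny the LAST ACL named on
# that rule decides between a new login prompt (407) and a plain denial (403).

# ACL types that count as authentication related. "external_login" is a
# hypothetical label used here for an external ACL defined with %LOGIN.
AUTH_RELATED = {"proxy_auth", "proxy_auth_regex", "external_login"}


def evaluate(rules, acl_types, matches):
    """Return the HTTP status (200, 403 or 407) for one request.

    rules:     list of (action, [acl names]); a leading "!" negates the ACL
    acl_types: ACL name -> ACL type
    matches:   ACL name -> whether that ACL matches this request
    """
    for action, acls in rules:
        if all(matches[a.lstrip("!")] != a.startswith("!") for a in acls):
            if action == "allow":
                return 200
            last_acl = acls[-1].lstrip("!")
            return 407 if acl_types[last_acl] in AUTH_RELATED else 403
    return 403  # no rule matched: this model simply denies


ACL_TYPES = {"ldapgroup-allowed": "external_login", "dummy_acl": "src", "all": "src"}

# Rule set from the question: the group ACL is last on the deny line.
PLAIN = [("deny", ["!ldapgroup-allowed"]), ("allow", ["all"])]
# Rule set with the workaround: dummy_acl is last on the deny line.
WORKAROUND = [("deny", ["!ldapgroup-allowed", "dummy_acl"]), ("allow", ["all"])]


def status_for(rules, in_group):
    """Constructed request: an already authenticated user, in or out of the group."""
    matches = {"ldapgroup-allowed": in_group, "dummy_acl": True, "all": True}
    return evaluate(rules, ACL_TYPES, matches)


if __name__ == "__main__":
    for name, rules in (("plain", PLAIN), ("workaround", WORKAROUND)):
        for in_group in (True, False):
            print(name, "in group" if in_group else "not in group", status_for(rules, in_group))
```

In this model a user outside the group gets a fresh login prompt under the plain rule set and a plain denial under the workaround, while a group member is allowed under both.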