Guido... (sorry for the name mixup but you swapped the first and last name of your real name)

On Tuesday 20 December 2005 17:12, Serassio Guido wrote:
> At 12.25 20/12/2005, Christoph Haas wrote:
> > I need the '%LOGIN' here since the username is passed to the
> > squid_ldap_group external helper to find out whether the user is a member
> > of a certain group. Currently I can't see why this is handled like
> > it's an "authentication". How can I work around this?
>
> After this patch, when you are using an external ACL with %LOGIN, you
> don't need anymore the "http_access deny !ldap-auth" line, because
> the authentication is triggered automatically, so your config will be:
>
> ==========================
> external_acl_type LDAP_group %LOGIN /usr/lib/squid/squid_ldap_group ...
>
> auth_param basic program /usr/lib/squid/ldap_auth ...
>
> acl ldapgroup-allowed external LDAP_group PROXY_ALLOWED
> acl dummy_acl src 0.0.0.0/0.0.0.0
>
> http_access deny !ldapgroup-allowed dummy_acl
> http_access allow all
> ==========================

Makes sense. That has probably worked before, too, since LDAP_group needed the user name (%LOGIN) to decide whether the ACL matches. But now it's clear (to me).

> After this change, we can choose if have or don't have a new
> authentication prompt after an external ACL deny. Before, this cannot be
> done.

Currently I don't have a use for that feature. But perhaps one day I'll be more thankful for it.

Thanks for your time.

 Christoph
--
~
~
".signature" [Modified] 1 line --100%-- 1,48 All