-----Original Message-----
From: squid3@xxxxxxxxxxxxx [mailto:squid3@xxxxxxxxxxxxx]
Sent: 06 July 2007 00:22
>To: Christian Vallant
>Cc: squid-users@xxxxxxxxxxxxxxx
>Subject: Re: Squid ACL
>
>> Hello,
>>
>> I need to solve the following problem.
>> I have an ldap-server, which I use to authenticate the user.
>> If the user is in the group, he has access to the group A. If the
>> authentication fails, he has access to the group B.
>>
>> Can anyone tell me how I can solve this problem?
>>
>> I already have an authentication, but the problem is that if the
>> user tries to authenticate, but he has no rights, the
>> authentication-window comes again and again. But the user has to be
>> in the group to_domains_without_auth and the other domains should be
>> blocked.
>>
>> So, the relevant code looks like:
>>
>> auth_param basic program /etc/squid/ldapauth.pl
>> acl for_inetusers proxy_auth REQUIRED
>>
>> acl to_domains_without_auth dstdomain "/var/ipcop/proxy/advanced/acls/dst_noauth.acl"
>>
>>
>> Can anyone help me?
>>
>
>Check the order of http_access * lines in your squid.conf.
>They are processed in order, and for_inetusers needs to be preceded by
>any ACL that allows people through without Auth.
>
>For example:
>
>http_access allow anybody_without_auth
>http_access allow for_inetusers
>http_access deny all
>
>Amos

Remember, for rules to work effectively, at least one of them has to be true. I suspect this is why your authentication window keeps popping up. For example, if someone isn't in the inetusers group, the result of the line http_access allow for_inetusers will be false and it will move on to the next line. You need the users to match a deny rule to stop the request being processed and output a Squid error page to the user. The deny all rule should suffice. Hope this makes sense.
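
The ordering point from the thread, as an added example that is not part of the original messages and is not Squid code: a simplified Python model of top-to-bottom, first-match http_access evaluation using the ACL names from the post. The domain names, the user name, the exact-match domain test and the "407 challenge" result string are assumptions made for the illustration.

```python
# Simplified model of Squid's http_access processing (illustration only).
# Constructed stand-in for the contents of dst_noauth.acl; real dstdomain
# matching also handles subdomains, which this model leaves out.
NOAUTH_DOMAINS = {"intranet.example"}


def acl_matches(acl, req):
    """Return True/False, or "CHALLENGE" when a login is needed but absent."""
    if acl == "all":
        return True
    if acl == "to_domains_without_auth":      # dstdomain ACL
        return req["domain"] in NOAUTH_DOMAINS
    if acl == "for_inetusers":                # proxy_auth REQUIRED
        # req["user"] is the authenticated user name, or None if the
        # request carried no credentials.
        return True if req["user"] else "CHALLENGE"
    raise ValueError(f"unknown ACL: {acl}")


def http_access(rules, req):
    """Walk the rules in order; the first line whose ACLs all match wins."""
    for action, acls in rules:
        result = True
        for acl in acls:                      # ACLs on one line are ANDed
            result = acl_matches(acl, req)
            if result is not True:
                break
        if result == "CHALLENGE":
            return "407 challenge"            # browser shows the login window
        if result is True:
            return action
    return "deny"  # model default; both rule sets below end in "deny all"


# Auth ACL first: every request hits the login prompt, even for the
# destinations that were meant to be reachable without authentication.
AUTH_FIRST = [("allow", ["for_inetusers"]),
              ("allow", ["to_domains_without_auth"]),
              ("deny", ["all"])]

# Order suggested in the reply: no-auth destinations before the auth ACL.
NOAUTH_FIRST = [("allow", ["to_domains_without_auth"]),
                ("allow", ["for_inetusers"]),
                ("deny", ["all"])]

if __name__ == "__main__":
    anon = {"domain": "intranet.example", "user": None}
    print("auth first  :", http_access(AUTH_FIRST, anon))
    print("noauth first:", http_access(NOAUTH_FIRST, anon))
```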