Hello,
I cannot seem to get an ACL sequence to work as I expect it to (using
2.6stable9).
I have right at the start of the config:
acl authenticated_user proxy_auth REQUIRED
then
acl no_auth_unrestricted dstdomain "/usr/local/squid/no_authentication_required"
http_access allow no_auth_unrestricted
the file referenced contains a simple list of domain names.
Further down I have a reference to an Active Directory Group
membership test:
acl ge_users external ADdomainGroup cn=GEUsers,cn=users,dc=example,dc=com
acl ge_sites dstdomain "/usr/local/squid/ge_sites"   # acl type assumed: the post as quoted omits it
http_access allow ge_users ge_sites authenticated_user
The external acl ADdomainGroup is defined as:
external_acl_type ADdomainGroup ttl=900 %LOGIN /usr/lib/squid/squid_ldap_group -b "<searchbase>" -f "(&(cn=%u)(memberOf=%g))" -H "ldap://ldaphost1/ ldap://ldaphost2/" -S -D <bindUsername> -w "password"
The checking of group membership against AD has worked perfectly for
years and has never been an issue.
If I try to go to a site in the "no authentication required" list at
the top I simply get a 403 in the logs and the "access control
prevents access" etc message. Why does it not simply allow the request?
If I then go to a site that requires authentication, not necessarily
the "ge_sites", but any other allow that has authenticated_user as
part of the conditions, then the 407 is sent, I enter the credentials
and get to the site. Then returning to try a site as above that does
not require auth, the site loads ok and the logs show the browser has
sent the credentials.
If I remove the acl and http_access for ge_users that talks to AD, the
sites requiring no authentication load as expected without need to
send credentials.
How do I arrange the ACLs so that sites that require no authentication
get allowed?
I have tried looking at the output of debug_options ALL,1 33,2 but
have not been able to find the problem.
Many thanks,
Rolf
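As an added illustration (not part of Rolf's post and not Squid's own code), the following Python model walks http_access lines the way Squid does, first match wins, and reproduces a common cause of this symptom: a dstdomain list entry without a leading dot matches only that exact host, so a request for www.example.org does not match an entry "example.org", falls through to the next line, and the first ACL there (a %LOGIN external ACL or proxy_auth REQUIRED) triggers the 407. The list file contents, ACL table and group lookup result are constructed sample values.

```python
# Added example, not Squid code: a minimal model of Squid's first-match
# http_access evaluation. Domain lists and the group result are constructed.

def dstdomain_match(host, entries):
    """'example.org' matches only that host; '.example.org' also matches subdomains."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.strip().lower()
        if not entry or entry.startswith("#"):
            continue                      # blank line or comment in the list file
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def evaluate(rules, acls, host, user=None, group_member=False):
    """Walk http_access lines in order; return (verdict, rule_index) where verdict is
    'allow', 'deny' or 'challenge' (407: an ACL needed credentials the request lacked)."""
    for index, (action, names) in enumerate(rules):
        matched = True
        for name in names:
            negate = name.startswith("!")
            kind, arg = acls[name.lstrip("!")]
            if kind == "dstdomain":
                hit = dstdomain_match(host, arg)
            else:                         # proxy_auth and a %LOGIN external ACL both need credentials
                if user is None:
                    return "challenge", index
                hit = True if kind == "proxy_auth" else group_member
            if hit == negate:             # this ACL fails, so the whole line fails
                matched = False
                break
        if matched:
            return action, index
    return "deny", -1                     # nothing matched: Squid applies the opposite of the last line

# Constructed stand-ins for the two list files and the ACL definitions in the post.
NO_AUTH_FILE = ["example.org", ".intranet.example.com"]
ACLS = {
    "authenticated_user": ("proxy_auth", "REQUIRED"),
    "no_auth_unrestricted": ("dstdomain", NO_AUTH_FILE),
    "ge_users": ("external_login", "ADdomainGroup"),
    "ge_sites": ("dstdomain", [".partner.example.net"]),
}
RULES = [("allow", ["no_auth_unrestricted"]),                      # same order as the post
         ("allow", ["ge_users", "ge_sites", "authenticated_user"])]
```

Feeding the real list file into NO_AUTH_FILE and calling evaluate() with the hostnames from the 403 entries in access.log shows which requests never matched the exemption line.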