Rolf Loudon wrote:
> Hello,
> I cannot seem to get an ACL sequence to work as I expect it to (using
> 2.6stable9).
> I have right at the start of the config:
>   acl authenticated_user proxy_auth REQUIRED
> then
>   acl no_auth_unrestricted dstdomain "/usr/local/squid/no_authentication_required"
>   http_access allow no_auth_unrestricted
> The file referenced contains a simple list of domain names.
> Further down I have a reference to an Active Directory Group membership
> test:
>   acl ge_users external ADdomainGroup cn=GEUsers,cn=users,dc=example,dc=com
>   acl ge_sites "/usr/local/squid/ge_sites"
>   http_access allow ge_users ge_sites authenticated_user
> The external acl ADdomainGroup is defined as:
>   external_acl_type ADdomainGroup ttl=900 %LOGIN /usr/lib/squid/squid_ldap_group -b "<searchbase>" -f "(&(cn=%u)(memberOf=%g))" -H "ldap://ldaphost1/ ldap://ldaphost2/" -S -D <bindUsername> -w "password"
> The checking of group membership against AD has worked perfectly for
> years and has never been an issue.
> If I try to go to a site in the "no authentication required" list at the
> top I simply get a 403 in the logs and the "access control prevents
> access" etc. message. Why does it not simply allow the request?

It should be by those details above.
What exact URI is failing and what entry is supposed to match it in the
file no_authentication_required?
> If I then go to a site that requires authentication, not necessarily the
> "ge_sites", but any other allow that has authenticated_user as part of
> the conditions, then the 407 is sent, I enter the credentials and get to
> the site. Then returning to try a site as above that does not require
> auth, the site loads ok and the logs show the browser has sent the
> credentials.

Hmm, something elsewhere down a bit that you are not expecting to have
any connection is causing the authorized allow (second time).
> If I remove the acl and http_access for ge_users that talks to AD, the
> sites requiring no authentication load as expected without need to send
> credentials.

Same thing as when authorized is allowing them. Still no sign of
no_authentication_required actually working.
> How do I arrange the ACLs so that sites that require no authentication
> get allowed?

I think you got the order right, just not the ACL content you need.
The most common mistake with dstdomain is thinking that "dstdomain
example.com" will match domains like www.example.com.
For that you need to start the partial-domain with a dot,
i.e. "dstdomain .example.com".
> I have tried looking at the output of debug_options ALL,1 33,2 but have
> not been able to find the problem.

debug_options ALL,1 28,6 will show you the access controls in detail.
Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE5
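The dstdomain dot rule and the http_access ordering discussed in this thread, as an added Python simulator that is not part of the thread and not Squid's own code. It uses the ACL and rule names from the thread (no_auth_unrestricted, authenticated_user) with two constructed versions of the no_authentication_required file, and models Squid's behaviour in a simplified way: http_access lines are walked top to bottom, the first fully matching line decides, and reaching a proxy_auth ACL without credentials yields a 407. The exact status Squid logs in a larger config may differ (the thread reports a 403), but the matching and ordering behaviour is what the example demonstrates.

```python
# Added example, not from the thread or from Squid itself: a small simulator of
# Squid's dstdomain matching and top-to-bottom http_access evaluation. It shows
# why a bare "example.com" entry in no_authentication_required does not match
# www.example.com while ".example.com" does, and why the unauthenticated allow
# must sit before any line that evaluates a proxy_auth ACL. The evaluation
# model is a simplification of Squid's (assumption).
from dataclasses import dataclass

AUTH_REQUIRED = "AUTH_REQUIRED"   # sentinel: proxy_auth ACL reached with no credentials


def dstdomain_match(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: a pattern beginning with '.' matches the
    domain itself and every subdomain; a bare name matches only exactly."""
    pattern = pattern.strip().lower()
    host = host.lower().rstrip(".")          # tolerate a trailing root dot
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


@dataclass
class Request:
    host: str
    credentials: bool = False   # True once the browser sends Proxy-Authorization


def make_acls(no_auth_file_lines):
    """Build the two ACLs named in the thread plus 'all'."""
    patterns = [line.strip() for line in no_auth_file_lines
                if line.strip() and not line.startswith("#")]

    def no_auth_unrestricted(req):
        return any(dstdomain_match(p, req.host) for p in patterns)

    def authenticated_user(req):
        # 'proxy_auth REQUIRED': with no credentials Squid cannot decide and
        # answers 407 as soon as this ACL has to be evaluated.
        return True if req.credentials else AUTH_REQUIRED

    return {
        "no_auth_unrestricted": no_auth_unrestricted,
        "authenticated_user": authenticated_user,
        "all": lambda req: True,
    }


def http_access(rules, acls, req):
    """Walk http_access lines in order; the first line whose ACLs all match
    decides. Returns 200 (allow), 403 (deny) or 407 (authentication needed)."""
    for action, names in rules:
        line_matches = True
        for name in names:
            result = acls[name](req)
            if result == AUTH_REQUIRED:
                return 407
            if not result:
                line_matches = False
                break
        if line_matches:
            return 200 if action == "allow" else 403
    return 403   # implicit deny when no line matched


# Rule order as in the thread: unauthenticated allow first, then an allow
# that needs proxy_auth, then deny all.
RULES_GOOD_ORDER = [
    ("allow", ["no_auth_unrestricted"]),
    ("allow", ["authenticated_user"]),
    ("deny", ["all"]),
]
# Same lines with the proxy_auth allow placed first (constructed misordering).
RULES_AUTH_FIRST = [
    ("allow", ["authenticated_user"]),
    ("allow", ["no_auth_unrestricted"]),
    ("deny", ["all"]),
]

# Two constructed versions of /usr/local/squid/no_authentication_required
NO_AUTH_BARE = ["example.com"]       # matches only example.com itself
NO_AUTH_DOTTED = [".example.com"]    # matches example.com and every subdomain


def outcome(file_lines, host, credentials=False, rules=RULES_GOOD_ORDER):
    """Status code the simulated proxy returns for one request."""
    return http_access(rules, make_acls(file_lines), Request(host, credentials))


if __name__ == "__main__":
    print("bare entry, www host, no creds  :", outcome(NO_AUTH_BARE, "www.example.com"))
    print("bare entry, www host, with creds:", outcome(NO_AUTH_BARE, "www.example.com", True))
    print("dotted entry, www host, no creds:", outcome(NO_AUTH_DOTTED, "www.example.com"))
    print("dotted entry, auth rule first   :",
          outcome(NO_AUTH_DOTTED, "www.example.com", rules=RULES_AUTH_FIRST))
```

Running it reproduces the symptom from the thread: with the bare entry, www.example.com falls through to the proxy_auth line (challenge, then allowed once credentials are cached), while the dotted entry is allowed on the first line. The last case shows that the dot alone is not enough if an authenticated allow precedes the unauthenticated one.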