Hi Amos, The changes you suggested worked perfectly. Thankyou. What I'm not quite sure of is why. I assume in this context, the "all" at the end of the line is not acting as a user list, but a URL list or something else? Regards, Dion -----Original Message----- From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] Sent: Thursday, 10 September 2009 11:30 AM To: squid-users@xxxxxxxxxxxxxxx Subject: Re: Squid/LDAP re-challenges browser on http_access deny On Thu, 10 Sep 2009 10:55:58 +1000, "Dion Beauglehall" <BeauglehallD@xxxxxxxxxxxxxxxxxxxx> wrote: > Hi, > > I’m configuring a squid proxy box with LDAP authentication, and ACLs based > on LDAP groups. I have the LDAP authentication working, as are groups. > > However, when I add a user to an “Access Denied” group, squid then causes > the browser to bring up a authentication dialog box. Most squid installs I > have seen bring up a squid “Cache Access Denied” screen at this point. > This is what I would like it to do. > > I am unsure if what I am experiencing is expected behaviour, or whether I > have an error in my config file. > > I am running Squid 2.7STABLE6 on a Windows 2008 server. Relevant lines > from squid.conf are below. Note that the LDAP works correctly, and so I > have not provided details. What is not acting as I expected is the > behaviour of Squid when it hits the “http_access deny accessdenied” line. > This seems to be what re-challenges the browser. > > As we are a school, we need to ensure that both the user is a valid user > (from the initial challenge, which collects their machine login, invisible > to the user), and that they have not been denied for some reason (hence the > denied group). The re-challenge will lead to students logging into squid > with their friends account. A Cache Access Denied screen is a much better > alternative. Yes it was a config issue. Re-writing your ACLs slightly to follow that exact logic as described above should solve your problem. > > Note that once I have this working, there will be other “denied” groups to > deny on, prior to allowing access. > > Any suggestions or ideas are appreciated. > > Regards, > Dion > > > auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ...... > auth_param basic children 5 > auth_param basic realm VSC > auth_param basic credentialsttl 5 minutes > > external_acl_type ldapgroup &LOGIN ...... > > acl ldap-auth proxy_auth REQUIRED > > acl accessdenied external ldapgroup InternetAccessDeny > acl accessallowed external ldapgroup InternetAccess > > http_access deny accessdenied Change the above line to: http_access deny accessdenied all ... which will produce the "Access Denied" page instead of a challenge. Any other denied groups need to go in here one to a line with "all" at the end of each line. After all them add a new line: http_access deny !ldap-auth ... which will cause Squid to challenge if no credentials are given yet. People who have given _any_ valid credentials will not be asked twice. This action was being done as side-effect of the accessdenied ACL test, but with the new version it needs to be done separately. > http_access allow accessallowed > http_access deny all Amos --- Scanned by M+ Guardian Messaging Firewall ---
