On Mon, 14 Sep 2009 12:12:27 +1000, "Dion Beauglehall" <beauglehalld@xxxxxxxxxxxxxxxxxxxx> wrote:
> Hi Amos,
>
> The changes you suggested worked perfectly. Thank you. What I'm not quite
> sure of is why. I assume in this context, the "all" at the end of the line
> is not acting as a user list, but a URL list or something else?

It's an IP-based test doing a very fast catch-all. This changes the type of
ACL last seen at denial, so Squid does not equate the deny with unusable
credentials and re-challenge.

Amos

>
> Regards,
> Dion
>
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: Thursday, 10 September 2009 11:30 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Squid/LDAP re-challenges browser on http_access deny
>
> On Thu, 10 Sep 2009 10:55:58 +1000, "Dion Beauglehall"
> <BeauglehallD@xxxxxxxxxxxxxxxxxxxx> wrote:
>> Hi,
>>
>> I’m configuring a squid proxy box with LDAP authentication, and ACLs based
>> on LDAP groups. I have the LDAP authentication working, as are groups.
>>
>> However, when I add a user to an “Access Denied” group, squid then causes
>> the browser to bring up an authentication dialog box. Most squid installs I
>> have seen bring up a squid “Cache Access Denied” screen at this point.
>> This is what I would like it to do.
>>
>> I am unsure if what I am experiencing is expected behaviour, or whether I
>> have an error in my config file.
>>
>> I am running Squid 2.7STABLE6 on a Windows 2008 server. Relevant lines
>> from squid.conf are below. Note that the LDAP works correctly, and so I
>> have not provided details. What is not acting as I expected is the
>> behaviour of Squid when it hits the “http_access deny accessdenied” line.
>> This seems to be what re-challenges the browser.
>>
>> As we are a school, we need to ensure that both the user is a valid user
>> (from the initial challenge, which collects their machine login, invisible
>> to the user), and that they have not been denied for some reason (hence the
>> denied group). The re-challenge will lead to students logging into squid
>> with their friends' account. A Cache Access Denied screen is a much better
>> alternative.
>
> Yes it was a config issue.
> Re-writing your ACLs slightly to follow that exact logic as described above
> should solve your problem.
>
>>
>> Note that once I have this working, there will be other “denied” groups to
>> deny on, prior to allowing access.
>>
>> Any suggestions or ideas are appreciated.
>>
>> Regards,
>> Dion
>>
>>
>> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ......
>> auth_param basic children 5
>> auth_param basic realm VSC
>> auth_param basic credentialsttl 5 minutes
>>
>> external_acl_type ldapgroup &LOGIN ......
>>
>> acl ldap-auth proxy_auth REQUIRED
>>
>> acl accessdenied external ldapgroup InternetAccessDeny
>> acl accessallowed external ldapgroup InternetAccess
>>
>> http_access deny accessdenied
>
> Change the above line to:
> http_access deny accessdenied all
>
> ... which will produce the "Access Denied" page instead of a challenge.
>
> Any other denied groups need to go in here, one to a line, with "all" at the
> end of each line.
>
>
> After all of them add a new line:
> http_access deny !ldap-auth
>
> ... which will cause Squid to challenge if no credentials are given yet.
> People who have given _any_ valid credentials will not be asked twice.
> This action was being done as a side-effect of the accessdenied ACL test, but
> with the new version it needs to be done separately.
>
>
>> http_access allow accessallowed
>> http_access deny all
>
>
> Amos
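The http_access section assembled in the order Amos describes, as an added example rather than a config posted in the thread. It assumes the auth_param and external_acl_type lines already shown above, that `acl all src all` is defined (as in the default Squid 2.7 squid.conf), and a hypothetical second denied LDAP group named InternetAccessDeny2.

```conf
# Added example: Squid 2.7 http_access ordering that returns the
# "Cache Access Denied" page instead of re-challenging the browser.
# Assumes the auth_param / external_acl_type lines from the thread and
# "acl all src all" are already present in squid.conf.

acl ldap-auth proxy_auth REQUIRED

# One external (LDAP group) ACL per denied group.
acl accessdenied  external ldapgroup InternetAccessDeny
acl accessdenied2 external ldapgroup InternetAccessDeny2   # hypothetical second group
acl accessallowed external ldapgroup InternetAccess

# Before (re-challenged the browser): the last ACL on the deny was the
# credential-bearing group test, so Squid treated the deny as bad credentials.
#http_access deny accessdenied

# After: the trailing "all" (an IP-based ACL that always matches) becomes the
# last ACL seen at denial, so Squid serves the denied page. Every denied group
# gets its own line, each ending in "all", before any allow line.
http_access deny accessdenied all
http_access deny accessdenied2 all

# Challenge only clients that have not yet presented valid credentials;
# users who already authenticated are not asked again.
http_access deny !ldap-auth

# Allow the permitted group, then deny everything else.
http_access allow accessallowed
http_access deny all
```

The deny lines must precede `http_access allow accessallowed`; a user in both an allowed and a denied group is otherwise admitted by the earlier allow.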