> >> Hello,
> >>
> >> I am trying to block Internet access for people who are members of one
> >> specific AD Security group called GSIFBENoInternetAccess but I get some
> >> issue with it.
> >>
> >> When I try the squid_ldap_group process from the shell, the mechanism is
> >> working well. My service account correctly requests our Active Directory
> >> and gives the right response ERR/OK.
> >>
> >> When I try this mechanism from the squid process, allow/deny is working
> >> well but before being blocked by squid_ldap_group I also receive an
> >> authentication popup box .. I simply press on CANCEL and receive the
> >> personalized error page.
> >>
> >> I have read on the net this may come from multiple authentication but I
> >> do not see this in my case and if this is the case thanks to explain to
> >> me what's wrong with this .. Is this coming from the line with ntlmauth
> >> just afterwards and how is it possible to make this work without the
> >> authentication box ??
>
> Yes it is.
>
> >> # my config
> >>
> >> ...
> >> auth_param ntlm program /usr/local/bin/ntlm_auth
> >> --helper-protocol=squid-2.5-ntlmssp
> >> auth_param ntlm children 32
> >> auth_param ntlm keep_alive on
> >> acl ntlmauth proxy_auth REQUIRED
> >> ...
> >> external_acl_type gg_nointernet ttl=3600 children=8 %LOGIN
> >> /usr/local/bin/squid_ldap_group ... -p 389 -P -t 2 -c 3 -R -S +
> >> acl GSIFBENoInternetAccess external gg_nointernet GSIFBENoInternetAccess
> >> ...
>
> Replace this:
>
> >> http_access deny GSIFBENoInternetAccess
> >> deny_info ERR_LDAP GSIFBENoInternetAccess
>
> with this:
>
>   # maybe needed to force credentials to be present
>   #
>   http_access deny !ntlmauth
>
>   # do the group checking and custom denial page
>   # without another auth popup.
>   #
>   acl ldapErrPage src all
>   deny_info ERR_LDAP ldapErrPage
>   http_access deny GSIFBENoInternetAccess ldapErrPage
>
>
> >> http_access allow ntlmauth
> >> http_reply_access allow all
> >> http_access deny all

First of all, many thanks for the quick reply .. I tried your proposal and it seems to work.
I still have to check everything is ok at the ldap and ntlm level but it seems fine until now ..

About your config there is something I do not understand .. when I look at what I tried before, I deny all members of group GSIFBENoInternetAccess before requesting authentication, so afaik processing stops after the first line .. Is this correct and am I saying something wrong with this ??

http_access deny GSIFBENoInternetAccess
http_access allow ntlmauth
http_reply_access allow all
http_access deny all

When I look at your proposal, what I understand is: the client is first asked to authenticate (407), then you simply define an acl matching everything, you deny all members of GSIFBENoInternetAccess for everybody (ldapErrPage is matching in this case 0.0.0.0/0.0.0.0) and last but not least, but this part is not clear for me, you request credentials for the second time:

http_access deny !ntlmauth
acl ldapErrPage src all
deny_info ERR_LDAP ldapErrPage
http_access deny GSIFBENoInternetAccess ldapErrPage
http_access allow ntlmauth
http_reply_access allow all
http_access deny all

In other words .... why did you force authentication before and after the ldap group ? I see ntlmauth two times, so you should authenticate two times for the same request, right ?
Why did you define an acl called ldapErrPage ? Is it not enough without ldapErrPage ?

Many thanks for your answers.

> >>
> >>
> >> Many thanks for helping me.
> >> Vincent.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
>   Current Beta Squid 3.1.0.13
>

-----------------------------------------------------------------
ATTENTION: The information in this electronic mail message is private and confidential, and only intended for the addressee. Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Please inform the sender by reply transmission and delete the message without copying or opening it.

Messages and attachments are scanned for all viruses known. If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them.
-----------------------------------------------------------------
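The difference between the two http_access orderings quoted in the thread comes down to a documented Squid rule: when a request is denied by a line whose last ACL needs credentials (a proxy_auth ACL, or an external ACL whose format carries %LOGIN), Squid answers with a 407 challenge rather than a 403, so the browser shows the login popup before it shows the deny_info page. Appending the always-true `ldapErrPage` (src all) makes a plain src ACL the last one on the deny line, which turns the reply into a 403 carrying ERR_LDAP. The toy model below is an added illustration written for this page, not Squid's code; the ACL table and the group-membership predicate are constructed stand-ins for the ntlm_auth and squid_ldap_group helpers, and the two config fragments are the ones from the thread.

```python
"""Toy model of how Squid walks http_access lines and picks between a 403
(deny page) and a 407 (authentication challenge).  Added illustration, not
Squid's own code; the two config fragments are the ones quoted in the thread."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# ACL types that cannot be evaluated without credentials: proxy_auth, and an
# external ACL whose format contains %LOGIN (Squid authenticates the client
# before it ever calls the helper).
AUTH_KINDS = {"proxy_auth", "external_login"}


@dataclass
class Request:
    user: Optional[str]                    # None until the browser answers a 407
    groups: FrozenSet[str] = frozenset()   # constructed stand-in for the LDAP lookup


# The acl definitions from the thread as (type, predicate).  The group predicate
# replaces the real squid_ldap_group helper call.
ACLS: Dict[str, Tuple[str, Callable[[Request], bool]]] = {
    "ntlmauth": ("proxy_auth", lambda r: r.user is not None),
    "GSIFBENoInternetAccess": ("external_login",
                               lambda r: "GSIFBENoInternetAccess" in r.groups),
    "ldapErrPage": ("src", lambda r: True),   # acl ldapErrPage src all
    "all": ("src", lambda r: True),
}


def parse(conf: str) -> Tuple[List[Tuple[str, List[str]]], Dict[str, str]]:
    """Pull http_access and deny_info lines out of a squid.conf fragment.
    acl / http_reply_access lines are skipped: the table above covers them."""
    rules: List[Tuple[str, List[str]]] = []
    deny_info: Dict[str, str] = {}
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
        elif parts[0] == "deny_info":
            deny_info[parts[2]] = parts[1]          # deny_info <page> <acl>
    return rules, deny_info


def decide(conf: str, req: Request) -> Tuple[int, Optional[str]]:
    """First matching http_access line wins.  Two rules separate 403 from 407:
    reaching an auth-type ACL with no credentials challenges at once, and a
    deny whose last ACL is auth-type is answered with 407 instead of 403.
    deny_info is looked up by the name of the last ACL evaluated."""
    rules, deny_info = parse(conf)
    for action, terms in rules:
        last = ""
        matched = True
        for term in terms:
            negate = term.startswith("!")
            last = term.lstrip("!")
            kind, pred = ACLS[last]
            if kind in AUTH_KINDS and req.user is None:
                return 407, deny_info.get(last, "ERR_CACHE_ACCESS_DENIED")
            if pred(req) == negate:          # this term failed, line does not match
                matched = False
                break
        if not matched:
            continue
        if action == "allow":
            return 200, None
        if ACLS[last][0] in AUTH_KINDS:      # denied on an auth ACL: re-challenge
            return 407, deny_info.get(last, "ERR_CACHE_ACCESS_DENIED")
        return 403, deny_info.get(last, "ERR_ACCESS_DENIED")
    # No line matched: Squid applies the opposite of the last line's action.
    return (200, None) if rules[-1][0] == "deny" else (403, "ERR_ACCESS_DENIED")


# Vincent's original ordering and Amos's replacement, as quoted in the thread.
ORIGINAL = """
http_access deny GSIFBENoInternetAccess
deny_info ERR_LDAP GSIFBENoInternetAccess
http_access allow ntlmauth
http_reply_access allow all
http_access deny all
"""
FIXED = """
http_access deny !ntlmauth
acl ldapErrPage src all
deny_info ERR_LDAP ldapErrPage
http_access deny GSIFBENoInternetAccess ldapErrPage
http_access allow ntlmauth
http_reply_access allow all
http_access deny all
"""

if __name__ == "__main__":
    member = Request("vincent", frozenset({"GSIFBENoInternetAccess"}))
    anon = Request(None)
    print("original, member:", decide(ORIGINAL, member))  # (407, 'ERR_LDAP'): popup, then the page
    print("fixed, member:   ", decide(FIXED, member))     # (403, 'ERR_LDAP'): the page, no popup
    print("fixed, no creds: ", decide(FIXED, anon))       # (407, 'ERR_CACHE_ACCESS_DENIED'): the one real challenge
```

The model also shows why `http_access deny !ntlmauth` does not cause a second login: once the browser has completed the NTLM exchange, the request carries credentials, `!ntlmauth` simply fails to match and evaluation moves on to the group line; the only 407 a group member sees with the fixed ordering is the initial one. On a real Squid the same distinction is visible in access.log as TCP_DENIED/407 versus TCP_DENIED/403 for the blocked user.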