vincent.blondel@xxxxxx wrote:
Hello,
I am trying to block Internet access for people who are members of one specific AD Security group called GSIFBENoInternetAccess, but I get an issue with it.
When I try the squid_ldap_group process from the shell, the mechanism is working well. My service account correctly requests our Active Directory and gives the right response ERR/OK.
When I try this mechanism from the squid process, allow/deny is working well, but before being blocked by squid_ldap_group I also receive an authentication popup box .. I simply press CANCEL and receive the personalized error page.
I have read on the net this may come from multiple authentication, but I do not see this in my case, and if this is the case, thanks for explaining to me what's wrong with this .. Is this coming from the line with ntlmauth just afterwards, and how is it possible to make this work without the authentication box ??
Yes it is.
# my config
...
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 32
auth_param ntlm keep_alive on
acl ntlmauth proxy_auth REQUIRED
...
external_acl_type gg_nointernet ttl=3600 children=8 %LOGIN
/usr/local/bin/squid_ldap_group ... -p 389 -P -t 2 -c 3 -R -S +
acl GSIFBENoInternetAccess external gg_nointernet GSIFBENoInternetAccess
...
Replace this:
http_access deny GSIFBENoInternetAccess
deny_info ERR_LDAP GSIFBENoInternetAccess
with this:
# maybe needed to force credentials to be present
#
http_access deny !ntlmauth
# do the group checking and custom denial page
# without another auth popup.
#
acl ldapErrPage src all
deny_info ERR_LDAP ldapErrPage
http_access deny GSIFBENoInternetAccess ldapErrPage
http_access allow ntlmauth
http_reply_access allow all
http_access deny all
First of all, many thanks for the quick reply ..
I tried your proposal and it seems to work. I still have to check everything is ok at ldap and ntlm level, but it seems fine until now ..
About your config there is something I do not understand ..
When I look at what I tried before, I deny all members of group GSIFBENoInternetAccess before requesting authentication, so afaik processing stops after the first line .. Is this correct, and do I say something wrong with this ??
http_access deny GSIFBENoInternetAccess
http_access allow ntlmauth
http_reply_access allow all
http_access deny all
When I look at your proposal, what I understand is: the client is first asked for authentication (407), then you simply define an acl matching everything, you deny all members of GSIFBENoInternetAccess for everybody (ldapErrPage is matching in this case 0.0.0.0/0.0.0.0), and last but not least, but this part is not clear for me, you request credentials for the second time
http_access deny !ntlmauth
acl ldapErrPage src all
deny_info ERR_LDAP ldapErrPage
http_access deny GSIFBENoInternetAccess ldapErrPage
http_access allow ntlmauth
http_reply_access allow all
http_access deny all
In other words .... why did you force authentication before and after the ldap group ?
'allow ntlmauth' will not request authentication from the client browser.
'deny !ntlmauth' will request authentication if it is fully *missing*.
'deny !ntlmauth' will request authentication if it is not in your user database.
I see ntlmauth two times, so you should authenticate two times for the same request, right ?
No. see above.
Why did you define an acl called ldapErrPage; without ldapErrPage, is it not enough ?
ldapErrPage is a dummy ACL. So that the auth headers/popup don't occur over your custom page.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.13
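As an added illustration (not code from the thread or from Squid itself), here is a small Python model of the http_access walk discussed above, showing why the original ordering answers group members with a 407 over the ERR_LDAP page while Amos' ordering answers a plain 403. The challenge rules are the thread's explanation of Squid's behaviour, and the group membership is constructed sample data.

```python
# Added model of how Squid walks http_access (not Squid's code). Assumptions
# taken from the thread: an ACL that needs a login (proxy_auth, or an external
# ACL fed %LOGIN such as gg_nointernet) raises a 407 challenge when no
# credentials are present; a deny whose LAST acl needs a login answers 407
# (popup) instead of 403; deny_info is keyed on that last ACL.
NO_INTERNET = {"vincent"}  # constructed members of GSIFBENoInternetAccess

ACLS = {  # name -> (needs_login, matches(user))
    "ntlmauth": (True, lambda u: True),                            # proxy_auth REQUIRED
    "GSIFBENoInternetAccess": (True, lambda u: u in NO_INTERNET),  # external, %LOGIN
    "ldapErrPage": (False, lambda u: True),                        # src all (dummy)
    "all": (False, lambda u: True),
}

def http_access(rules, deny_info, user):
    """rules: [(action, [acl, ...])] in file order; user=None means no
    credentials. Returns (status, page): 200 allowed, 403 custom error
    page, 407 authentication challenge (the browser popup)."""
    for action, acls in rules:
        for acl in acls:
            name = acl.lstrip("!")
            needs_login, matches = ACLS[name]
            if needs_login and user is None:
                return 407, "ERR_CACHE_ACCESS_DENIED"  # challenge for credentials
            hit = matches(user) != acl.startswith("!")  # apply '!' negation
            if not hit:
                break  # one ACL failed: this line does not apply
        else:  # every ACL on the line matched: first matching line decides
            if action == "allow":
                return 200, None
            last = acls[-1].lstrip("!")
            page = deny_info.get(last, "ERR_ACCESS_DENIED")
            return (407 if ACLS[last][0] else 403), page
    return 200, None  # nothing matched: Squid takes the opposite of the last line

# Vincent's original ordering: the group ACL is the last (and only) ACL on the
# deny line, so members get a 407 plus ERR_LDAP, i.e. a popup over the page.
ORIGINAL = [("deny", ["GSIFBENoInternetAccess"]),
            ("allow", ["ntlmauth"]),
            ("deny", ["all"])]
ORIGINAL_INFO = {"GSIFBENoInternetAccess": "ERR_LDAP"}

# Amos' ordering: credentials are forced first, then the dummy src-all ACL is
# last on the deny line, so the denial is a plain 403 carrying ERR_LDAP.
PROPOSED = [("deny", ["!ntlmauth"]),
            ("deny", ["GSIFBENoInternetAccess", "ldapErrPage"]),
            ("allow", ["ntlmauth"]),
            ("deny", ["all"])]
PROPOSED_INFO = {"ldapErrPage": "ERR_LDAP"}
```

Call `http_access(ORIGINAL, ORIGINAL_INFO, "vincent")` and `http_access(PROPOSED, PROPOSED_INFO, "vincent")` to compare the two answers a group member receives.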