
Re: Using LDAP authentication only on one cache_peer in Squid 3 STABLE 16


 



Eric Van Steenbergen wrote:
Hello all,

I'm trying to configure Squid to ask for authentication using LDAP but
ONLY on one cache_peer. Before I had it activated on all servers and
it worked perfectly. All the other webservers however have their own
authentication except this wiki.

This is what I have in my squid.conf in regards to this particular site.
Code:

cache_peer 172.25.XXX.XXX parent 80 0 no-query originserver name=wiki

acl site_wiki dstdomain wiki.tradisa.com
cache_peer_access wiki allow site_wiki
auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=es" -D "cn=squid,cn=Users,dc=domain,dc=es" -w "ldapuser" -f sAMAccountName=%s -h 172.25.XXX.XXX

auth_param basic children 1
auth_param basic credentialsttl 5 minutes
cache_peer_access wiki deny all
acl wiki_users proxy_auth REQUIRED
cache_peer_access wiki allow wiki_users

Taking the above config and erasing unused lines we end up with:

  cache_peer 172.25.XXX.XXX parent 80 0 no-query originserver name=wiki

  acl site_wiki dstdomain wiki.tradisa.com

  cache_peer_access wiki allow site_wiki
  cache_peer_access wiki deny all



http_access allow wiki_users

http_access deny all

however I go straight to the website without it asking for
authentication. If I put in the http_access rules as at the end of the
'code' part then authentication gets asked for all the sites. How
would I go about just configuring this one server so that it asks for
authentication?

You are missing all sorts of important config lines. Such as whether or not any other peers of this proxy are accepting site_wiki traffic.


LDAP authentication is working perfectly, it's just an error in my
definition as stated above. I'm missing something but I cannot see it.
Of course IPs and names have been changed before posting.

All help is greatly appreciated.

http://wiki.squid-cache.org/SquidFaq/SquidAcl


cache_peer_access is a 'fast' group ACL. It cannot kick off and wait for authentication.
  http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs


Authentication needs to happen in the http_access instead.

  cache_peer 172.25.XXX.XXX parent 80 0 no-query originserver name=wiki

  cache_peer_access wiki allow site_wiki
  cache_peer_access wiki deny all

  http_access allow site_wiki wiki_users


To safely operate your Squid you _really_ need to know how that works and why:
  http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.15
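
An added example, not part of the thread or of Squid itself: a small Python check that reports any authentication-type ACL referenced from cache_peer_access, the mistake diagnosed in the reply above. The function name `lint` and the partial list of slow ACL types are assumptions of this example; the two inputs are constructed from the directives quoted in the thread.

```python
# Added example (not from the thread): flag ACLs that need an authentication
# helper when they are referenced from a fast-only directive.

# Assumption: a partial list of "slow" ACL types; proxy_auth is the one at issue here.
SLOW_ACL_TYPES = {"proxy_auth", "proxy_auth_regex", "external"}
# From the thread: cache_peer_access is a fast check and cannot wait for auth.
FAST_ONLY_DIRECTIVES = {"cache_peer_access"}


def lint(conf_text):
    """Return (line_no, directive, acl_name, acl_type) for each misuse found."""
    rows = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        if tokens and not tokens[0].startswith("#"):
            rows.append((line_no, tokens))

    # Pass 1: map each ACL name to its type ("acl <name> <type> <args...>").
    acl_types = {t[1]: t[2] for _, t in rows if t[0] == "acl" and len(t) >= 3}

    # Pass 2: "<directive> <peer> allow|deny [!]acl ..." -> check every ACL named.
    findings = []
    for line_no, t in rows:
        if t[0] in FAST_ONLY_DIRECTIVES:
            for name in t[3:]:
                acl_type = acl_types.get(name.lstrip("!"))
                if acl_type in SLOW_ACL_TYPES:
                    findings.append((line_no, t[0], name.lstrip("!"), acl_type))
    return findings


# Constructed inputs built from the directives quoted in the thread.
ORIGINAL = """\
acl site_wiki dstdomain wiki.tradisa.com
acl wiki_users proxy_auth REQUIRED
cache_peer_access wiki allow site_wiki
cache_peer_access wiki deny all
cache_peer_access wiki allow wiki_users
"""
SUGGESTED = """\
acl site_wiki dstdomain wiki.tradisa.com
acl wiki_users proxy_auth REQUIRED
cache_peer_access wiki allow site_wiki
cache_peer_access wiki deny all
http_access allow site_wiki wiki_users
"""

if __name__ == "__main__":
    for finding in lint(ORIGINAL):
        print("line %d: %s references %s (type %s)" % finding)
```
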
