Jeroen Ruijter wrote:
Dear Sir/Madam,
I've tried to activate LDAP authentication for Squid.
Users have to authenticate, but it doesn't matter if they are in one of
the two groups you have to be a member of.
Then when a user with restrictions opens a link like schoolbank.nl for
instance they get a login screen that doesn't disappear anymore.
A user without restrictions can open the link without any problem.
Can you give me a clue?
Regards Jeroen Ruijter
Active Directory Windows 2003
Domain.local
- Proxy
- InternetAccessGroup
- InternetAccessGroupRestricted
----------------------------------------------------------------
Squid.conf (version 3.0 installed on SuSE 11.2)
auth_param basic program /usr/sbin/squid_ldap_auth -v 3 -R -b
"dc=domain,dc=local" -D "cn=ldapuser,cn=users,dc=domain,dc=local" -w
"xxxxx" -f sAMAccountName=%s -h x.x.x.x
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour
external_acl_type InetGroup %LOGIN /usr/sbin/squid_ldap_group -v 3 -R -b
"dc=domain,dc=local" -D "cn=ldapuser,cn=users,dc=domain,dc=local" -w
"xxxxx" -f "(&(objectclass=person) (sAMAccountName=%v)
(memberof=cn=%a,ou=proxy,dc=domain,dc=local))" -h x.x.x.x
acl users proxy_auth REQUIRED
acl InetAccess external InetGroup InternetAccessGroup
acl InetAccessRestricted external InetGroup
InternetAccessGroupRestricted
acl schoolbank.nl url_regex schoolbank.nl
acl schoolbank dstdomain .schoolbank.nl
* avoid regex like the plague in squid.conf.
acl users proxy_auth REQUIRED
... duplicate.
http_access deny schoolbank.nl !InetAccess
users who are not a member of "InternetAccessGroup" will be challenged
to provide new credentials. This your problem?
http_access allow localnet users
missing:
http_access deny all
The details are beyond me, so if its not that ACL issue I can't offer
much help sorry.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.15
