Dear Amos,

It didn't work but you did help me to understand better how the acl works.
Users can now only access the internet when they are a member of InetAccessGroup
And when they access schoolbank.nl users also a member of InetAccessGroupRestricted are asked for their username and password again.
And again and again and again...
I expected an "access denied" instead...

Regards Jeroen

-----Original message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Friday 4 December 2009 0:59
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Squid_Ldap_Group

Jeroen Ruijter wrote:
> Dear Sir/Madam,
>
> I've tried to activate LDAP authentication for Squid.
> Users have to authenticate, but it doesn't matter if they are in one of
> the two groups you have to be a member of.
>
> Then when a user with restrictions opens a link like schoolbank.nl for
> instance they get a login screen that doesn't disappear anymore.
> A user without restrictions can open the link without any problem.
>
> Can you give me a clue?
>
> Regards Jeroen Ruijter
>
>
>
> Active Directory Windows 2003
>
> Domain.local
> - Proxy
> - InternetAccessGroup
> - InternetAccessGroupRestricted
>
> ----------------------------------------------------------------
>
> Squid.conf (version 3.0 installed on SuSE 11.2)
> auth_param basic program /usr/sbin/squid_ldap_auth -v 3 -R -b
> "dc=domain,dc=local" -D "cn=ldapuser,cn=users,dc=domain,dc=local" -w
> "xxxxx" -f sAMAccountName=%s -h x.x.x.x
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hour
>
> external_acl_type InetGroup %LOGIN /usr/sbin/squid_ldap_group -v 3 -R -b
> "dc=domain,dc=local" -D "cn=ldapuser,cn=users,dc=domain,dc=local" -w
> "xxxxx" -f "(&(objectclass=person) (sAMAccountName=%v)
> (memberof=cn=%a,ou=proxy,dc=domain,dc=local))" -h x.x.x.x
>
> acl users proxy_auth REQUIRED
> acl InetAccess external InetGroup InternetAccessGroup
> acl InetAccessRestricted external InetGroup
> InternetAccessGroupRestricted
> acl schoolbank.nl url_regex schoolbank.nl

acl schoolbank dstdomain .schoolbank.nl

* avoid regex like the plague in squid.conf.

> acl users proxy_auth REQUIRED

... duplicate.

>
> http_access deny schoolbank.nl !InetAccess

users who are not a member of "InternetAccessGroup" will be challenged to provide new credentials. This your problem?

> http_access allow localnet users

missing:
http_access deny all

The details are beyond me, so if it's not that ACL issue I can't offer much help sorry.

Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.15
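
The repeated login prompt described in this thread, as an added squid.conf example that is not part of the original messages: Squid answers a matching deny line with 407 (re-authenticate) rather than 403 (access denied) when the last ACL on that line is an authentication-type ACL, which includes proxy_auth and an external ACL that uses %LOGIN. The ACL names are the thread's; the policy (restricted group blocked from schoolbank.nl, everyone else needs InternetAccessGroup) and the existence of a `localnet` ACL elsewhere in the file are assumptions.

```conf
# Added example, not the poster's final configuration.
# auth_param and external_acl_type InetGroup lines stay as in the quoted squid.conf.

acl users proxy_auth REQUIRED
acl InetAccess external InetGroup InternetAccessGroup
acl InetAccessRestricted external InetGroup InternetAccessGroupRestricted
acl schoolbank dstdomain .schoolbank.nl

# Challenge once. proxy_auth is the last ACL on this deny line, so a client
# with missing or wrong credentials gets 407 and the browser shows the prompt.
http_access deny !users

# Before (assumed form of the rule that loops): the group ACL is last on the
# deny line, so a correctly logged-in restricted user is answered with 407
# every time and the browser keeps asking for a password.
#http_access deny schoolbank InetAccessRestricted

# After: "all" is last. It always matches and is not an authentication ACL,
# so the same match is answered with 403 Access Denied and no new prompt.
http_access deny schoolbank InetAccessRestricted all

# Same pattern for the general group requirement: authenticated users who
# are not in InternetAccessGroup get 403 instead of another login box.
http_access deny !InetAccess all

# Only authenticated group members on the local network reach this line.
http_access allow localnet

# Explicit final rule, as suggested in the reply.
http_access deny all
```

After changing the rules, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` applies it.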