Re: Squid ldap group authentication with Zimbra LDAP

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Kevin Kimani wrote:
> Find below the configurations placed in my config file
>
> auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b
> dc=openworld,dc=co,dc=ke -f "(&(uid=%s)(objectClass=zimbraAccount))"
> -h 192.168.111.130
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hour
>
> external_acl_type InetGroup ttl=300 %LOGIN
> /usr/lib/squid/squid_ldap_group -v 3 -b dc=openworld,dc=co,dc=ke -B
> "uid=zimbra,cn=admins,cn=zimbra" -w ldapadmin -f
> "(&(uid=%u)(objectClass=zimbraAccount))" -h 192.168.111.130
>
> acl ldapauth proxy_auth REQUIRED
> acl InetAccess external InetGroup Admins
>
> http_access allow InetAccess
> http_access allow my_network
>
> For authentication of a single user it works since it asks for
> authentication but group authentication it aint.

There is nothing in that http_access list to prevent access. Everyone 
who is ether an "Admin" group or "my_network" has full access.

You need either:
 1) if you want a whole group bocked: an additional "acl InetDenied 
external InetGroup ..." for the group(s).

or
2) if you want individuals blocked: an "acl InetDenied proxy_user ..." 
listing the usernames.

... along with "http_access deny IdentDenied" to prevent the selected 
users having web access. Probably right after the admin permit line.

Amos

> Regards
>
>
> On Tue, Feb 23, 2010 at 11:29 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> > Kevin Kimani wrote:
> > > Hi all,
> > > Am having a problem trying to authenticate a group that i have set up
> > > in my zimbra mail server. the users are stored in an ldap database
> > > thus thought that authentication would just be the same as other ldap
> > > databases. am able to authenticate users in singular but want to barr
> > > some users in a particular group. the command i have is letting
> > > everyone access the internet. "external_acl_type InetGroup %LOGIN
> > > /usr/lib/squid/squid_ldap_group -v 3 -b dc=xxxxxx,dc=co,dc=ke -f
> > > "(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
> > > would anyne have an idea how to go about it? am in terrible need for it to
> > > work.
> > > Regards
> > external_acl_type merely runs a lookup helper, you have additional "acl"
> > lines specifying how its used and various http_access lines as well
> > specifying how the acl lines affect peoples HTTP requests.
> >  We need to know all those other lines to tell what/why you have this
> > problem.
> >
> > Amos
> > --
> > Please be using
> >  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
> >  Current Beta Squid 3.1.0.16


--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
  Current Beta Squid 3.1.0.16