oops had left out the deny part

acl ldapauth proxy_auth REQUIRED
acl InetAccess external InetGroup Admins
acl InetDeny external InetGroup Users

http_access deny InetDeny
http_access deny bannedips
http_access allow InetAccess
http_access allow my_network

When I do this, all are blocked from accessing the internet either from group Admin or users.

Regards

On Tue, Feb 23, 2010 at 12:38 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> Kevin Kimani wrote:
>>
>> Find below the configurations placed in my config file
>>
>> auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b
>> dc=openworld,dc=co,dc=ke -f "(&(uid=%s)(objectClass=zimbraAccount))"
>> -h 192.168.111.130
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hour
>>
>> external_acl_type InetGroup ttl=300 %LOGIN
>> /usr/lib/squid/squid_ldap_group -v 3 -b dc=openworld,dc=co,dc=ke -B
>> "uid=zimbra,cn=admins,cn=zimbra" -w ldapadmin -f
>> "(&(uid=%u)(objectClass=zimbraAccount))" -h 192.168.111.130
>>
>> acl ldapauth proxy_auth REQUIRED
>> acl InetAccess external InetGroup Admins
>>
>> http_access allow InetAccess
>> http_access allow my_network
>>
>> For authentication of a single user it works since it asks for
>> authentication but group authentication it ain't.
>
> There is nothing in that http_access list to prevent access. Everyone who is
> either an "Admin" group or "my_network" has full access.
>
> You need either:
> 1) if you want a whole group blocked: an additional "acl InetDenied external
> InetGroup ..." for the group(s).
>
> or
> 2) if you want individuals blocked: an "acl InetDenied proxy_user ..."
> listing the usernames.
>
> ... along with "http_access deny IdentDenied" to prevent the selected users
> having web access. Probably right after the admin permit line.
>
> Amos
>
>>
>> Regards
>>
>>
>> On Tue, Feb 23, 2010 at 11:29 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> wrote:
>>>
>>> Kevin Kimani wrote:
>>>>
>>>> Hi all,
>>>> Am having a problem trying to authenticate a group that I have set up
>>>> in my zimbra mail server. The users are stored in an ldap database
>>>> thus thought that authentication would just be the same as other ldap
>>>> databases. Am able to authenticate users in singular but want to bar
>>>> some users in a particular group. The command I have is letting
>>>> everyone access the internet. "external_acl_type InetGroup %LOGIN
>>>> /usr/lib/squid/squid_ldap_group -v 3 -b dc=xxxxxx,dc=co,dc=ke -f
>>>> "(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
>>>> Would anyone have an idea how to go about it? Am in terrible need for it
>>>> to work.
>>>> Regards
>>>
>>> external_acl_type merely runs a lookup helper, you have additional "acl"
>>> lines specifying how it's used and various http_access lines as well
>>> specifying how the acl lines affect people's HTTP requests.
>>> We need to know all those other lines to tell what/why you have this
>>> problem.
>>>
>>> Amos
>>> --
>>> Please be using
>>>   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
>>>   Current Beta Squid 3.1.0.16
>>>
>
>
> --
> Please be using
>   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
>   Current Beta Squid 3.1.0.16
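
The thread turns on how http_access lines are walked in order, so here is an added example (not part of the thread and not Squid code): a small Python model of first-match evaluation applied to the two rule lists posted above. The users, addresses, the contents of `my_network` and `bannedips`, and the `user_only_lookup` helper are constructed assumptions.

```python
# Added illustration (not Squid code): http_access rules are checked top to
# bottom; the first match decides, else the opposite of the last rule applies.

# Constructed sample data; none of these values come from the thread.
GROUPS = {"alice": {"Admins"}, "bob": {"Users"}}
MY_NETWORK_PREFIX = "192.168.111."  # assumed meaning of the my_network ACL
BANNED_IPS = {"192.168.111.66"}     # assumed content of the bannedips ACL


def real_lookup(user, group):
    """External ACL helper that really tests membership of user in group."""
    return group in GROUPS.get(user, set())


def user_only_lookup(user, group):
    """Hypothetical helper whose search finds the user and ignores group."""
    return user in GROUPS


def make_acls(lookup):
    """Build the four ACLs named in the thread on top of a group lookup."""
    return {
        "InetAccess": lambda req: lookup(req["user"], "Admins"),
        "InetDeny": lambda req: lookup(req["user"], "Users"),
        "bannedips": lambda req: req["ip"] in BANNED_IPS,
        "my_network": lambda req: req["ip"].startswith(MY_NETWORK_PREFIX),
    }


def http_access(rules, acls, req):
    """Return 'allow' or 'deny' for req using first-match semantics."""
    for action, acl_name in rules:
        if acls[acl_name](req):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The two rule lists posted in the thread, in their original order.
ORIGINAL = [("allow", "InetAccess"), ("allow", "my_network")]
REVISED = [("deny", "InetDeny"), ("deny", "bannedips"),
           ("allow", "InetAccess"), ("allow", "my_network")]
ALICE = {"user": "alice", "ip": "192.168.111.10"}  # constructed Admins member
BOB = {"user": "bob", "ip": "192.168.111.11"}      # constructed Users member

if __name__ == "__main__":
    for lookup in (real_lookup, user_only_lookup):
        for req in (ALICE, BOB):
            print(lookup.__name__, req["user"],
                  http_access(REVISED, make_acls(lookup), req))
```

With `real_lookup` only BOB is stopped by `deny InetDeny`; with `user_only_lookup` both requests match that first line, which gives the all-blocked outcome.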