Kevin Kimani wrote:
Oops, had left out the deny part
acl ldapauth proxy_auth REQUIRED
acl InetAccess external InetGroup Admins
acl InetDeny external InetGroup Users
http_access deny InetDeny
http_access deny bannedips
http_access allow InetAccess
http_access allow my_network
When I do this, all are blocked from accessing the internet either
from group Admin or users.
Then I guess your "Admin" user is also a member of "Users" or is using
one of the "bannedips".
If not that then it's something else in the config which you are not showing.
Amos
On Tue, Feb 23, 2010 at 12:38 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Kevin Kimani wrote:
Find below the configurations placed in my config file
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b dc=openworld,dc=co,dc=ke -f "(&(uid=%s)(objectClass=zimbraAccount))" -h 192.168.111.130
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour
external_acl_type InetGroup ttl=300 %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b dc=openworld,dc=co,dc=ke -B "uid=zimbra,cn=admins,cn=zimbra" -w ldapadmin -f "(&(uid=%u)(objectClass=zimbraAccount))" -h 192.168.111.130
acl ldapauth proxy_auth REQUIRED
acl InetAccess external InetGroup Admins
http_access allow InetAccess
http_access allow my_network
For authentication of a single user it works since it asks for
authentication but group authentication it ain't.
There is nothing in that http_access list to prevent access. Everyone who is
either an "Admin" group or "my_network" has full access.
You need either:
1) if you want a whole group blocked: an additional "acl InetDenied external
InetGroup ..." for the group(s).
or
2) if you want individuals blocked: an "acl InetDenied proxy_user ..."
listing the usernames.
... along with "http_access deny IdentDenied" to prevent the selected users
having web access. Probably right after the admin permit line.
Amos
Regards
On Tue, Feb 23, 2010 at 11:29 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Kevin Kimani wrote:
Hi all,
Am having a problem trying to authenticate a group that I have set up
in my Zimbra mail server. The users are stored in an LDAP database,
thus thought that authentication would just be the same as other LDAP
databases. Am able to authenticate users in singular but want to bar
some users in a particular group. The command I have is letting
everyone access the internet. "external_acl_type InetGroup %LOGIN
/usr/lib/squid/squid_ldap_group -v 3 -b dc=xxxxxx,dc=co,dc=ke -f
"(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
Would anyone have an idea how to go about it? Am in terrible need for it to work.
Regards
external_acl_type merely runs a lookup helper, you have additional "acl"
lines specifying how it's used and various http_access lines as well
specifying how the acl lines affect people's HTTP requests.
We need to know all those other lines to tell what/why you have this
problem.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
Current Beta Squid 3.1.0.16
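
A minimal Python model of the first-match http_access evaluation discussed in this thread, added as an illustration and not part of the original messages or of Squid itself. The user names, group memberships, the addresses behind bannedips and my_network, and the REORDERED list are constructed assumptions, since the thread does not show them.

```python
import ipaddress

# Group ACLs mirror the thread; the addresses behind bannedips and
# my_network are constructed (the thread never shows those lines).
ACLS = {
    "InetAccess": ("group", "Admins"),
    "InetDeny": ("group", "Users"),
    "bannedips": ("src", ["192.0.2.66/32"]),
    "my_network": ("src", ["192.0.2.0/24"]),
}
# http_access lines in the order Kevin posted them.
RULES = [("deny", ["InetDeny"]), ("deny", ["bannedips"]),
         ("allow", ["InetAccess"]), ("allow", ["my_network"])]
# Assumed alternative: the admin permit line first, the group deny after it.
REORDERED = [("allow", ["InetAccess"]), ("deny", ["InetDeny"]),
             ("deny", ["bannedips"]), ("allow", ["my_network"])]

def acl_matches(name, req):
    kind, value = ACLS[name]
    if kind == "group":  # stands in for the squid_ldap_group helper lookup
        return value in req["groups"]
    addr = ipaddress.ip_address(req["src"])
    return any(addr in ipaddress.ip_network(net) for net in value)

def http_access(req, rules=RULES):
    """Return (verdict, deciding line); the first matching line wins."""
    for action, names in rules:
        # ACL names on one http_access line are ANDed together.
        if all(acl_matches(n, req) for n in names):
            return action, "http_access %s %s" % (action, " ".join(names))
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), "default"

# Constructed requests: alice is in both groups, which is the case Amos
# suspects; bob is an admin only; carol is a plain user; guest is outside.
REQUESTS = {
    "alice": {"groups": {"Admins", "Users"}, "src": "192.0.2.10"},
    "bob": {"groups": {"Admins"}, "src": "192.0.2.11"},
    "carol": {"groups": {"Users"}, "src": "192.0.2.12"},
    "guest": {"groups": set(), "src": "198.51.100.5"},
}

if __name__ == "__main__":
    for who, req in REQUESTS.items():
        print(who, http_access(req), http_access(req, REORDERED))
```

With the posted order, an admin who is also in "Users" never reaches the allow line; with the permit line first, the same request is allowed while a plain "Users" member is still denied.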