Hi I've implemented a native kerberos-authentication with squid_kerb_auth and squid_kerb_ldap to query ad-group-memberships. This works fine. I'm trying to implement a fallback-mechanism with squid_ldap_auth. But the squid_ldap_auth-fallback is not working. My config looks like this: auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i auth_param negotiate children 50 auth_param negotiate keep_alive on external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "InternetUsers" acl INTERNET_ACCESS external SQUID_KERB_LDAP external_acl_type SQUID_DENY_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "DenyInternetUsers" acl DENY_INTERNET_ACCESS external SQUID_DENY_KERB_LDAP # LDAP-Fallback auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -v 3 -b "dc=xx,dc=yy" -D "cn=binduser,dc=xx,dc=yy" -w "something" -f "(&(&(objectClass=Person)(sAMAccountName=%s))(memberOf=cn=InternetUsers,DC=xx,DC=yy))" -c 3 -h ldaps://xx.xx.xx.xx -h ldaps://xx.xx.xx.xx auth_param basic children 20 auth_param basic realm "Internet Access" auth_param basic credentialsttl 2 hour acl INTERNET_ACCESS_LDAP proxy_auth REQUIRED http_access deny DENY_INTERNET_ACCESS http_access allow INTERNET_ACCESS http_access allow INTERNET_ACCESS_LDAP How do I have to implement the fallback-ldap? Do I need the "external_acl"-directive? Can I realise the fallback-mechanism also with squid_kerb_ldap? Thanks a lot. Kind regards, Tom
