Re: External_acl_type Problem

[Kalil Costa - Brasilsite <kalil@xxxxxxxxxxxxxxxxx>]

OK.

But when I put the external acl and "acl dpto external nt_group finance" 
with http_access before acl AuthorizedUsers, show me a screen asking for 
User and password doesn't seek direct AD.


The acl AuthorizedUsers as proxy_auth REQUIRED to ask for authentication 
every time someone is browsing. I found that the external acl should 
stay after it.


So....didn't work.  Any idea....



thks

---kalz---






Em 21-01-2011 12:07, Amos Jeffries escreveu:
> On 22/01/11 01:38, Kalil Costa - Brasilsite wrote:
> > Hi all,
> >
> >
> > I have a problem with not working external_acl_type
> >
> > Integrated the AD 2003 using squid with ntlm, samba, winbind, works 
> > fine.
> > Logs in access.log ok, user navigates normal, but when i configure
> > squid.conf using external_acl_type nothings happens.
>
> Your problems in not related to external_acl_type.
>
> The order of your directives does not match what you are wanting to 
> happen.
>
> > My settings squid.conf
> >
> > -----
> >
> > http_port 3128
> >
> > cache_mem 12 MB
> > maximum_object_size_in_memory 64 KB
> > maximum_object_size 512 MB
> > minimum_object_size 0 KB
> > cache_swap_low 90
> > cache_swap_high 95
> > cache_dir ufs /var/spool/squid 2048 16 256
> > cache_access_log /var/log/squid/access.log
> > refresh_pattern ^ftp: 15 20% 2280
> > refresh_pattern ^gopher: 15 0% 2280
>
> Add:
>   refresh_pattern -i (/cgi-bin/|\?)  0 0% 0
>
>
> > refresh_pattern . 15 20% 2280
> >
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
> > no_cache deny QUERY
>
> If you have a Squid newer than 2.6 remove the above three lines.
>
> > auth_param ntlm program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 30
> >
> > auth_param basic program /usr/bin/ntlm_auth 
> > --helper-protocol=squid-2.5-basic
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> >
> >
> >
> > #debug_options ALL,1 82,9 84,9
> >
> > #acl all src 0.0.0.0/24
> >
> >
> > acl AuthorizedUsers proxy_auth REQUIRED
> > http_access allow AuthorizedUsers
>
> At this point anyone who can login is allowed immediately.
>
> > external_acl_type nt_group %LOGIN /usr/lib/squid/wbinfo_group.pl
> >
> > acl dpto external nt_group finance
> > http_access deny dpto
>
> This group restriction needs to be above "allow AuthorizedUsers" to work.
>
> When two criteria overlap, the most specific needs to be tested first. 
> In this case the details user+password+group is more specific than 
> just user+password.
>
>
> Amos