OK.
But when I put the external acl and "acl dpto external nt_group finance"
with http_access before acl AuthorizedUsers, it shows me a screen asking for
user and password and doesn't look up AD directly.
The acl AuthorizedUsers with proxy_auth REQUIRED asks for authentication
every time someone is browsing. I found that the external acl should
stay after it.
So... it didn't work. Any ideas?
Thanks
---kalz---
On 21-01-2011 12:07, Amos Jeffries wrote:
On 22/01/11 01:38, Kalil Costa - Brasilsite wrote:
Hi all,
I have a problem with external_acl_type not working.
Integrated AD 2003 using squid with ntlm, samba and winbind; it works
fine.
Logs in access.log are OK and the user browses normally, but when I configure
squid.conf using external_acl_type nothing happens.
Your problem is not related to external_acl_type.
The order of your directives does not match what you are wanting to
happen.
My squid.conf settings
-----
http_port 3128
cache_mem 12 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
Add:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 15 20% 2280
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
If you have a Squid newer than 2.6 remove the above three lines.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
#debug_options ALL,1 82,9 84,9
#acl all src 0.0.0.0/24
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
At this point anyone who can login is allowed immediately.
external_acl_type nt_group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl dpto external nt_group finance
http_access deny dpto
This group restriction needs to be above "allow AuthorizedUsers" to work.
When two criteria overlap, the most specific needs to be tested first.
In this case the details user+password+group is more specific than
just user+password.
Amos
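Squid evaluates http_access lines top to bottom and the first matching line decides, which is why the order Amos describes matters. The following is an added Python model of that first-match rule (not Squid's code); the ACL names follow the squid.conf quoted above, the user and group data is constructed, and the NTLM/winbind lookup is replaced by an in-memory group set.

```python
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple
from dataclasses import dataclass, field

@dataclass
class Request:
    # user is None when no proxy credentials were supplied
    user: Optional[str]
    groups: FrozenSet[str] = field(default_factory=frozenset)

# acl AuthorizedUsers proxy_auth REQUIRED: matches any authenticated user
def proxy_auth_required(req: Request) -> bool:
    return req.user is not None

# acl dpto external nt_group finance: stand-in for the wbinfo_group.pl lookup
def external_nt_group(group: str) -> Callable[[Request], bool]:
    def match(req: Request) -> bool:
        return req.user is not None and group in req.groups
    return match

ACLS: Dict[str, Callable[[Request], bool]] = {
    "AuthorizedUsers": proxy_auth_required,
    "dpto": external_nt_group("finance"),
    "all": lambda req: True,
}

def http_access(rules: List[Tuple[str, str]], req: Request) -> str:
    """First matching line wins, as in Squid. If nothing matches, Squid
    applies the opposite of the last line's action (hence 'deny all')."""
    for action, acl in rules:
        if ACLS[acl](req):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Order from the quoted squid.conf: the allow line is reached first
ORIGINAL = [("allow", "AuthorizedUsers"), ("deny", "dpto"), ("deny", "all")]
# Order Amos recommends: the more specific group check is tested first
FIXED = [("deny", "dpto"), ("allow", "AuthorizedUsers"), ("deny", "all")]

# Constructed sample users
USERS = {
    "finance": Request("alice", frozenset({"finance"})),
    "sales": Request("bob", frozenset({"sales"})),
    "anon": Request(None),
}

def evaluate(rules: List[Tuple[str, str]]) -> Dict[str, str]:
    return {name: http_access(rules, req) for name, req in USERS.items()}
```

With ORIGINAL the finance user is allowed because "allow AuthorizedUsers" matches before "deny dpto" is ever consulted; with FIXED the same user is denied and other authenticated users still pass.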