Re: External_acl_type Problem





OK.

But when I put the external acl and "acl dpto external nt_group finance" with http_access before acl AuthorizedUsers, it shows me a screen asking for user and password; it doesn't seek AD directly.


The acl AuthorizedUsers has proxy_auth REQUIRED to ask for authentication every time someone is browsing. I found that the external acl should stay after it.


So... it didn't work. Any ideas?



Thanks

---kalz---






On 21-01-2011 12:07, Amos Jeffries wrote:
On 22/01/11 01:38, Kalil Costa - Brasilsite wrote:
Hi all,


I have a problem with external_acl_type not working.

I integrated AD 2003 using squid with ntlm, samba, winbind; it works fine.
Logs in access.log are ok, users navigate normally, but when I configure
squid.conf using external_acl_type nothing happens.


Your problem is not related to external_acl_type.

The order of your directives does not match what you are wanting to happen.


My settings squid.conf

-----

http_port 3128

cache_mem 12 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280

Add:
  refresh_pattern -i (/cgi-bin/|\?)  0 0% 0


refresh_pattern . 15 20% 2280

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

If you have a Squid newer than 2.6 remove the above three lines.


auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours



#debug_options ALL,1 82,9 84,9

#acl all src 0.0.0.0/24


acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers

At this point anyone who can login is allowed immediately.


external_acl_type nt_group %LOGIN /usr/lib/squid/wbinfo_group.pl

acl dpto external nt_group finance
http_access deny dpto


This group restriction needs to be above "allow AuthorizedUsers" to work.

When two criteria overlap, the most specific needs to be tested first. In this case the details user+password+group are more specific than just user+password.


Amos
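
An added illustration, not part of the thread and not Squid's own code: a simplified Python model of first-match http_access evaluation, run over the rule order posted above and the order recommended in the reply. The user names and group memberships are constructed, and the authentication challenge itself is not modelled.

```python
# Simplified model of http_access evaluation (illustration only, not Squid code).
# Rules are checked top to bottom; the first rule whose ACLs all match decides.

# Constructed sample data: authenticated user -> AD groups (assumption).
USERS = {"alice": {"finance"}, "bob": {"sales"}}

def acl_authorized_users(user):
    # acl AuthorizedUsers proxy_auth REQUIRED: any user who logged in
    return user in USERS

def acl_dpto(user):
    # acl dpto external nt_group finance: logged-in user in group "finance"
    return "finance" in USERS.get(user, set())

ACLS = {"AuthorizedUsers": acl_authorized_users, "dpto": acl_dpto}

# Order as posted in the squid.conf above
POSTED = [("allow", ["AuthorizedUsers"]), ("deny", ["dpto"])]
# Order recommended in the reply: the more specific rule first
REORDERED = [("deny", ["dpto"]), ("allow", ["AuthorizedUsers"])]

def evaluate(rules, user):
    """Return (action, rule_index) for the first matching rule."""
    for index, (action, acl_names) in enumerate(rules):
        if all(ACLS[name](user) for name in acl_names):
            return action, index
    # No rule matched: Squid applies the opposite of the last rule's action.
    # (Not reached for the sample users, who are all authenticated.)
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), None

def unreachable_rules(rules, users):
    """Indexes of rules that never decide a request for any sample user."""
    hit = {evaluate(rules, u)[1] for u in users}
    return [i for i in range(len(rules)) if i not in hit]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("reordered", REORDERED)):
        for user in sorted(USERS):
            print(label, user, evaluate(rules, user))
        print(label, "rules never reached:", unreachable_rules(rules, USERS))
```

In the posted order the "deny dpto" rule is never reached, because every user who can satisfy it has already matched "allow AuthorizedUsers".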

