On Mon, 31 Jan 2011 17:35:02 +0000, "Gonzalo Morera" <gmorera@xxxxxxxxxx> wrote:
> Thanks Chad
>
> I'll follow these instructions
>
> Gonzalo
>
> >>> "Chad Naugle" <Chad.Naugle@xxxxxxxxxxx> 31-01-2011 >>>
> You need to move all of your "deny" lines *before* your "allow" lines,
> otherwise you will get the popup.
>
> FYI, if you plan on using eDirectory 8.8 based IP->User, I wrote a
> C-based program for that, which is bundled with Squid 3.2-BETA, instead
> of using a perl script. You can probably just build 3.2.X without
> installing it and copy the executable to /usr/sbin, and use that for the
> blind auth.
>
> >>> "Gonzalo Morera" <gmorera@xxxxxxxxxx> 1/31/2011 11:16 AM >>>
> Hi all
>
> After solving the squid_ldap_group issue, I'm still facing a little one
> with users that are transparently authenticated through a pl script against
> eDirectory.
>
> I've got this line:
>
> external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
> (IPUser method)
>
> squid_edir_iplookup.pl is for users that have the Novell client
> installed. Through this script, their network address is found and they are
> authenticated without being prompted. This works fine as long as they do
> not hit a forbidden page.
> And here is my problem. When they hit a forbidden page, instead of getting
> the 403 Forbidden, they are prompted for authentication. If they then enter a
> username/password (they share passwords :-( ) with rights, they can go
> to the page.
> So my goal is that when these users hit a forbidden page, the
> forbidden page comes and not the auth page.
>
> I can not find out how to do so, or if the order of the rules is wrong.
>
> Here is my squid.conf. Let me know if anything else is needed:
>
> ===snip====
> <snip>
>
> # Seamless automatic access based on IP address
> # Access through the "IP User" external helper
> acl Full_Access external IPUser internet_nr
> acl Restricted_Access external IPUser internet_r
>
> # Access to users prompted with username/password dialogue
> # Full access
> acl lab_Full external ldap_group internet_nr
>
> # Restricted access
> acl lab_Restricted external ldap_group internet_r
> <snip>

You have presented the settings for IPUser ACL but have omitted the ones for ldap_group ACL.

I suspect you have cut-n-pasted one of the common examples for group lookup which rely on full client credentials authentication.

Note that external ACL does not produce full-blown authentication credentials (yet). So they are not used for %LOGIN group checking. You need to use %EXT_USER instead and you do not have access to the external ACL password.

Check this, but I expect you may find that the way you have defined the IPUser ACL lines the helper gets passed "<src-IP> <group-name>" so you can do the full check in one step in the handler script with a single allow/block result.

Amos
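The following squid.conf fragment is an added illustration of the two points made in this thread (Chad's "deny before allow" ordering and Amos's %LOGIN vs. %EXT_USER distinction); it is not Gonzalo's actual configuration and not part of the list archive. It reuses the helper path and the ACL/group names quoted above; the LDAP helper arguments, the forbidden-sites file and the second external_acl_type name are placeholders or assumptions, not values from the thread.

```conf
# --- Helpers ---------------------------------------------------------------
# IP -> user lookup (the helper quoted in the thread). With the acl lines below
# it is fed "<src-IP> <group-name>": the %SRC value plus the argument from the
# acl line. It needs no credentials, so an http_access line that stops on one
# of these ACLs is answered with a plain 403, never with an auth challenge.
external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
acl Full_Access       external IPUser internet_nr
acl Restricted_Access external IPUser internet_r

# Group lookup for users who are meant to see the login dialogue. %LOGIN is
# filled from proxy_auth credentials; when a request reaches an ACL keyed on
# %LOGIN without credentials, Squid sends the 407 challenge (the popup).
# -b / -f / -h values are placeholders: use your own base DN, filter, server.
external_acl_type ldap_group ttl=3600 %LOGIN /usr/lib/squid/squid_ldap_group \
    -b "ou=users,o=PLACEHOLDER" -f "PLACEHOLDER-group-filter" -h ldap.placeholder.invalid
acl lab_Full       external ldap_group internet_nr
acl lab_Restricted external ldap_group internet_r

# Amos's alternative for the IP-identified users: key the LDAP helper on
# %EXT_USER, the user= value returned by a previous external ACL (here IPUser),
# so a group check can run without any login dialogue. Assumed name; the
# IPUser ACL must have been evaluated earlier in the same request.
external_acl_type ldap_group_ext ttl=3600 %EXT_USER /usr/lib/squid/squid_ldap_group \
    -b "ou=users,o=PLACEHOLDER" -f "PLACEHOLDER-group-filter" -h ldap.placeholder.invalid
acl ext_Restricted external ldap_group_ext internet_r

# Sites the restricted group must not reach (constructed file name).
acl forbidden_sites dstdomain "/etc/squid/forbidden_sites.txt"

# --- Access rules: the order decides between 403 and popup ------------------
# Wrong order, reproducing the symptom in the thread: the allow line that needs
# %LOGIN is evaluated first, so a transparently identified user hitting a
# forbidden site is challenged before the deny line is ever reached.
#   http_access allow lab_Restricted !forbidden_sites
#   http_access deny  Restricted_Access forbidden_sites

# 1. Deny first, using only ACLs that need no credentials: plain 403.
http_access deny  Restricted_Access forbidden_sites

# 2. Then allow the transparently identified users.
http_access allow Full_Access
http_access allow Restricted_Access

# 3. Only now the %LOGIN-based rules; everyone left here is meant to be prompted.
http_access deny  lab_Restricted forbidden_sites
http_access allow lab_Full
http_access allow lab_Restricted
http_access deny  all
```

With this ordering a client that IPUser maps to the restricted group is refused with 403 on a forbidden site at step 1 and never reaches a %LOGIN ACL, which is exactly what removes the popup; clients IPUser does not recognise fall through to step 3 and get the dialogue as before. If the IPUser helper already takes the group name as its second argument, the ldap_group_ext/%EXT_USER definition is redundant, as Amos notes: the helper can return the allow/block result in one step.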