On 7/02/2016 9:39 p.m., Olivier CALVANO wrote:
> Hi
>
> I have a problem with AD Group, I use this config:
>
>
> external_acl_type AD_Group children-startup=5 children-max=100
> concurrency=80 ttl=1800 negative_ttl=900 %LOGIN
> /usr/lib64/squid/ext_ldap_group_acl -d -S -K -R -b DC=mydomain,DC=fr -D
> cn=UserAdmin,ou=vpn,dc=mydomain,dc=fr -w "Pa77word" -f
> (&(objectclass=person)
> (sAMAccountName=%v)(memberof=CN=%g,OU=Admin,DC=mydomain,DC=fr)) -h
> 192.168.10.1
>
>
> acl Group_Allowed external AD_Group Internet-Access
> http_access allow Group_Allowed
> http_access deny !Group_Allowed
>
>
> When I want to use the proxy, squid requests the Login/pass all the time

To check group membership, Squid must first know what user login
credentials are being checked.

>
> if I change config:
>
> http_access allow Group_Allowed
> http_access deny !Group_Allowed

As Group_Allowed uses the %LOGIN format code, it will perform 407 auth if it
is used on any line and login is not yet provided, or do 407
re-authentication whenever it is the last ACL named on a deny line, in order
to give the user the chance to provide credentials that will pass the test.

In this particular config setup use "deny all" instead of "deny
!Group_Allowed".

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
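A simplified model of the http_access behaviour described in the reply above, added here as an example (it is not part of the original thread and is not Squid's code). It assumes only the two ACLs on this page exist; the user names and the `GROUP_MEMBERS` set are constructed stand-ins for what the LDAP helper would answer.

```python
# Simplified model of the rule evaluation explained in the reply above.
# Assumption: only "Group_Allowed" (external ACL using %LOGIN) and "all" exist.
GROUP_MEMBERS = {"alice"}   # constructed sample: users the group helper accepts

def acl_matches(name, user):
    """Return True/False, or None when the ACL needs a login not yet provided."""
    if name == "all":
        return True
    if name == "Group_Allowed":
        if user is None:
            return None
        return user in GROUP_MEMBERS
    raise ValueError(f"unknown ACL {name}")

def evaluate(rules, user):
    """rules: list of (action, [acl tokens]); '!' negates a token.
    Returns 200 (allowed), 403 (denied) or 407 (credentials requested)."""
    for action, tokens in rules:
        matched = True
        for token in tokens:
            negate = token.startswith("!")
            result = acl_matches(token.lstrip("!"), user)
            if result is None:
                return 407          # login is needed before the test can run
            if result == negate:    # this token failed, so the line does not match
                matched = False
                break
        if not matched:
            continue
        if action == "allow":
            return 200
        # A deny line matched: if its last ACL is the login-based one, the
        # client is asked to re-authenticate instead of being refused.
        return 407 if tokens[-1].lstrip("!") == "Group_Allowed" else 403
    return 403  # model assumption; not reached by either rule set below

ORIGINAL = [("allow", ["Group_Allowed"]), ("deny", ["!Group_Allowed"])]
SUGGESTED = [("allow", ["Group_Allowed"]), ("deny", ["all"])]

def compare(user):
    """Outcome under the original rules and under the suggested 'deny all'."""
    return evaluate(ORIGINAL, user), evaluate(SUGGESTED, user)

if __name__ == "__main__":
    for user in (None, "alice", "bob"):   # no login, group member, non-member
        print(user, compare(user))
```

In this model an authenticated non-member ("bob") is challenged again on every request under the original rules and gets a plain 403 under "deny all"; a request with no credentials is challenged once in both cases.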