Jeroen Ruijter wrote:
> Dear Sir/Madam,
>
> I've tried to activate LDAP authentication for Squid.
> Users have to authenticate, but it doesn't matter if they are in one of
> the two groups you have to be a member of.
>
> Then when a user with restrictions opens a link like schoolbank.nl for
> instance they get a login screen that doesn't disappear anymore.
> A user without restrictions can open the link without any problem.
>
> Can you give me a clue?
>
> Regards Jeroen Ruijter
>
>
>
> Active Directory Windows 2003
>
> Domain.local
> - Proxy
> - InternetAccessGroup
> - InternetAccessGroupRestricted
>
> ----------------------------------------------------------------
>
> Squid.conf (version 3.0 installed on SuSE 11.2)
> auth_param basic program /usr/sbin/squid_ldap_auth -v 3 -R -b
> "dc=domain,dc=local" -D "cn=ldapuser,cn=users,dc=domain,dc=local" -w
> "xxxxx" -f sAMAccountName=%s -h x.x.x.x
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hour
>
> external_acl_type InetGroup %LOGIN /usr/sbin/squid_ldap_group -v 3 -R -b
> "dc=domain,dc=local" -D "cn=ldapuser,cn=users,dc=domain,dc=local" -w
> "xxxxx" -f "(&(objectclass=person) (sAMAccountName=%v)
> (memberof=cn=%a,ou=proxy,dc=domain,dc=local))" -h x.x.x.x
>
> acl users proxy_auth REQUIRED
> acl InetAccess external InetGroup InternetAccessGroup
> acl InetAccessRestricted external InetGroup
> InternetAccessGroupRestricted
> acl schoolbank.nl url_regex schoolbank.nl

acl schoolbank dstdomain .schoolbank.nl
* avoid regex like the plague in squid.conf.

> acl users proxy_auth REQUIRED

... duplicate.

>
> http_access deny schoolbank.nl !InetAccess

users who are not a member of "InternetAccessGroup" will be challenged
to provide new credentials. Is this your problem?

> http_access allow localnet users

missing:
http_access deny all

The details are beyond me, so if it's not that ACL issue I can't offer
much help, sorry.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.15

Received on Thu Dec 03 2009 - 23:58:59 MST
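The login loop described in the reply, as an added example that is not part of the original thread and not Squid's own code: a simplified Python model of how http_access lines are evaluated. The request dictionaries, the `acl_matches` and `decide` helpers, and the trailing `all` on the deny line (a documented Squid idiom that nobody in the thread suggests) are assumptions of the example.

```python
# Simplified model of Squid's http_access handling (constructed example).
# ACL names whose result depends on the login (proxy_auth, external ACL with %LOGIN).
AUTH_ACLS = {"users", "InetAccess", "InetAccessRestricted"}

def acl_matches(name, req):
    """Evaluate one ACL from the thread against a constructed request dict."""
    if name == "all":
        return True
    if name == "localnet":
        return req["from_localnet"]
    if name == "schoolbank":          # acl schoolbank dstdomain .schoolbank.nl
        host = req["host"]
        return host == "schoolbank.nl" or host.endswith(".schoolbank.nl")
    if name == "users":               # proxy_auth REQUIRED; valid login assumed
        return True
    if name == "InetAccess":
        return "InternetAccessGroup" in req["groups"]
    if name == "InetAccessRestricted":
        return "InternetAccessGroupRestricted" in req["groups"]
    raise KeyError(name)

def decide(http_access_lines, req):
    """Return ALLOW, DENY_403 or CHALLENGE_407 for the first matching rule."""
    action = None
    for line in http_access_lines:
        _, action, *acls = line.split()
        # Every ACL on the line must match; a leading "!" negates it.
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            if action == "allow":
                return "ALLOW"
            # A deny ending in a login-based ACL re-prompts for credentials.
            last = acls[-1].lstrip("!")
            return "CHALLENGE_407" if last in AUTH_ACLS else "DENY_403"
    # No line matched: Squid applies the opposite of the last line's action.
    return "DENY_403" if action == "allow" else "ALLOW"

# Rules as posted (using the dstdomain ACL name from the reply).
POSTED = ["http_access deny schoolbank !InetAccess",
          "http_access allow localnet users"]
# Assumption: trailing "all" on the deny line, plus the missing "deny all".
ADJUSTED = ["http_access deny schoolbank !InetAccess all",
            "http_access allow localnet users",
            "http_access deny all"]

# Constructed sample requests.
RESTRICTED = {"host": "www.schoolbank.nl", "from_localnet": True,
              "groups": {"InternetAccessGroupRestricted"}}
FULL = {"host": "www.schoolbank.nl", "from_localnet": True,
        "groups": {"InternetAccessGroup"}}
```

With the posted rules the restricted user gets a 407 on every attempt, which is the login screen that never goes away; ending the deny line on a non-login ACL turns that into a plain 403.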