[SQU] GROUP_LDAP patch: is multiple acl's possible?

From: Henrique Pantarotto <[email protected]>
Date: Mon, 4 Sep 2000 03:55:32 -0300

Hello squid friends!

I'm using FatGuy's excellent LDAP patch with squid-2.3.STABLE2. I am having
a little problem and I wonder if someone can help me out on this one...

I've successfully made it to work using a single "acl" declaration, like
this:

acl staff ldap_auth dynamic groupID=staff
http_access allow staff

But I was wondering if I could use 2 (or more) acl declarations, like this:

acl staff ldap_auth dynamic groupID=staff
acl students ldap_auth dynamic groupID=students
http_access allow staff
http_access allow students

The reason I want to do this is because I want to create very fancy
http_access lines, to permit, for example, staff users to access the whole
web, but to limit student users to a sucky acl declaration (limiting the URL
sites they can access).

I have noticed that, although I am trying to authenticate a "students"
username, ldap_auth stops at the first "staff" acl.

Since it didn't find the username at the "staff" group, why won't he jump to
the next line and search at "students"?

** tail /tmp/squid_ldap_auth_log
bound to localhost:389
received elvis okokok 1 d #groupID=staff#
searching for user with filter (uid=elvis)
searching for dynamic group groupID=staff
user uid=elvis,dc=teste,dc=br not found in group groupID=staff
checkLdap returned 5

** tail /usr/local/squid/logs/cache.log (with debug 28,4)
2000/09/04 00:21:52| aclMatchAclList: checking all
2000/09/04 00:21:52| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2000/09/04 00:21:52| aclMatchIp: '192.168.0.1' found
2000/09/04 00:21:52| aclMatchAclList: returning 1
2000/09/04 00:21:52| aclCheck: checking 'http_access allow manager
localhost'
2000/09/04 00:21:52| aclMatchAclList: checking manager
2000/09/04 00:21:52| aclMatchAcl: checking 'acl manager proto cache_object'
2000/09/04 00:21:52| aclMatchAclList: returning 0
2000/09/04 00:21:52| aclCheck: checking 'http_access allow staff'
2000/09/04 00:21:52| aclMatchAclList: checking staff
2000/09/04 00:21:52| aclMatchAcl: checking 'acl staff ldap_auth dynamic
groupID=staff'
2000/09/04 00:21:52| aclMatchAclList: returning 0
2000/09/04 00:21:52| aclCheck: match found, returning 2
2000/09/04 00:21:52| aclCheckCallback: answer=2
2000/09/04 00:21:56| aclMatchAclList: checking all
2000/09/04 00:21:56| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2000/09/04 00:21:56| aclMatchIp: '192.168.0.1' found
2000/09/04 00:21:56| aclMatchAclList: returning 1
2000/09/04 00:21:56| aclCheck: checking 'http_access allow manager
localhost'
2000/09/04 00:21:56| aclMatchAclList: checking manager
2000/09/04 00:21:56| aclMatchAcl: checking 'acl manager proto cache_object'
2000/09/04 00:21:56| aclMatchAclList: returning 0
2000/09/04 00:21:56| aclCheck: checking 'http_access allow staff'
2000/09/04 00:21:56| aclMatchAclList: checking staff
2000/09/04 00:21:56| aclMatchAcl: checking 'acl staff ldap_auth dynamic
groupID=staff'
2000/09/04 00:21:56| aclMatchLdapAuth: user 'elvis' not yet known
2000/09/04 00:21:56| aclMatchAclList: returning 0
2000/09/04 00:21:56| aclCheck: checking password via ldap authenticator
2000/09/04 00:21:56| aclLookupLdapAuthStart: going to ask authenticator
about user 'elvis'
2000/09/04 00:21:59| aclLookupLdapAuthDone: result = f
2000/09/04 00:21:59| aclCheck: checking 'http_access allow staff'
2000/09/04 00:21:59| aclMatchAclList: checking staff
2000/09/04 00:21:59| aclMatchAcl: checking 'acl staff ldap_auth dynamic
groupID=staff'
2000/09/04 00:21:59| aclMatchLdapAuth: authentication failed for user
'elvis' group 'NONE'
2000/09/04 00:21:59| aclMatchAclList: returning 0
2000/09/04 00:21:59| aclCheck: match found, returning 2
2000/09/04 00:21:59| aclCheckCallback: answer=2

[root@proxy squid]# /usr/local/ldap/bin/ldapsearch -b 'dc=teste, dc=br'
'(uid=elvis)'
uid=elvis,dc=teste,dc=br
cn=Elvis Presley
groupid=students
userpassword={crypt}hpjV3fStFmXzc
uid=elvis
mail=elvis@teste.br
objectclass=top
objectclass=person
objectclass=inetOrgPerson

Elvis is not dead! ;-) He's a "student"! But squid hasn't even tried
searching at the other acl.

Is this really a limitation? Or am I missing something?

Thanks a lot!

Regards from Brazil,
_______________________________________________
Henrique Pantarotto
SysOp Site São Paulo
Terra Networks Brasil S/A
The Internet, more yours than ever
Tel: (11) 5505-5728 r.316/238 ICQ: 6934285 IT: henpa
henrique@corp.terra.com.br

Received on Mon Sep 04 2000 - 00:56:26 MDT
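Below is an added Python model (not Squid's code nor the LDAP patch's) of the evaluation the poster expects: http_access lines are tried in order, the first match wins, and each ldap_auth acl is tested against its own groupID value. The directory entries are constructed from the ldapsearch output above (the second user is made up), and attribute names are compared case-insensitively because ldapsearch printed groupid while the acl says groupID.

```python
import re

# Constructed directory modelled on the ldapsearch output in the post
# (attribute names lower-cased, as ldapsearch printed them).
DIRECTORY = {
    "uid=elvis,dc=teste,dc=br": {"uid": "elvis", "groupid": "students"},
    "uid=priscilla,dc=teste,dc=br": {"uid": "priscilla", "groupid": "staff"},  # constructed
}

ACL_RE = re.compile(r"^acl\s+(\S+)\s+ldap_auth\s+dynamic\s+(\w+)=(\S+)$")
ACCESS_RE = re.compile(r"^http_access\s+(allow|deny)\s+(.+)$")

def parse_config(text):
    """Return (acls, rules): acl name -> (attribute, value); rules -> (action, [acl names])."""
    acls, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := ACL_RE.match(line):
            acls[m.group(1)] = (m.group(2), m.group(3))
        elif m := ACCESS_RE.match(line):
            rules.append((m.group(1), m.group(2).split()))
        else:
            raise ValueError(f"unsupported line: {line}")
    return acls, rules

def in_dynamic_group(user, attr, value):
    """Like the helper's search: find the user's entry, then test the group attribute.
    LDAP attribute names are case-insensitive, so groupID and groupid are the same."""
    for entry in DIRECTORY.values():
        if entry.get("uid") == user:
            return entry.get(attr.lower()) == value
    return False  # unknown user is in no group

def check_access(config_text, user):
    """First matching http_access line wins; all acls on one line must match (AND).
    Returns (action, acl names of the matching line) or the default when nothing matches."""
    acls, rules = parse_config(config_text)
    for action, names in rules:
        if all(in_dynamic_group(user, *acls[n]) for n in names):
            return action, " ".join(names)
    # Squid's documented default: the opposite of the last http_access line
    return ("deny" if rules and rules[-1][0] == "allow" else "allow"), None

CONFIG = """
acl staff ldap_auth dynamic groupID=staff
acl students ldap_auth dynamic groupID=students
http_access allow staff
http_access allow students
"""
```

With this evaluation elvis fails the staff line and is allowed by the students line, which is the behaviour the two-acl configuration is meant to produce.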
