RE: [squid-users] External ACL Authentication Problem

From: Nathan Le Nevez <[email protected]>
Date: Mon, 4 Nov 2002 09:41:24 +1100

Hi Rick,

I changed my acl ident ident line to include 'REQUIRED' at the end, but
this does not fix my problem. The problem I find is that the external
ACL is being executed before the ident reply comes back:

2002/11/04 07:37:47| aclCheckFast: list: 0x82035b0
2002/11/04 07:37:47| aclMatchAclList: checking all
2002/11/04 07:37:47| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2002/11/04 07:37:47| aclMatchIp: '202.6.37.162' found
2002/11/04 07:37:47| aclMatchAclList: returning 1
2002/11/04 07:37:47| aclCheck: checking 'http_access allow spack'
2002/11/04 07:37:47| aclMatchAclList: checking spack
2002/11/04 07:37:47| aclMatchAcl: checking 'acl spack external ausaid'
2002/11/04 07:37:47| aclMatchAclList: returning 0
2002/11/04 07:37:47| identReadReply: FD 35: Read '1206, 8080 : USERID : WIN32 : proxyt'

-----Original Message-----
From: Rick Matthews [mailto:RedHat.Linux@verizon.net]
Sent: Monday, 4 November 2002 12:02 AM
To: Nathan Le Nevez; squid-users@squid-cache.org
Subject: RE: [squid-users] External ACL Authentication Problem

> What I am finding is, squid performs the IDENT lookup, but still
> shows the proxy_auth box.

Is the basis for that statement:
- the ident appears on that transaction in the access.log
- therefore, squid had the ident
- so, why did it go to the next method of authentication?

I can address that one, because I've made the same, invalid assumption.
The transaction may include an ident in access.log, but that doesn't
mean that the ident was there when it was needed for a decision. The
ident will appear in the log if it is received anytime before that
record is written to the log. Squid does not wait on the ident unless
you include REQUIRED in your acl:

acl ident ident REQUIRED

That alone may solve your problem. If not, consider that
http_access allow ident
would allow this group access, but I don't know how that would fit
in to your full auth plan.

Hope that helps.

Rick

> -----Original Message-----
> From: Nathan Le Nevez [mailto:nathan.lenevez@acis.com.au]
> Sent: Thursday, October 31, 2002 4:45 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] External ACL Authentication Problem
>
>
> Hey Guys,
>
> I am having an interesting experience trying to set up a nice way of
> doing authentication at my work. We have installed an RFC identd daemon
> on all our machines, including Windows machines. What I am trying to do
> is, have two methods of authentication. Centrally we have an LDAP
> database which I need to authenticate against. For the moment, I have
> LDAP authentication working via proxy_auth. What I would like to do, is
> in the first instance have squid check the user's IDENT and check that
> against a valid username in my LDAP table (I have written an
> external_acl program to do this), and in the second instance (if #1
> fails) bring up the username/password box as normal.
>
> What I am finding is, squid performs the IDENT lookup, but still shows
> the proxy_auth box. If I close the proxy_auth box and continuously hit
> Refresh, the page will eventually display, with the proxy_auth box
> displaying a number of times before it actually works.
>
> Here are the basics in my squid.conf:
>
> auth_param basic program /usr/local/squid/bin/ldap_acis
> auth_param basic children 15
> auth_param basic realm The AusAID Proxy Server
>
> external_acl_type ausaid ttl=3600 negative_ttl=0 %IDENT %METHOD
> /usr/local/squid/bin/ident_acis
> acl all src 0.0.0.0/0.0.0.0
> ident_lookup_access allow all
>
> acl manager proto cache_object
> acl ident ident
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl CONNECT method CONNECT
> acl acisesd src 202.6.37.153/255.255.255.255
> acl spack external ausaid
>
> http_access allow spack
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl password proxy_auth
> http_access allow password
> icp_access allow all
> http_access deny all
>
> Any ideas would be GREATLY appreciated!
>
> Cheers,
>
> Nathan
>
Received on Sun Nov 03 2002 - 15:41:50 MST
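The thread turns on what the external ACL helper sees when Squid evaluates `acl spack external ausaid` before the ident reply has arrived. The following is an added example of a minimal helper for the `%IDENT %METHOD` format used above; it is not the `ident_acis` program from the thread, and the LDAP lookup is replaced by a constructed allow-list. It assumes, as the Squid external ACL documentation describes, that Squid writes one request line per lookup to the helper's stdin and reads one `OK`/`ERR` reply line per request from stdout, and that a format field Squid has no value for is sent as `-`. The helper answers `ERR` for a missing ident so that evaluation falls through to the later `http_access allow password` rule rather than failing open; it still only behaves as intended once Squid is told to wait on the ident with `acl ident ident REQUIRED`.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl_type helper for a '%IDENT %METHOD' format line.

Added example, not the ident_acis helper from the thread. Squid starts the
helper, writes one request line per lookup to its stdin and expects exactly
one reply line ("OK" or "ERR") per request on stdout.
"""
import sys

# Constructed stand-in for the LDAP username table used by the real helper.
VALID_USERS = {"proxyt", "nathan"}

# Assumption: Squid substitutes "-" for a format field it has no value for.
# That is what the helper sees when the external ACL is checked before the
# identd reply has been read (the aclMatchAclList "returning 0" in the log).
MISSING = "-"


def decide(line: str) -> str:
    """Return 'OK' or 'ERR' for one helper request line."""
    fields = line.strip().split()
    if len(fields) < 2:
        return "ERR"  # malformed request: never fail open
    ident, method = fields[0], fields[1]
    if ident in ("", MISSING):
        # No ident available yet: deny here so the next http_access rule
        # (proxy_auth) gets to ask for a username/password instead.
        return "ERR"
    if ident not in VALID_USERS:
        return "ERR"
    return "OK"


def replies(lines):
    """Decide a batch of request lines; handy for offline testing."""
    return [decide(line) for line in lines]


def serve(stream_in, stream_out):
    """Answer requests until stdin closes. Flush after every reply so Squid
    is never left waiting on output buffered inside the helper."""
    for line in stream_in:
        stream_out.write(decide(line) + "\n")
        stream_out.flush()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Run it as the program named in `external_acl_type` and feed it lines such as `proxyt GET` by hand to confirm the `OK`/`ERR` behaviour before wiring it into `squid.conf`; note that `negative_ttl=0` in the original configuration is what stops an early `ERR` (from a missing ident) from being cached against that client.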
