RE: [squid-users] External ACL Authentication Problem

From: Rick Matthews <[email protected]>
Date: Mon, 4 Nov 2002 21:18:32 -0600

Nathan Le Nevez wrote:
>
> I changed my acl ident ident line to include 'REQUIRED' at the end, but
> this does not fix my problem. The problem I find is that the external
> ACL is being executed before the ident reply comes back:
>
> 2002/11/04 07:37:47| aclCheckFast: list: 0x82035b0
> 2002/11/04 07:37:47| aclMatchAclList: checking all
> 2002/11/04 07:37:47| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2002/11/04 07:37:47| aclMatchIp: '202.6.37.162' found
> 2002/11/04 07:37:47| aclMatchAclList: returning 1
> 2002/11/04 07:37:47| aclCheck: checking 'http_access allow spack'
> 2002/11/04 07:37:47| aclMatchAclList: checking spack
> 2002/11/04 07:37:47| aclMatchAcl: checking 'acl spack external ausaid'
> 2002/11/04 07:37:47| aclMatchAclList: returning 0
> 2002/11/04 07:37:47| identReadReply: FD 35: Read '1206, 8080 : USERID : WIN32 : proxyt'

I don't see anything in there checking for ident. Compare with the
following (I've deleted the date and unrelated acls for space):

20:53:58| aclCheckFast: list: 0xa791e38
20:53:58| aclMatchAclList: checking ident_aware_hosts
20:53:58| aclMatchAcl: checking 'acl ident_aware_hosts src blah blah '
20:53:58| aclMatchIp: '192.168.44.3' found
20:53:58| aclMatchAclList: returning 1
20:53:58| aclCheck: checking 'http_access allow identhosts'
20:53:58| aclMatchAclList: checking identhosts
20:53:58| aclMatchAcl: checking 'acl identhosts ident REQUIRED'
20:53:58| aclMatchAclList: returning 0
20:53:58| aclCheck: Doing ident lookup
20:53:58| aclCheck: checking 'http_access allow identhosts'
20:53:58| aclMatchAclList: checking identhosts
20:53:58| aclMatchAcl: checking 'acl identhosts ident REQUIRED'
20:53:58| aclMatchUser: checking 'rick'
20:53:58| aclMatchUser: looking for 'REQUIRED'
20:53:58| aclMatchAclList: returning 1
20:53:58| aclCheck: match found, returning 1
20:53:58| aclCheckCallback: answer=1

You might want to approach your solution in a couple of steps:

Step 1 - Forget the secondary authorization. Get ident working, and
ident users authorized if in your database, denied if not. Once you
have that working properly...
Step 2 - Add the secondary authorization method.

That's what I think I'd do.

Rick

>
>
>
> -----Original Message-----
> From: Rick Matthews [mailto:RedHat.Linux@verizon.net]
> Sent: Monday, 4 November 2002 12:02 AM
> To: Nathan Le Nevez; squid-users@squid-cache.org
> Subject: RE: [squid-users] External ACL Authentication Problem
>
> > What I am finding is, squid performs the IDENT lookup, but still
> > shows the proxy_auth box.
>
> Is the basis for that statement:
> - the ident appears on that transaction in the access.log
> - therefore, squid had the ident
> - so, why did it go to the next method of authentication?
>
> I can address that one, because I've made the same, invalid assumption.
> The transaction may include an ident in access.log, but that doesn't
> mean that the ident was there when it was needed for a decision. The
> ident will appear in the log if it is received anytime before that
> record is written to the log. Squid does not wait on the ident unless
> you include REQUIRED in your acl:
>
> acl ident ident REQUIRED
>
> That alone may solve your problem. If not, consider that
> http_access allow ident
> would allow this group access, but I don't know how that would fit
> in to your full auth plan.
>
> Hope that helps.
>
> Rick
>
>
> > -----Original Message-----
> > From: Nathan Le Nevez [mailto:nathan.lenevez@acis.com.au]
> > Sent: Thursday, October 31, 2002 4:45 PM
> > To: squid-users@squid-cache.org
> > Subject: [squid-users] External ACL Authentication Problem
> >
> >
> > Hey Guys,
> >
> > I am having an interesting experience trying to set up a nice way of
> > doing authentication at my work. We have installed an RFC identd daemon
> > on all our machines, including Windows machines. What I am trying to do
> > is, have two methods of authentication. Centrally we have an LDAP
> > database which I need to authenticate against. For the moment, I have
> > LDAP authentication working via proxy_auth. What I would like to do, is
> > in the first instance have squid check the user's IDENT and check that
> > against a valid username in my LDAP table (I have written an
> > external_acl program to do this), and in the second instance (if #1
> > fails) bring up the username/password box as normal.
> >
> > What I am finding is, squid performs the IDENT lookup, but still shows
> > the proxy_auth box. If I close the proxy_auth box and continuously hit
> > Refresh, the page will eventually display, with the proxy_auth box
> > displaying a number of times before it actually works.
> >
> > Here are the basics in my squid.conf:
> >
> > auth_param basic program /usr/local/squid/bin/ldap_acis
> > auth_param basic children 15
> > auth_param basic realm The AusAID Proxy Server
> >
> > external_acl_type ausaid ttl=3600 negative_ttl=0 %IDENT %METHOD /usr/local/squid/bin/ident_acis
> > acl all src 0.0.0.0/0.0.0.0
> > ident_lookup_access allow all
> >
> > acl manager proto cache_object
> > acl ident ident
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 563 # https, snews
> > acl CONNECT method CONNECT
> > acl acisesd src 202.6.37.153/255.255.255.255
> > acl spack external ausaid
> >
> > http_access allow spack
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > acl password proxy_auth
> > http_access allow password
> > icp_access allow all
> > http_access deny all
> >
> > Any ideas would be GREATLY appreciated!
> >
> > Cheers,
> >
> > Nathan
> >
>
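The helper protocol behind the `external_acl_type ... %IDENT %METHOD` line above, as an added example that is not part of the thread and not Nathan's ident_acis program: Squid writes one request line per lookup to the helper's stdin, with the format fields substituted, and reads back a single line starting with `OK` or `ERR`. The point of the example is the failure mode Rick identified, an external ACL being evaluated before the ident reply exists. When Squid has no value for a format field it sends `-` in its place (an assumption about this Squid version, taken from later Squid behaviour), and a helper that does not treat `-` as "no user" can answer on garbage. The user list standing in for the LDAP lookup and the allowed-method policy are constructed sample data; the field encoding is assumed to be plain whitespace-separated, which differs between Squid releases.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper for a `%IDENT %METHOD` format.

Added example, not the ident_acis helper from the thread. Squid feeds one
request per line on stdin and expects exactly one reply line per request.
"""
import io
import sys

# Constructed stand-in for the LDAP "is this a valid username" check.
# A real helper would query the directory here; these names are sample data.
KNOWN_USERS = {"rick", "nathan", "proxyt"}

# Hypothetical policy: methods a plain ident-identified user may use.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "CONNECT"}


def parse_request(line):
    """Split a `%IDENT %METHOD` request line into (ident, method).

    Assumes whitespace-separated, unquoted fields (assumption; some Squid
    releases URL-encode helper fields). Returns None for a malformed line.
    """
    fields = line.strip().split()
    if len(fields) != 2:
        return None
    return fields[0], fields[1]


def decide(line, known_users=KNOWN_USERS):
    """Return 'OK' if the ident user is known and the method allowed, else 'ERR'."""
    parsed = parse_request(line)
    if parsed is None:
        return "ERR"
    ident, method = parsed
    # Squid substitutes "-" for a format value it does not have (assumption
    # for this version). An ident that has not arrived yet must never be
    # accepted as a user name, which is the race the thread is about.
    if ident in ("", "-"):
        return "ERR"
    if method.upper() not in ALLOWED_METHODS:
        return "ERR"
    # Ident replies are client-supplied text; compare case-insensitively and
    # only against names that actually exist in the directory.
    if ident.lower() in known_users:
        return "OK"
    return "ERR"


def run_batch(lines, known_users=KNOWN_USERS):
    """Answer a list of request lines in order; one reply per request."""
    return [decide(line, known_users) for line in lines]


def serve(stream_in=None, stream_out=None):
    """Helper main loop: one reply line per request line, flushed immediately."""
    stream_in = stream_in if stream_in is not None else sys.stdin
    stream_out = stream_out if stream_out is not None else sys.stdout
    for line in stream_in:
        stream_out.write(decide(line) + "\n")
        # Squid blocks on each answer; a buffered reply stalls the ACL check.
        stream_out.flush()


if __name__ == "__main__":
    serve()
```

Read against Rick's step 1: with a helper like this, the ident-gated rule only does what the poster wants if Squid has actually waited for the ident reply before calling the helper, which in his log is what `acl identhosts ident REQUIRED` plus an `http_access` line that tests that ACL achieves ("aclCheck: Doing ident lookup" appears before the second evaluation). Without that, the helper sees `-` and correctly answers `ERR`, and the request falls through to the proxy_auth rule, which is the symptom in the original post.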
Received on Mon Nov 04 2002 - 20:18:37 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:09 MST