Re: [squid-users] authenticate_ttl not working

From: Henrik Nordstrom <[email protected]>
Date: Tue, 10 Dec 2002 03:08:16 +0100

By forgetting about the proxy_auth acl and simply using your group acl
instead.

http_access allow no_auth_hosts
http_access allow allowed_hosts group
http_access deny all

Regards
Henrik

On Tuesday 10 December 2002 03.01, Lee, Jason wrote:
> If I have
>
> acl allowed_hosts src 129.223.92.0/255.255.255.0
> acl no_auth_hosts src 129.223.90.0/255.255.255.0
> acl auth-users proxy_auth REQUIRED
> acl group external ldap_group Group
>
> http_access allow no_auth_hosts
> http_access allow allowed_hosts auth-users
> http_access allow group
>
> and it checks against auth-users it lets me in as being "allowed".
> How then can I get it to check both auth-users & group?
>
> Should I be removing the "http_access allow allowed_hosts
> auth-users" line?
>
> What is the format of the command line flags for testing?
>
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Tuesday, 10 December 2002 11:27 AM
> To: Lee, Jason
> Cc: Squid Users
> Subject: Re: [squid-users] authenticate_ttl not working
>
> On Tuesday 10 December 2002 02.01, Lee, Jason wrote:
> > I am unsure how the external_acl_type fits in with the current
> > auth_param. How/Where do you actually specify a group to check if
> > you are a member. How do you get a custom error message back to
> > the browser.
>
> Both proxy_auth and external_acl_type using %LOGIN in the format
> specification are users of the authentication schemes configured by
> auth_param.
>
> proxy_auth matches individual user names.
>
> external_acl_type sends the configured data (username + group for
> group helpers) to an external helper which is responsible for
> verifying if the data is true or false.
>
> In both cases the user will be asked to authenticate himself if not
> yet authenticated.
>
>
> The group to check membership can either be specified in the
> external_acl_type directive as command line options to the selected
> helper, or more preferred via the acl directive connecting to the
> external_acl_type. By using the acl directive for specifying the
> group(s) you can reuse the same external_acl_type definition for
> multiple different groups, hence the name "external_acl_type"
> (defines a new type of acl, using a helper to verify if it is a
> match or not).
>
>
> Returning custom error messages is done by the deny_info directive.
> Works identical for all the acl types except for a small difference
> on proxy_auth type acls where the user will be asked to
> reauthenticate if denied by a proxy_auth type acl and the custom
> message is only visible if the login request is cancelled (does not
> external acls at this time. there the user will simply be denied
> access).
>
> Regards
> Henrik
Received on Mon Dec 09 2002 - 19:08:38 MST
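
Added example, not part of the original messages and not Squid code: a simplified Python model of http_access evaluation (first matching line wins, ACLs on one line are ANDed) run against the two rule sets from this thread, showing why the original rules never reach the group check for hosts in allowed_hosts. The user name, client addresses and the in_group flag are constructed, and an unauthenticated request is treated as a non-match instead of triggering a login prompt.

```python
from ipaddress import ip_address, ip_network

# src ACLs copied from the thread; everything else below is a constructed model.
SRC = {"no_auth_hosts": ip_network("129.223.90.0/255.255.255.0"),
       "allowed_hosts": ip_network("129.223.92.0/255.255.255.0")}

def acl_matches(name, req):
    """True if one ACL matches the request (a dict with src, user, in_group)."""
    if name == "all":
        return True
    if name in SRC:
        return ip_address(req["src"]) in SRC[name]
    if name == "auth-users":  # proxy_auth REQUIRED: any authenticated user
        return req["user"] is not None
    if name == "group":       # external ldap_group: authenticated AND a member
        return req["user"] is not None and req["in_group"]
    raise KeyError(name)

def evaluate(rules, req):
    """Return (action, index of deciding rule); ACLs on one line are ANDed."""
    for i, (action, acls) in enumerate(rules):
        if all(acl_matches(a, req) for a in acls):
            return action, i  # first matching line wins, later lines are skipped
    # No line matched: Squid defaults to the opposite of the last line.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

ORIGINAL = [("allow", ["no_auth_hosts"]),
            ("allow", ["allowed_hosts", "auth-users"]),
            ("allow", ["group"])]
FIXED = [("allow", ["no_auth_hosts"]),
         ("allow", ["allowed_hosts", "group"]),
         ("deny", ["all"])]

# Constructed sample requests.
LAN_NON_MEMBER = {"src": "129.223.92.10", "user": "jlee", "in_group": False}
LAN_MEMBER = {"src": "129.223.92.10", "user": "jlee", "in_group": True}
OUTSIDE_MEMBER = {"src": "10.0.0.1", "user": "jlee", "in_group": True}
NO_AUTH_HOST = {"src": "129.223.90.5", "user": None, "in_group": False}

if __name__ == "__main__":
    for label, req in [("LAN non-member", LAN_NON_MEMBER), ("LAN member", LAN_MEMBER),
                       ("outside member", OUTSIDE_MEMBER), ("no-auth host", NO_AUTH_HOST)]:
        print(f"{label:15} original={evaluate(ORIGINAL, req)} fixed={evaluate(FIXED, req)}")
```

In this model the original rules also admit a group member from outside both networks through the last line, which the corrected rules deny.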
