[squid-users] proxy_auth and external helpers behaviour with http_access

From: Rolf <[email protected]>
Date: Fri, 18 Mar 2005 14:12:28 +1100

hello

presently we have working perfectly, basic auth against an ldap query
to Active Directory.
so acls:
acl authenticated_user proxy_auth REQUIRED
acl group1 external ...detail of helper and dn of group name etc

At the moment there is
http_access allow authenticated_user group1
http_access deny all
so when a request to go to a site is received, proxy auth is sent and
credentials checked and if correct and user in group, access is
allowed.

Firstly what happens if I put
http_access allow group1
before the the proxy auth request?
Does it break if the credentials are not already available (cached from
some previous time) to pass to the helper, or what?

Secondly, what is the behaviour with multiple acls that refer to
different groups? for eg

acl group1 external ... blah blah group reference
acl group2 external ...blah blah another group reference
acl group3 external ...blah yet another group

Assuming the user is in some of the groups but not others.

If I say

http_access allow authenticated_user group1
http_access allow authenticated_user group2
http_access allow authenticated_user group3
and so on to
http_access deny all

Does that force the proxy auth request to be resent each time?
Or are the cached credentials used and then tested against the
different groups via the helper as they are encountered in the rules?

If the latter, as I suspect, then can I rewrite the above list as:

http_access allow authenticated_user group1
http_access allow group2
http_access allow group3
etc
http_access deny all

And the single, first, instance of the proxy auth request will suffice
to establish the credentials, which are then used as required with the
further group2, group3 ... decisions?

thanks

rolf.
Received on Thu Mar 17 2005 - 20:12:49 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST