[squid-users] Authentication bug with external ACLs in 2.5 STABLE 12?

From: Christoph Haas <[email protected]>
Date: Mon, 19 Dec 2005 14:01:32 +0100

Evening...

we have just spent two days hunting down a phenomenon regarding external
ACLs. I suspect a bug so I'll be a bit more verbose.

In our current setup (Squid 2.5.9 / Debian Sarge) we run a pretty complex
configuration with LDAP authentication and multiple external
squid_ldap_group calls for certain authorizations from LDAP groups. While
I was playing with a few changes on a test server (running Squid 2.5.12
from Debian Sid) I quickly found out that things didn't work the way that
they did before. Especially the user was prompted to re-authenticate (407)
time and again without an obvious reason because the credentials were
okay.

After tracking it down I ended up with a rather simple configuration that
worked well on a Squid 2.5.9 but not on a Squid 2.5.12. These are the
relevant parts of the squid.conf:

==========================
external_acl_type LDAP_group %LOGIN /usr/lib/squid/squid_ldap_group ...

auth_param basic program /usr/lib/squid/ldap_auth ...

acl ldap-auth proxy_auth REQUIRED
acl ldapgroup-allowed external LDAP_group PROXY_ALLOWED

http_access deny !ldap-auth
http_access deny !ldapgroup-allowed
http_access allow all
==========================

On a 2.5.9 if the user is not a member of the group "PROXY_ALLOWED" but
authenticates correctly I get this correct log entry:

1134746078.117     42 127.0.0.1 TCP_DENIED/403 2557 GET http://www.domain.com/ chris NONE/- text/html

The cache.log (with ACL debugging enabled) reads:

The request GET http://www.domain.com/ is DENIED, because it matched 'ldapgroup-allowed'

So this is correct. The "http_access deny ldapgroup-allowed" denies the
access, the user gets an error page and the code 403 is logged.

Whereas on a 2.5.12 the user who is not a member of the "PROXY_ALLOWED" group
will be prompted for the password time and again. The access.log reads:

1134746808.068 34 10.0.0.1 TCP_DENIED/407 2675 GET http://www.domain.com/ chris NONE/- text/html

(Note the 407!)

The cache.log (with ACL debugging enabled) reads:

The request GET http://www.domain.com/ is DENIED, because it matched 'ldapgroup-allowed'

So it appears like the very same "http_access" line is matching but not
giving back a 403 but rather a 407.

I'd like to hear comments. Perhaps the developers have an idea what may
have changed between stable 9 and stable 12 that could cause this. Thanks
in advance.

 Christoph

P.S.: Bear with me if the config contains typos. I mangled it to hide some
      of our configuration internals. :)

Received on Mon Dec 19 2005 - 06:01:39 MST
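An added example (not part of Christoph's post or of Squid itself) that parses access.log lines in the native format quoted above and flags the symptom he describes: a 407 challenge issued for a request on which Squid already logged a username, i.e. credentials were accepted yet the client is re-prompted. The function names and the sample lines are my own constructions, using placeholder hosts.

```python
import re
from collections import Counter

# Squid native access.log layout, as in the lines quoted in the post:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Label an entry by how the proxy_auth / external ACL chain treated it.
    'challenge' : 407 with no username    -> the normal first challenge
    'auth-loop' : 407 with a username     -> re-prompt despite accepted credentials (the symptom)
    'denied'    : 403 with a username     -> group ACL deny, the expected outcome
    'ok'        : anything else
    """
    status, user = entry["status"], entry["user"]
    if status == "407":
        return "challenge" if user == "-" else "auth-loop"
    if status == "403" and user != "-":
        return "denied"
    return "ok"

def find_auth_loops(lines):
    """Count, per user, the 407s Squid issued after it already knew the username."""
    loops = Counter()
    for line in lines:
        e = parse_line(line)
        if e and classify(e) == "auth-loop":
            loops[e["user"]] += 1
    return loops

# Constructed sample: the 2.5.9 (403) and 2.5.12 (407) lines from the post, a repeat
# of the 407, a normal anonymous challenge, and a normal cache miss.
SAMPLE_LOG = [
    "1134746078.117     42 127.0.0.1 TCP_DENIED/403 2557 GET http://www.domain.com/ chris NONE/- text/html",
    "1134746808.068 34 10.0.0.1 TCP_DENIED/407 2675 GET http://www.domain.com/ chris NONE/- text/html",
    "1134746809.001 12 10.0.0.1 TCP_DENIED/407 2675 GET http://www.domain.com/ chris NONE/- text/html",
    "1134746810.500 5 10.0.0.2 TCP_DENIED/407 2675 GET http://www.domain.com/ - NONE/- text/html",
    "1134746811.200 310 10.0.0.2 TCP_MISS/200 8123 GET http://www.domain.com/ alice DIRECT/192.0.2.10 text/html",
]

if __name__ == "__main__":
    for user, n in find_auth_loops(SAMPLE_LOG).items():
        print(f"{user}: {n} re-challenges (407) although credentials were already accepted")
```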

This archive was generated by hypermail pre-2.1.9 : Sat Dec 31 2005 - 12:00:02 MST