Re: [squid-users] Authentication bug with external ACLs in 2.5 STABLE 12?

From: Christoph Haas <[email protected]>
Date: Tue, 20 Dec 2005 12:25:49 +0100

Hi, Serassio et al...

thank you very much for the pointers.

On Monday 19 December 2005 23:42, Serassio Guido wrote:
> At 14.01 19/12/2005, Christoph Haas wrote:
> > we have just spent two days hunting down a phenomenon regarding
> > external ACLs. I suspect a bug so I'll be a bit more verbose.
> [...]
> You need some simple logical changes in your ACLs, the following
> should work, I hope ... :-)
>
> acl our_networks src put_your_local_network_here
>
> http_access deny !ldap-auth
> http_access deny !ldapgroup-allowed our_networks
> http_access allow all

If I remember correctly, it's always the "last ACL" that finally triggers.
So if I write "http_access deny A B C" it's the 'C' ACL which is the
"cause" for the denial (like I need to configure a "deny_info" for the 'C'
ACL here to make that work).

So if that's true I would have to replace

=> http_access deny !ldapgroup-allowed

...by...

=> acl dummy_acl src 0.0.0.0/0.0.0.0
=> http_access deny !ldapgroup-allowed dummy_acl

...just to make the "dummy_acl" match without triggering reauthentication?

That just looks ugly to me. But okay. :)

What's confusing in
http://www.squid-cache.org/mail-archive/squid-users/200511/0339.html
(Hendrik):

| Squid prompts for login credentials if the user is denied access by an
| authentication related acl (proxy_auth, proxyauth_regex, external using
| %LOGIN).

External using %LOGIN? When I use LDAP groups for authorization (not
authentication) purposes I need the '%LOGIN'. Example from our
configuration:

=> external_acl_type LDAP_group %LOGIN /usr/lib/squid/squid_ldap_group ...

I need the '%LOGIN' here since the username is passed to the
squid_ldap_group external helper to find out whether the user is a member of
a certain group. Currently I can't see why this is handled as if it were
"authentication". How can I work around this?

I'm willing to accept any changes but I'd like to understand the whys and
hows. Thanks in advance.

 Christoph

-- 
~
~
".signature" [Modified] 2 lines --100%--                2,41         All
Received on Tue Dec 20 2005 - 04:25:57 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 31 2005 - 12:00:02 MST
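The point under discussion in the message above (which ACL on a matching
http_access deny line ends up being the "cause" of the denial, and why a
trailing catch-all such as "dummy_acl" changes the result from a 407
re-prompt to a plain 403) can be followed in a small model. The block below
is an added illustration written for this archive page; it is not Squid
code and not from any poster in the thread. It assumes only Squid's
documented rule set: the ACLs on one http_access line are ANDed
left-to-right, evaluation of that line stops at the first ACL that does not
match, and if the line that finally decides the request is a deny and the
last ACL checked is authentication-related (proxy_auth, proxy_auth_regex,
or an external ACL using %LOGIN), Squid challenges with 407 instead of
answering 403. The ACL names, the group name "proxy-users", the source
addresses and the helper stubs are made-up sample data, and real proxy_auth
handling of missing credentials is simplified to "does not match".

```python
"""
Simplified model of Squid's http_access evaluation and of the
"last ACL checked decides 403 vs 407" rule. Added example for this thread,
not Squid source. ACL names, group names, addresses and helper stubs are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# ACL types Squid treats as authentication-related when deciding whether
# a denial should re-prompt for credentials (external_login stands in for
# "external_acl_type ... %LOGIN").
AUTH_RELATED_TYPES = {"proxy_auth", "proxy_auth_regex", "external_login"}


@dataclass
class Request:
    user: Optional[str]            # None = no credentials supplied
    src: str                       # client address (sample value only)
    groups: Set[str] = field(default_factory=set)  # stub for the LDAP group helper


@dataclass
class Acl:
    name: str
    acl_type: str
    matcher: Callable[[Request], bool]


@dataclass
class Decision:
    action: str      # "allow" or "deny"
    last_acl: str    # the ACL Squid would report as AclMatchedName
    status: int      # 200 (allowed), 403 (denied) or 407 (denied, re-prompt)


Rule = Tuple[str, List[str]]   # ("deny", ["!ldapgroup-allowed", "dummy_acl"])


def evaluate(rules: List[Rule], acls: Dict[str, Acl], req: Request) -> Decision:
    """Walk http_access lines in order; first fully matching line wins."""
    last_checked: Optional[Acl] = None
    action = "deny"
    for rule_action, terms in rules:
        line_matches = True
        for term in terms:
            negate = term.startswith("!")
            acl = acls[term.lstrip("!")]
            last_checked = acl                      # Squid remembers this one
            matched = acl.matcher(req)
            if negate:
                matched = not matched
            if not matched:                         # AND failed: stop this line
                line_matches = False
                break
        if line_matches:
            action = rule_action
            break
    else:
        # No line matched: Squid's default is the opposite of the last line.
        action = "deny" if rules and rules[-1][0] == "allow" else "allow"

    if last_checked is None:
        return Decision("deny", "(none)", 403)
    if action == "allow":
        return Decision("allow", last_checked.name, 200)
    status = 407 if last_checked.acl_type in AUTH_RELATED_TYPES else 403
    return Decision("deny", last_checked.name, status)


def build_acls() -> Dict[str, Acl]:
    """Sample ACL set modelled on the configuration discussed in the thread."""
    return {
        # proxy_auth: matches only when credentials were supplied
        "ldap-auth": Acl("ldap-auth", "proxy_auth", lambda r: r.user is not None),
        # external_acl_type LDAP_group %LOGIN ...: group membership lookup stub
        "ldapgroup-allowed": Acl(
            "ldapgroup-allowed", "external_login",
            lambda r: r.user is not None and "proxy-users" in r.groups),
        # acl dummy_acl src 0.0.0.0/0.0.0.0: matches every client
        "dummy_acl": Acl("dummy_acl", "src", lambda r: True),
        "all": Acl("all", "src", lambda r: True),
    }


# The two variants from the message: without and with the trailing catch-all.
ORIGINAL_RULES: List[Rule] = [
    ("deny", ["!ldap-auth"]),
    ("deny", ["!ldapgroup-allowed"]),
    ("allow", ["all"]),
]
WITH_DUMMY_ACL: List[Rule] = [
    ("deny", ["!ldap-auth"]),
    ("deny", ["!ldapgroup-allowed", "dummy_acl"]),
    ("allow", ["all"]),
]


def compare(req: Request) -> Tuple[Decision, Decision]:
    """Evaluate one request under both rule sets."""
    acls = build_acls()
    return evaluate(ORIGINAL_RULES, acls, req), evaluate(WITH_DUMMY_ACL, acls, req)


if __name__ == "__main__":
    for req in (Request(None, "10.0.0.5"),
                Request("alice", "10.0.0.5"),
                Request("bob", "10.0.0.5", {"proxy-users"})):
        before, after = compare(req)
        print(f"user={req.user!r:8} original -> {before.status} via {before.last_acl}; "
              f"with dummy_acl -> {after.status} via {after.last_acl}")
```

Running it shows the three cases that matter: a request without
credentials is denied via ldap-auth in both variants and gets a 407, which
is the wanted prompt; an authenticated user outside the group is denied via
ldapgroup-allowed (a %LOGIN external ACL) in the original rules and is
therefore re-prompted, whereas with dummy_acl as the last ACL on the line
the same user is denied via dummy_acl and simply gets a 403; a group member
falls through to "allow all".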