Re: [squid-users] Authentication bug with external ACLs in 2.5 STABLE 12?

From: Serassio Guido <[email protected]>
Date: Tue, 20 Dec 2005 17:12:39 +0100

Hi,

At 12.25 20/12/2005, Christoph Haas wrote:

>If I remember correctly it's always the "last ACL" that finally triggers.
>So that if I write "http_access deny A B C" it's the 'C' ACL which is the
>"cause" for the denial (like I need to configure a "deny_info" for the 'C'
>ACL here to make that work).
>
>So if that's true I would have to replace
>
>=> http_access deny !ldapgroup-allowed
>
>...by...
>
>=> acl dummy_acl src 0.0.0.0/0.0.0.0
>=> http_access deny !ldapgroup-allowed dummy_acl
>
>...just to make the "dummy_acl" match without triggering reauthentication?
>
>That just looks ugly to me. But okay. :)

Correct, similar to my example.

>What's confusing in
>http://www.squid-cache.org/mail-archive/squid-users/200511/0339.html
>(Hendrik):
>
>| Squid prompts for login credentials if the user is denied access by an
>| authentication related acl (proxy_auth, proxyauth_regex, external using
>| %LOGIN).
>
>External using %LOGIN? When I use LDAP groups for authorization (not
>authentication) purposes I need the '%LOGIN'. Example from our
>configuration:
>
>=> external_acl_type LDAP_group %LOGIN /usr/lib/squid/squid_ldap_group ...
>
>I need the '%LOGIN' here since the username is passed to the
>squid_ldap_group external helper to find out whether the user is member of
>a certain group. Currently I can't see why this is handled like it's an
>"authentication". How can I work around this?

After this patch, when you are using an external ACL with %LOGIN, you
don't need anymore the "http_access deny !ldap-auth" line, because
the authentication is triggered automatically, so your config will be:

==========================
external_acl_type LDAP_group %LOGIN /usr/lib/squid/squid_ldap_group ...

auth_param basic program /usr/lib/squid/ldap_auth ...

acl ldapgroup-allowed external LDAP_group PROXY_ALLOWED
acl dummy_acl src 0.0.0.0/0.0.0.0

http_access deny !ldapgroup-allowed dummy_acl
http_access allow all
==========================

>I'm willing to accept any changes but I'd like to understand the whys and
>hows. Thanks in advance.

After this change, we can choice if have or don't have a new
authentication prompt after an external ACL deny. Before, this cannot be done.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Tue Dec 20 2005 - 09:12:44 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 31 2005 - 12:00:02 MST