Re: [squid-users] Authentication bug with external ACLs in 2.5 STABLE 12?

From: Christoph Haas <[email protected]>
Date: Tue, 20 Dec 2005 22:36:08 +0100

Guido...
(sorry for the name mixup but you swapped the first and last name of your
real name)

On Tuesday 20 December 2005 17:12, Serassio Guido wrote:
> At 12.25 20/12/2005, Christoph Haas wrote:
> >I need the '%LOGIN' here since the username is passed to the
> >squid_ldap_group external helper to find out whether the user is a member
> > of a certain group. Currently I can't see why this is handled like
> > it's an "authentication". How can I work around this?
>
> After this patch, when you are using an external ACL with %LOGIN, you
> no longer need the "http_access deny !ldap-auth" line, because
> the authentication is triggered automatically, so your config will be:
>
> ==========================
> external_acl_type LDAP_group %LOGIN /usr/lib/squid/squid_ldap_group ...
>
> auth_param basic program /usr/lib/squid/ldap_auth ...
>
> acl ldapgroup-allowed external LDAP_group PROXY_ALLOWED
> acl dummy_acl src 0.0.0.0/0.0.0.0
>
> http_access deny !ldapgroup-allowed dummy_acl
> http_access allow all
> ==========================

Makes sense. That has probably worked before, too, since LDAP_group needed
the user name (%LOGIN) to decide whether the ACL matches. But now it's
clear (to me).

> After this change, we can choose whether or not to have a new
> authentication prompt after an external ACL deny. Before, this could not
> be done.

Currently I don't have a use for that feature. But perhaps one day I'll be
more thankful for it. Thanks for your time.

 Christoph

-- 
~
~
".signature" [Modified] 1 line --100%--                1,48         All
Received on Tue Dec 20 2005 - 14:36:12 MST
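
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Squid code: a simplified Python model of http_access evaluation in which an ACL that needs %LOGIN triggers a 407 when no credentials are present, and a matching deny line re-prompts (407) only if its last ACL is login-based, otherwise it answers 403. The user names, the group membership set and the assumption that supplied credentials are always valid are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Acl:
    name: str
    needs_login: bool                  # proxy_auth, or external ACL using %LOGIN
    match: Callable[[dict], bool]

@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    terms: list                        # [(negated, Acl), ...] in config order

def evaluate(rules, request):
    """Return the status this model answers with: 200, 403 or 407."""
    for rule in rules:
        matched = True
        for negated, acl in rule.terms:
            if acl.needs_login and request.get("user") is None:
                return 407             # no credentials yet: challenge is automatic
            if acl.match(request) == negated:
                matched = False        # this term fails, so the line does not apply
                break
        if not matched:
            continue
        if rule.action == "allow":
            return 200
        # Deny matched: the last ACL on the line decides prompt (407) vs. refusal (403).
        return 407 if rule.terms[-1][1].needs_login else 403
    # No line matched: do the opposite of the last line's action.
    return 403 if rules and rules[-1].action == "allow" else 200

# Constructed sample data: members of the PROXY_ALLOWED group.
PROXY_ALLOWED = {"alice"}

ldapgroup = Acl("ldapgroup-allowed", True, lambda r: r["user"] in PROXY_ALLOWED)
dummy_acl = Acl("dummy_acl", False, lambda r: True)    # src 0.0.0.0/0.0.0.0
all_acl = Acl("all", False, lambda r: True)

# http_access deny !ldapgroup-allowed dummy_acl / http_access allow all
WITH_DUMMY = [Rule("deny", [(True, ldapgroup), (False, dummy_acl)]),
              Rule("allow", [(False, all_acl)])]
# http_access deny !ldapgroup-allowed / http_access allow all
WITHOUT_DUMMY = [Rule("deny", [(True, ldapgroup)]),
                 Rule("allow", [(False, all_acl)])]

if __name__ == "__main__":
    for label, rules in (("with dummy_acl", WITH_DUMMY), ("without", WITHOUT_DUMMY)):
        for user in (None, "alice", "bob"):
            print(label, user, evaluate(rules, {"user": user}))
```

In this model an authenticated user outside the group gets a plain 403 with the dummy_acl line and a fresh 407 prompt without it.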
