RE: [squid-users] Anyone Use wbinfo_group.pl?

From: Terry Dobbs <[email protected]>
Date: Wed, 28 Nov 2007 09:31:12 -0500

What exactly do you mean?

Should I set it up like this?
external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
acl NoInternet external ntgroup NoInternet

http_access deny NoInternet ALL

So by default the last thing on the line is AUTH? What exactly does the
ALL do to make it not pop up (it appears to work btw).

Also, when changing group membership in AD, for the changes to take
effect would you have to reload squid, samba, and winbind? Is there
anyway (other than editing the default squid error page, to redirect
them if they are blocked? I do this with squidguard, not sure if its
possible with this script/squid.

Thanks

-----Original Message-----
From: Amos Jeffries [mailto:squid3@treenet.co.nz]
Sent: Wednesday, November 28, 2007 3:15 AM
To: Terry Dobbs
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Anyone Use wbinfo_group.pl?

Terry Dobbs wrote:
> Hey
>
> I have a transparent proxy setup using squid, winbind, samba, etc... I
> got sick of manually blocking IP addresses from accessing the internet
> and stumbled across an article (thank god for google!) that allows
> access based on AD Group.
>
> It pretty much looks like...
>
> external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
> acl NoInternet external ntgroup NoInternet
>
> Then there is the http_access deny line that denies the NoInternet
> group.
>
> This seems to work fine, if a user belongs to the NoInternet group
they
> are prompted for Username/Password and even if they put in the correct
> credentials they aren't allowed to go anywhere.
>
> My question is, instead of prompting for username/password if a user
> belongs to the group, how do I just redirect them to a page? No other
> time is my users prompted for authentication as it uses the NT "pass
> through" credentials, so not sure why it wants to prompt now.
>
> Hoping someone out there is doing something similar?

The credientials are asked again because auth is the last option to
complete the http_access rule.

There is a hack/workaround of adding 'all' as the last item on the line
which apparently prevents the credentials being sought if they fail the
first time.

I suspect your other rules go something like
   http_access !noauth localnet
which has the same effect of not requesting again on failure.

Amos
Received on Wed Nov 28 2007 - 07:29:15 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:02 MST