Re: [squid-users] Squid ldap group authentication with Zimbra LDAP

From: Kevin Kimani <kevinkimani_at_gmail.com>
Date: Tue, 23 Feb 2010 12:49:30 +0300

oops had left out tthe deny part

acl ldapauth proxy_auth REQUIRED
acl InetAccess external InetGroup Admins
acl InetDeny external InetGroup Users

http_access deny InetDeny
http_access deny bannedips
http_access allow InetAccess
http_access allow my_network

When i do this, all are blocked from accessing the internet either
from group Admin or users.

Regards

On Tue, Feb 23, 2010 at 12:38 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> Kevin Kimani wrote:
>>
>> Find below the configurations placed in my config file
>>
>> auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b
>> dc=openworld,dc=co,dc=ke -f "(&(uid=%s)(objectClass=zimbraAccount))"
>> -h 192.168.111.130
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hour
>>
>> external_acl_type InetGroup ttl=300 %LOGIN
>> /usr/lib/squid/squid_ldap_group -v 3 -b dc=openworld,dc=co,dc=ke -B
>> "uid=zimbra,cn=admins,cn=zimbra" -w ldapadmin -f
>> "(&(uid=%u)(objectClass=zimbraAccount))" -h 192.168.111.130
>>
>> acl ldapauth proxy_auth REQUIRED
>> acl InetAccess external InetGroup Admins
>>
>> http_access allow InetAccess
>> http_access allow my_network
>>
>> For authentication of a single user it works since it asks for
>> authentication but group authentication it aint.
>
> There is nothing in that http_access list to prevent access. Everyone who is
> ether an "Admin" group or "my_network" has full access.
>
> You need either:
> �1) if you want a whole group bocked: an additional "acl InetDenied external
> InetGroup ..." for the group(s).
>
> or
> 2) if you want individuals blocked: an "acl InetDenied proxy_user ..."
> listing the usernames.
>
> ... along with "http_access deny IdentDenied" to prevent the selected users
> having web access. Probably right after the admin permit line.
>
> Amos
>
>>
>> Regards
>>
>>
>> On Tue, Feb 23, 2010 at 11:29 AM, Amos Jeffries <squid3_at_treenet.co.nz>
>> wrote:
>>>
>>> Kevin Kimani wrote:
>>>>
>>>> Hi all,
>>>> Am having a problem trying to authenticate a group that i have set up
>>>> in my zimbra mail server. the users are stored in an ldap database
>>>> thus thought that authentication would just be the same as other ldap
>>>> databases. am able to authenticate users in singular but want to barr
>>>> some users in a particular group. the command i have is letting
>>>> everyone access the internet. "external_acl_type InetGroup %LOGIN
>>>> /usr/lib/squid/squid_ldap_group -v 3 -b dc=xxxxxx,dc=co,dc=ke -f
>>>> "(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
>>>> would anyne have an idea how to go about it? am in terrible need for it
>>>> to
>>>> work.
>>>> Regards
>>>
>>> external_acl_type merely runs a lookup helper, you have additional "acl"
>>> lines specifying how its used and various http_access lines as well
>>> specifying how the acl lines affect peoples HTTP requests.
>>> �We need to know all those other lines to tell what/why you have this
>>> problem.
>>>
>>> Amos
>>> --
>>> Please be using
>>> �Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
>>> �Current Beta Squid 3.1.0.16
>>>
>
>
> --
> Please be using
> �Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
> �Current Beta Squid 3.1.0.16
>
Received on Tue Feb 23 2010 - 09:49:59 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 23 2010 - 12:00:06 MST