Re: [squid-users] external_acl_type + squid_ldap_auth

From: Rafael Gomes <rafaelgomes_at_techfree.com.br>
Date: Wed, 29 Aug 2012 16:42:02 -0300

Thanks guys!

My problem was solved by Amos's answer.

On Tue, Aug 28, 2012 at 7:30 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 28/08/2012 9:18 a.m., Eliezer Croitoru wrote:
>>
>> On 8/27/2012 11:23 PM, Rafael Gomes wrote:
>>>
>>> acl rafael external check_user rafael.gomes
>>> http_access deny rafael
>>
>> you must understand that the check is yes\no match.
>> it will request username for:
>> http_access deny rafael
>>
>> so if you have wrong username squid will move on to the next acl since the
>> username is not a match to "rafael" acl.
>
>
> Worse than this. You need the username details to supply %LOGIN. Which in
> turn is used to determine what the username details are...
>
> So Squid must already be aware of the username, finished performing
> authentication in order to start calling this ACL test.
>
> There are two choices:
> 1) If you are already authenticating everyone. Create an "acl rafael
> proxy_auth rafael" test. That ACL will check the credentials and match only
> for that one user. So when you use it make sure it's not on the end of the
> line (eg test it with "http_access deny rafael all" to prevent popups)
>
> 2) use a "fake" authentication helper (bundled now with squid 3.2) to accept
> any garbage they send. It will still request credentials from the browser
> though. User "Rafael" could simply send username "annie" and get past this
> type of security block.
>
>
> Amos

-- 
Rafael Gomes
IT Consultant
LPIC-1 MCSO
(71) 8318-0284
Attention: This e-mail may contain attachments in ODF (Open Document
Format)/ABNT format (extensions odt, ods, odp, odb, odg). Before asking for the
attachments in another format, you can install BrOffice freely and at no cost
(http://www.broffice.org).
Received on Wed Aug 29 2012 - 19:42:10 MDT
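
Amos's option 1 written out as a squid.conf fragment (an added example, not configuration posted in the thread). The helper path, LDAP server, base DN and realm are placeholders, and the login name rafael.gomes is assumed from the original ACL line.

```conf
# Added example: block one authenticated user with a proxy_auth ACL.
# Placeholders (assumptions): helper path, LDAP host, base DN, realm.

# Authentication has to be configured so Squid knows the username
# before any per-user ACL can be evaluated.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -h ldap.example.com
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

# Matches any user whose credentials the helper accepted.
acl authed proxy_auth REQUIRED

# Matches only this one login (assumed from the original ACL line).
acl rafael proxy_auth rafael.gomes

# Challenge anyone who has not authenticated yet. Here the proxy_auth
# ACL is last on the line on purpose, so the browser is asked to log in.
http_access deny !authed

# Deny the single user. "all" is placed last so the auth ACL is not at
# the end of the line, which prevents a repeated credentials popup.
http_access deny rafael all

# Everyone else who authenticated is allowed; nothing else gets through.
http_access allow authed
http_access deny all
```

Because the deny rule depends on real credential checks against LDAP, a user cannot get past it by typing a different name unless they also hold that other account's password, which is the weakness Amos points out in option 2.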
