Hi,
Squid-2.5.STABLE1.
My organisation needs to regulate both internet access and binary downloads.
Authentication is NTLM and then LDAP group membership is checked. A member of
the internet-access group can get most places, and a member of the
internet-downloads group can get EXEs and other nasties. Previously downloads
were controlled with regexes but using rep_mime_type acls seems much better
suited to the task.
My problem: in short, I can't use LDAP groups to grant/deny access to certain
MIME types.
It seems external acl helpers which take username as an argument must be of
type %LOGIN. A side effect is that require_auth is set and therefore an
authentication check is performed before the external helper is called. Since
I'm doing a http_*reply*_access check for the MIME type, it fails
(understandably) with a "no connection data" message in the cache log.

    } else if (strcmp(token, "%LOGIN") == 0) {
        format->type = EXT_ACL_LOGIN;
        a->require_auth = 1;

But adding a custom type foobar seemed to work (external_acl.c):

    } else if (strcmp(token, "%FOOBAR") == 0) {
        format->type = EXT_ACL_LOGIN;
        a->require_auth = 0;

Is there a simpler solution?
Is it sensible to use external helpers on reply checks? Side effects?
Has anyone else been down this road?
TIA
Gerard
Received on Wed Nov 13 2002 - 02:04:03 MST
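
The setup described in the message above, written out as an added squid.conf example (not part of Gerard's post and not taken from the Squid distribution). The helper path, LDAP host, base DN, search filter, ACL names and MIME patterns are assumptions. On an unmodified Squid-2.5.STABLE1 the http_reply_access deny rule is the one the post reports failing with "no connection data", because the %LOGIN format sets require_auth on the external ACL.

```conf
# Added illustration, not from the original post. Constructed values:
# helper path, LDAP host, base DN, filter, ACL names, MIME patterns.
# NTLM auth_param settings are assumed to be configured elsewhere.

# Group lookup helper. %LOGIN passes the authenticated user name and,
# as the post notes, sets require_auth on the ACL.
external_acl_type ldap_group %LOGIN /usr/local/squid/libexec/squid_ldap_group -b "dc=example,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h ldap.example.com

acl inet_access    external ldap_group internet-access
acl inet_downloads external ldap_group internet-downloads

# Reply-side match on the Content-Type of the response.
acl binaries rep_mime_type -i ^application/octet-stream$
acl binaries rep_mime_type -i ^application/x-msdownload$

# Request side: only members of internet-access may browse.
http_access allow inet_access
http_access deny all

# Reply side: binaries only for members of internet-downloads.
# This is the rule that needs the user name during a reply check.
http_reply_access deny binaries !inet_downloads
http_reply_access allow all
```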