Re: [squid-users] ldap groupofnames authentication

From: <mbarton2@dont-contact.us>
Date: Mon, 24 Feb 2003 10:46:30 +0800

Hi,
I think I didn't explain myself very well :(

Here is what I have:
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth \
    -h ldap://ldap.some.org.au \
    -b "ou=people,dc=some,dc=org,dc=au,o=Internet" \
    -D "cn=admin,o=Internet" \
    -w "password" \
    -u cn
external_acl_type ldap_group %LOGIN /usr/local/squid/libexec/squid_ldap_group \
    -h ldap://ldap.some.org.au \
    -D "cn=admin,o=Internet" \
    -w "password" \
    -b "ou=groups,dc=some,dc=org,dc=au,o=Internet" \
    -f "member=cn=%v,ou=people,dc=some,dc=org,dc=au,o=Internet"

acl localusers proxy_auth REQUIRED
acl proxy_users external ldap_group proxygrp

http_access deny !proxy_users
http_access allow localusers

In this configuration, entering a username which is in the proxygrp in LDAP
gets access even if the password is wrong. If I swap the http_access rules
around, then a username given with the right password will get access even
if they are not a member of the proxygrp. Removing the deny !proxy_users
line also results in the proxygrp not being checked. That is what I meant
by "compete". I need them to be a member of the proxygrp _and_ know their
password.

Thanks for your patience and your help!

regards
Murray

__________________________________________________
Unix System Administrator, CSC
Ph: 08-9429-6780 Email: mbarton2@csc.com.au

----------------------------------------------------------------------------------------
This email, including any attachments, is intended only for use by the
addressee(s) and may contain confidential and/or personal information and
may also be the subject of legal privilege. Any personal information
contained in this email is not to be used or disclosed for any purpose
other than the purpose for which you have received it. If you are not the
intended recipient, you must not disclose or use the information contained
in it. In this case, please let me know by return email, delete the
message permanently from your system and destroy any copies.
----------------------------------------------------------------------------------------

Henrik Nordstrom <hno@squid-cache.org>
21/02/2003 07:35 PM

        To: mbarton2@csc.com.au
        cc: squid-users@squid-cache.org
        Subject: Re: [squid-users] ldap groupofnames authentication

http_access rules never compete with each other.

http_access is an ordered list of rules. The first rule which matches the
request tells if it is to be allowed or denied.

Your two rules are perfectly fine, but the first is strictly not required
as it is also enforced by the second.

The first rule denies any user who has not authenticated himself.

The second allows users who have authenticated themselves and belong to
the proper LDAP group.

Regards
Henrik

Fri 2003-02-21 at 10.16, mbarton2@csc.com.au wrote:
> Thanks for the quick response... I think you are going to need to be
> patient with me a little longer though...
>
> If I have ACL's like
> acl localusers proxy_auth REQUIRED
> acl proxy_users external ldap_group proxygrp
>
> the rules for http_access "compete" with each other-
> http_access deny !proxy_users
> http_access allow localusers
>
> Which bit of the puzzle am I still missing?
>
> Thanks & regards
> Murray
>
> __________________________________________________
> Unix System Administrator, CSC
> Ph: 08-9429-6780 Email: mbarton2@csc.com.au
>
> Henrik Nordstrom <hno@squid-cache.org>
> 21/02/2003 04:21 PM
>
>
> To: mbarton2@csc.com.au, squid-users@squid-cache.org
> cc:
> Subject: Re: [squid-users] ldap groupofnames authentication
>
>
> On Friday 21 February 2003 08.48, mbarton2@csc.com.au wrote:
>
> > So... how *do* I get squid_ldap_group to check that user_name is a
> > member of proxygrp *and* authenticate them like I did with
> > squid_ldap_auth?
>
> You make use of both.
>
> squid_ldap_auth in the "auth_param basic .." directive,
> squid_ldap_group in the "external_acl_type ..." directive.
>
> Then they will automatically cooperate to first authenticate the
> users login+password, and then authorize the user based on his group
> memberships.
>
> Regards
> Henrik

--
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
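A constructed Python model of the first-match http_access walk Henrik describes, added here as an illustration; it is not part of the thread or of Squid itself, and the directory contents, usernames and the stand-ins for squid_ldap_auth / squid_ldap_group are assumptions. It runs both rule orders from the thread so the difference between "deny !proxy_users first" and "allow localusers first" can be seen on sample users.

```python
# Constructed stand-in for the LDAP directory behind squid_ldap_auth/_group.
USERS = {"alice": "s3cret", "bob": "hunter2"}   # cn -> password
GROUPS = {"proxygrp": {"alice"}}                 # group -> member cns

def proxy_auth_required(login, password):
    """acl localusers proxy_auth REQUIRED: matches only valid credentials."""
    return login is not None and USERS.get(login) == password

def external_ldap_group(group, login, password):
    """acl proxy_users external ldap_group proxygrp: the helper only sees a
    %LOGIN that has already passed basic authentication."""
    if not proxy_auth_required(login, password):
        return False
    return login in GROUPS.get(group, set())

def acl_matches(name, login, password):
    """Evaluate one acl reference, honouring a leading '!' (negation)."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "localusers":
        hit = proxy_auth_required(login, password)
    elif name == "proxy_users":
        hit = external_ldap_group("proxygrp", login, password)
    else:
        raise ValueError(f"unknown acl {name}")
    return hit != negate

def http_access(rules, login, password):
    """First-match walk over (action, [acl, ...]) lines; every acl on a
    line must match (AND).  With no matching line, Squid's default is the
    opposite of the last rule's action; with no lines at all it denies."""
    for action, acls in rules:
        if all(acl_matches(a, login, password) for a in acls):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"

# The order from the post: deny non-members first, then allow authenticated users.
POSTED = [("deny", ["!proxy_users"]), ("allow", ["localusers"])]
# The swapped order that let any authenticated user through.
SWAPPED = [("allow", ["localusers"]), ("deny", ["!proxy_users"])]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("swapped", SWAPPED)):
        for who, pw in (("alice", "s3cret"), ("alice", "bad"), ("bob", "hunter2")):
            print(label, who, pw, "->", http_access(rules, who, pw))
```

The model returns a plain "deny" for missing or wrong credentials, where a real Squid would answer with a 407 challenge instead.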
Received on Sun Feb 23 2003 - 19:46:44 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:34 MST