[squid-users] External ACL with Ident

From: <Nathan_LeNevez@dont-contact.us>
Date: Thu, 12 Jun 2003 15:44:40 +1000

Hi Guys,

I have a fairly unique squid setup that I still cannot get working 100%. I
am hoping someone on this list may have a similar setup, or be able to
shine some light on what it is I am doing wrong. Here goes:

Every workstation in the building runs the IDENTD service under windows.
This has been confirmed as working, and squid is able to lookup the
username without problems. Occasionally a workstation's IDENTD service will
die, and there are also a few users who are using laptops that do not have
IDENTD installed.

We have a central Novell Netware system which is running LDAP (eDirectory)
and we place all our users into a group called 'InternetAccess'. I have
also written two programs in C for interfacing with the LDAP database
(external authenticators). The first attempts to bind to LDAP using the
username/password specified by the user, and then it checks to see if the
user is a member of 'InternetAccess'. The second program simply checks to
see if the username exists and is in the 'InternetAccess' group.

In the first instance, I need squid to perform an ident request for the
user. It must then pass this ident response (if any) to my C program to see
if the user is a real user and is in the correct group. If all is well,
accept the user, and record all site visits in the log file.

Failing that, squid should pop up the proxy_auth box and request the
username and password for the user. Pass this info off to the C program and
attempt to bind to the LDAP tree with the given credentials.

This is what my ACL lines look like:

auth_param basic program /usr/local/squid/bin/ldap_acis
external_acl_type ausaid %IDENT /usr/local/squid/bin/ident_acis
acl all src 0.0.0.0/0.0.0.0
ident_lookup_access allow all
acl all ident REQUIRED
acl ident_auth external ausaid REQUIRED
acl ldap_auth proxy_auth REQUIRED
http_access allow ident_auth
http_access allow ldap_auth
http_access deny all

First of all, in this configuration squid does not seem to wait for the
ident reply and I am getting the username/password box. If I ignore it and
keep hitting refresh, eventually it gets a response and caches the info
(allowing me to the internet from then on).

Second of all, if I add any ACLs to check things like dst address (we would
like to allow ALL users access to a few sites), then squid behaves
erratically.

Any sort of help or push in the right direction would be great!

Thanks in advance,

Nathan

-------------------------------------------------------------
Nathan Le Nevez
Information Technology Section
Australian Agency for International Development
Phone: 61 2 6206 4332
Fax: 61 2 6282 4328
Email: nathan_lenevez@ausaid.gov.au

Received on Wed Jun 11 2003 - 23:45:01 MDT
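As an added illustration (not Nathan's C program and not part of the original post), here is the shape of the helper that the `external_acl_type ausaid %IDENT ...` line drives: Squid writes the ident username one per line on stdin and expects `OK` or `ERR` back per line. The LDAP lookup against 'InternetAccess' is replaced by a constructed in-memory set, and the `handle_line` function and the `INTERNET_ACCESS` data are assumptions for the example. The point it shows is the failure mode from the post: when identd is dead or absent, Squid passes `-` (or nothing), and the helper must answer `ERR` so the next `http_access` line (proxy_auth) gets its turn.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl_type helper for a "%IDENT" format string.

Squid sends one request per line on stdin (with format "%IDENT" that is just
the ident-reported username) and waits for "OK" or "ERR" on stdout.  The
membership check is an offline stand-in for the LDAP group lookup.
"""
import sys

# Constructed stand-in for the LDAP group 'InternetAccess' (hypothetical data).
INTERNET_ACCESS = {"alice", "bob"}

# Values Squid substitutes when the ident lookup returned nothing.
NO_IDENT = {"", "-"}


def handle_line(line, members=INTERNET_ACCESS):
    """Return the helper reply for one request line from Squid.

    A missing ident reply (dead identd, laptop without identd) yields ERR so
    Squid falls through to the following http_access rule instead of granting
    access on an empty identity.
    """
    fields = line.split()
    ident = fields[0] if fields else ""
    if ident in NO_IDENT:
        return "ERR"
    # Ident is asserted by the client machine, not authenticated; the helper
    # only confirms that the named account is in the access group.
    if ident in members:
        # "user=" lets Squid record the name in access.log for this request.
        return "OK user=%s" % ident
    return "ERR"


def main():
    # Squid blocks on each reply, so flush after every line.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```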