Re: [squid-users] Multiple Auth Realms / E-mail auth

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 4 Jul 2003 19:53:21 +0200

On Friday 04 July 2003 17.15, Diego Rivera wrote:
> On Fri, 2003-07-04 at 04:24, Henrik Nordstrom wrote:
> > Not only. The proxy_auth and proxy_auth_regex acl types also
> > support a kind of groups, but not external such.
>
> I understand how proxy_auth_regex could be able to do this, but I
> don't see an example of it. Could you provide me with a short one
> to give me a clear idea of what you mean here?

Some examples:

acl group1 proxy_auth "/path/to/file/listing/users/in/group1"

acl group2 proxy_auth "/path/to/file/listing/users/in/group2"

acl domain1 proxy_auth_regex @example\.com$

acl domain2 proxy_auth_regex @example\.org$

Or to detail: The proxy_auth and proxy_auth_regex types match against the
user's authenticated user name. Both define a list of possible
matches. The proxy_auth type also defines the magic login name match
REQUIRED which matches any user name to simplify the case of all
users.

Neither of these acl types is responsible for performing the actual
authentication. Authentication occurs as a side effect from these acl
types requiring a valid user name. Because Squid requires
authentication to be able to process a proxy_auth acl type,
authentication will be required as soon as it encounters such an acl in
http_access.

> If the external_acl_type definition gives the helper arguments (or,
> rather, an argument set format), would the 'acl external' clause
> then offer additional arguments, or just the arguments to fill
> those expected by external_acl_type?

Additional arguments.

external_acl_type sets what information from the requests should be
sent to the helper, plus any command line arguments which need to be
sent to the helper.

The acl clause adds to this additional information related to the
specific acl, for example group names etc.

> Is all this documented extensively outside the conf file? Where
> might I find examples of this?

Some info can be found on http://devel.squid-cache.org/external_acl/,
but most of this is in squid.conf.default already.

There is also documentation included in each helper shipped with Squid
on how to configure Squid to use that helper. Most use a combination
of external_acl_type to define the helper and acl external to define
acls making use of the logic provided by the helper.

The typical example of external acls is group helpers. In such a case
external_acl_type defines the specific group helper much like
auth_param defines an authentication helper, and acl external defines
lists of groups to match, typically something like this example for
LDAP groups:

external_acl_type LDAP_group %LOGIN /path/to/ldap_group [cmdline args]

acl group_Marketing external LDAP_group Marketing

In which case the helper will be asked if the user belongs to the
group Marketing when Squid encounters the acl group_Marketing in
http_access processing.

Regards
Henrik
Received on Fri Jul 04 2003 - 11:53:37 MDT
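
Added example (not part of the original message and not code shipped with Squid): a minimal group helper showing what the helper side of the external_acl_type / acl external pair described above looks like. It assumes each request arrives as one line of whitespace-separated, URL-escaped fields (the %LOGIN value first, then the group names from the acl line) and that the helper answers OK or ERR per line; the group table, user names and helper path are constructed for illustration.

```python
#!/usr/bin/env python3
# Hypothetical wiring in squid.conf (helper path is a placeholder):
#   external_acl_type local_group %LOGIN /path/to/group_helper.py
#   acl group_Marketing external local_group Marketing
import sys
from urllib.parse import unquote

# Constructed sample data: group name -> set of member logins.
GROUPS = {
    "Marketing": {"alice", "bob@example.com"},
    "Engineering": {"carol"},
}


def check_line(line, groups=GROUPS):
    """Answer one request of the form '<login> <group> [<group> ...]'.

    Returns 'OK' if the login belongs to any listed group, else 'ERR'.
    Malformed or anonymous requests fail closed with 'ERR'.
    """
    # Assumption: fields are URL-escaped, so '@' may arrive as '%40'.
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2 or fields[0] == "-":
        return "ERR"  # no login or no group to test: deny
    login, wanted = fields[0], fields[1:]
    for group in wanted:
        # Unknown group names match nobody rather than raising.
        if login in groups.get(group, ()):
            return "OK"
    return "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Helper main loop: one reply line per request line."""
    for line in stdin:
        stdout.write(check_line(line) + "\n")
        stdout.flush()  # the proxy waits for each answer, so never buffer


if __name__ == "__main__":
    serve()
```

Because the helper only ever sees a login that has already passed authentication, it decides group membership and nothing else; the fail-closed ERR on malformed input keeps a parsing surprise from turning into an allow.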