[squid-users] http_reply_access & LDAP external acl

Hi,

I'm using squid-2.5.STABLE5-20040419 and OpenLDAP 2.1.29 an RedHat
Professional WS.
I want to restrict access to certain MIME-Types on a per-user(Group)-level.
The basic idea is to have a group of users that are allowed to access html,
images css, javascript only and another group ("admins") that is allowed
to access everything.
My user accounts are stored in the LDAP directory.

For testing purposes I tried the following setup:
-------------------------------------
auth_param basic program /opt/squid/libexec/squid_ldap_auth -b
"dc=sk,dc=de" -f "(cn=%s)" -D "cn=Manager,dc=sk,dc=de" -w "****" -h
myldaphostname -v 3
auth_param basic children 1
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
[...]
acl users proxy_auth REQUIRED
external_acl_type ldap_group_helper %LOGIN
/opt/squid/libexec/squid_ldap_group -d -D "cn=Manager,dc=sk,dc=de" -w "
****" -v 3 -h myldaphostname -b "dc=sk,dc=de" -B "dc=sk,dc=de" -f "
(&(objectclass=groupOfNames)(cn=%a)(member=%v))" -F "(sn=%s)"
acl admins external ldap_group_helper admins
acl htmltyp rep_mime_type text/html
acl giftyp rep_mime_type image/gif
acl all src 0.0.0.0/0.0.0.0
[...]

http_access allow users
http_access deny all

http_reply_access allow users htmltyp
http_reply_access allow admins
http_reply_access deny all
--------------------------------------

This should allow access to pure HTML for any authenticated user and
additionally allow acces to gif-images for members of the "admins" group.
But it does not. Turning on some debugging produced the result that the
rule "http_reply_access allow admins" never matches , even if the
authenticated user is a member of the admins group.

The LDAP stuff itself seems to be correct. I checked that with the
following config:

http_access allow admins
http_access deny all

(and leave out the extra http_reply_acess)

This works as expected (i.e. members of the admins group are granted
access, all others are denied access).

It seems like the problem only occurs in conjunction with the
http_reply_access.

Any ideas? (My current workaround is a script that reads the admins group
from the LDAP-directory and writes the members into a file. Told squid to
read the "admins" acl from the file instead of the LDAP-directory. That
basically works but is not really elegant )

Disclaimer

Diese E-Mail kann vertrauliche und/oder rechtlich geschützte Informationen
enthalten. Wenn Sie nicht der beabsichtigte Empfänger sind oder diese E-Mail
irrtümlich erhalten haben, informieren Sie bitte sofort den Absender tele-
fonisch oder per E-Mail und löschen Sie diese E-Mail aus Ihrem System. Das
unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht
gestattet. Wir haften nicht für die Unversehrtheit von E-Mails, nachdem sie
unseren Einflussbereich verlassen haben.

This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in error) please
notify the sender immediately by call or e-mail and destroy this e-mail. Any
unauthorised copying, disclosure or distribution of the material in this
e-mail is strictly forbidden. We are not responsible for the integrity of
e-mails after they have left our sphere of control.
Received on Wed Apr 21 2004 - 04:13:05 MDT