[squid-users] Antwort: Re: [squid-users] Squid LDAP authentication with 2003 AD

From: Saqib Khan (horiba/eu) <saqib.khan@dont-contact.us>
Date: Mon, 4 Sep 2006 13:16:08 +0200

Hi,
Thanks for the tip. I had to define an additional acl and then it worked.
Now the problem is that I would like to allow only members of a specific
group to access the internet. For this I have the following line in my config
file.

external_acl_type Internet %LOGIN /usr/lib/squid_ldap_group -R -b "dc=domain,dc=eu" -D "cn=test1,cn=Users,dc=domain,dc=eu" -w "test1" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Users,dc=domain,dc=eu))" -h MyIPAddress

Under TAG:ACL
acl localnet proxy_auth REQUIRED src xxx.xxx.xxx.xxx/24
acl InetAccess external Internet Testgroup

Tag:http_access
http_access allow InetAccess

This is what I additionally set up, after which the internet was working:
http_access allow localnet

I even defined a denygroup and added a test user, but I can still access the
internet by using that user. I think somehow the syntax of group
authentication is not complete.

Best Regards,

Saqib

Henrik Nordstrom <henrik@henriknordstrom.net>
01.09.2006 16:48

To: "Saqib Khan (horiba/eu)" <saqib.khan@horiba.com>
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid LDAP authentication with 2003 AD

On Fri, 2006-09-01 at 15:07 +0200, Saqib Khan (horiba/eu) wrote:
>
> Hello List members,
>
> I am getting a problem after authenticating a user over ldap. After getting
> authenticated I get the following error message:
>
> ERROR
> The requested URL could not be retrieved
>
>
> While trying to retrieve the URL: http://www.google.de/
>
> The following error was encountered:
>
>    Access Denied.

Which says that the request was denied by your http_access directives (or
maybe http_reply_access or miss_access).

The authentication as such most likely worked fine.

Regards
Henrik
Received on Mon Sep 04 2006 - 05:13:11 MDT
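
Added example, not part of the original thread and not either poster's configuration: the access rules from the message above next to a group-restricted arrangement, showing why a user outside Testgroup still gets through. It assumes the auth_param basic setup that already works in the thread; xxx.xxx.xxx.xxx/24, MyIPAddress and the DNs are the thread's own placeholders.

```conf
# --- As posted (commented out): any authenticated user gets out -------------
# A proxy_auth acl takes user names as its arguments, so "src" and the
# address are read as two more user names, and REQUIRED already matches every
# authenticated user. This acl is not a source-address restriction.
#acl localnet proxy_auth REQUIRED src xxx.xxx.xxx.xxx/24
#acl InetAccess external Internet Testgroup
#http_access allow InetAccess
# http_access rules are tried top-down and the first match decides. A user
# outside Testgroup does not match the line above and is allowed by this one.
#http_access allow localnet

# --- Group-restricted arrangement -------------------------------------------
# The helper definition must be a single line in squid.conf.
# The memberof value has to equal the group's full DN. The thread binds under
# cn=Users but filters on ou=Users, so confirm where Testgroup actually lives.
external_acl_type Internet %LOGIN /usr/lib/squid_ldap_group -R -b "dc=domain,dc=eu" -D "cn=test1,cn=Users,dc=domain,dc=eu" -w "test1" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Users,dc=domain,dc=eu))" -h MyIPAddress

# One acl type per acl line.
acl localnet src xxx.xxx.xxx.xxx/24
acl InetAccess external Internet Testgroup

# Acls on the same http_access line are ANDed:
# request comes from the local network AND the user is in Testgroup.
http_access allow localnet InetAccess

# Explicit last rule so no request falls through to an allow.
http_access deny all
```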