Terry Dobbs wrote:
> Hey
>
> I have a transparent proxy setup using squid, winbind, samba, etc... I
> got sick of manually blocking IP addresses from accessing the internet
> and stumbled across an article (thank god for google!) that allows
> access based on AD Group.
>
> It pretty much looks like...
>
> external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
> acl NoInternet external ntgroup NoInternet
>
> Then there is the http_access deny line that denies the NoInternet
> group.
>
> This seems to work fine, if a user belongs to the NoInternet group they
> are prompted for Username/Password and even if they put in the correct
> credentials they aren't allowed to go anywhere.
>
> My question is, instead of prompting for username/password if a user
> belongs to the group, how do I just redirect them to a page? No other
> time is my users prompted for authentication as it uses the NT "pass
> through" credentials, so not sure why it wants to prompt now.
>
> Hoping someone out there is doing something similar?
The credientials are asked again because auth is the last option to
complete the http_access rule.
There is a hack/workaround of adding 'all' as the last item on the line
which apparently prevents the credentials being sought if they fail the
first time.
I suspect your other rules go something like
http_access !noauth localnet
which has the same effect of not requesting again on failure.
Amos
Received on Wed Nov 28 2007 - 01:15:20 MST
This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:02 MST