[squid-users] ACL ordering problem

From: Rolf Loudon <rolf@dont-contact.us>
Date: Wed, 7 May 2008 15:42:50 +1000

hello

I cannot seem to get an ACL sequence to work as I expect it to (using
2.6stable9).

I have right at the start of the config:

acl authenticated_user proxy_auth REQUIRED

then

acl no_auth_unrestricted dstdomain "/usr/local/squid/no_authentication_required"
http_access allow no_auth_unrestricted

the file referenced contains a simple list of domain names.

Further down I have a reference to an Active Directory Group
membership test:

acl ge_users external ADdomainGroup cn=GEUsers,cn=users,dc=example,dc=com
acl ge_sites "/usr/local/squid/ge_sites"
http_access allow ge_users ge_sites authenticated_user

The external acl ADdomainGroup is defined as:

external_acl_type ADdomainGroup ttl=900 %LOGIN /usr/lib/squid/squid_ldap_group -b "<searchbase>" -f (&(cn=%u)(memberOf=%g)) -H "ldap://ldaphost1/ ldap://ldaphost2/" -S -D <bindUsername> -w "password"

The checking of group membership against AD has worked perfectly for
years and has never been an issue.

If I try to go to a site in the "no authentication required" list at
the top I simply get a 403 in the logs and the "access control
prevents access" etc. message. Why does it not simply allow the request?
If I then go to a site that requires authentication, not necessarily
the "ge_sites", but any other allow that has authenticated_user as
part of the conditions, then the 407 is sent, I enter the credentials
and get to the site. Then returning to try a site as above that does
not require auth, the site loads ok and the logs show the browser has
sent the credentials.

If I remove the acl and http_access for ge_users that talks to AD, the
sites requiring no authentication load as expected without need to
send credentials.

How do I arrange the ACLs so that sites that require no authentication
get allowed?

I have tried looking at the output of debug_options ALL,1 33,2 but
have not been able to find the problem.

many thanks

rolf.
Received on Wed May 07 2008 - 05:43:04 MDT
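As an added example (not part of this thread and not Squid's own code), the following Python model shows how Squid evaluates http_access lines: the first line whose ACLs all match decides, ACLs on one line are ANDed and stop at the first non-match, and consulting a proxy_auth ACL or a %LOGIN external ACL for a request that carries no credentials produces the 407 challenge. The ACL names mirror the post; the domain lists, the group directory standing in for the AD lookup, and the "all" ACL are constructed. It also exercises the dstdomain matching rule (a bare name matches only that exact host, a leading dot also covers subdomains) and the effect of moving the authenticated line above the unauthenticated allow, both of which are worth checking when an allow line placed first still fails to match.

```python
from dataclasses import dataclass
from typing import Optional

CHALLENGE = "407"  # stands for Squid sending a Proxy-Authenticate challenge

@dataclass
class Request:
    host: str                   # destination host of the request
    user: Optional[str] = None  # None = browser sent no Proxy-Authorization

# Constructed group directory standing in for the squid_ldap_group lookup.
GROUPS = {"GEUsers": {"alice"}}

def dstdomain_match(patterns, host):
    """Squid dstdomain semantics: 'example.org' matches only that host;
    '.example.org' matches example.org and every subdomain of it."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False

def eval_acl(acl, req):
    """True/False for a match, or CHALLENGE when the ACL needs a login
    the request did not supply."""
    kind, data = acl
    if kind == "all":
        return True
    if kind == "dstdomain":
        return dstdomain_match(data, req.host)
    if kind == "proxy_auth":
        return CHALLENGE if req.user is None else True
    if kind == "external_login_group":
        # A %LOGIN external ACL cannot be consulted without a username.
        if req.user is None:
            return CHALLENGE
        return req.user in GROUPS.get(data, set())
    raise ValueError(f"unknown acl type {kind}")

def http_access(rules, acls, req):
    """First matching line wins; a CHALLENGE escapes as soon as an
    auth-needing ACL is reached. Returns (decision, line_index)."""
    for i, (action, names) in enumerate(rules):
        matched = True
        for name in names:
            r = eval_acl(acls[name], req)
            if r == CHALLENGE:
                return CHALLENGE, i
            if not r:
                matched = False   # rest of the line is not evaluated
                break
        if matched:
            return action, i
    # Squid's default when no line matches: the opposite of the last action.
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), len(rules)

# Constructed ACLs and rule order modelled on the post.
ACLS = {
    "all": ("all", None),
    "no_auth_unrestricted": ("dstdomain", [".example.org"]),
    "authenticated_user": ("proxy_auth", "REQUIRED"),
    "ge_users": ("external_login_group", "GEUsers"),
    "ge_sites": ("dstdomain", [".intranet.example.com"]),
}
RULES = [
    ("allow", ["no_auth_unrestricted"]),
    ("allow", ["ge_users", "ge_sites", "authenticated_user"]),
    ("deny", ["all"]),
]
# Same lines with the authenticated allow moved above the open allow.
RULES_AUTH_FIRST = [RULES[1], RULES[0], RULES[2]]
# Same list file, but the entry lacks the leading dot.
ACLS_EXACT = {**ACLS, "no_auth_unrestricted": ("dstdomain", ["example.org"])}

def demo():
    """Run the representative requests and return their decisions."""
    public = Request("www.example.org")
    wiki = "wiki.intranet.example.com"
    return {
        "public_anon": http_access(RULES, ACLS, public),
        "intranet_anon": http_access(RULES, ACLS, Request(wiki)),
        "intranet_alice": http_access(RULES, ACLS, Request(wiki, "alice")),
        "intranet_bob": http_access(RULES, ACLS, Request(wiki, "bob")),
        "public_auth_first": http_access(RULES_AUTH_FIRST, ACLS, public),
        "public_exact_entry": http_access(RULES, ACLS_EXACT, public),
    }

if __name__ == "__main__":
    for name, (decision, line) in demo().items():
        print(f"{name:20s} -> {decision:5s} (http_access line {line})")
```

In the two failing cases the request never reaches a line it could match anonymously: either an auth-bearing line is evaluated first, or the open allow line silently fails because the dstdomain entry does not cover the requested host, and evaluation falls through to the line that triggers the challenge.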

This archive was generated by hypermail 2.2.0 : Tue May 13 2008 - 12:00:03 MDT