[squid-users] Squid/LDAP re-challenges browser on http_access deny

From: Dion Beauglehall <BeauglehallD_at_vermontsc.vic.edu.au>
Date: Thu, 10 Sep 2009 10:55:58 +1000

Hi,

I’m configuring a squid proxy box with LDAP authentication, and ACLs based on LDAP groups. I have the LDAP authentication working, as are groups.

However, when I add a user to an “Access Denied” group, squid then causes the browser to bring up an authentication dialog box. Most squid installs I have seen bring up a squid “Cache Access Denied” screen at this point. This is what I would like it to do.

I am unsure if what I am experiencing is expected behaviour, or whether I have an error in my config file.

I am running Squid 2.7STABLE6 on a Windows 2008 server. Relevant lines from squid.conf are below. Note that the LDAP works correctly, and so I have not provided details. What is not acting as I expected is the behaviour of Squid when it hits the “http_access deny accessdenied” line. This seems to be what re-challenges the browser.

As we are a school, we need to ensure that both the user is a valid user (from the initial challenge, which collects their machine login, invisible to the user), and that they have not been denied for some reason (hence the denied group). The re-challenge will lead to students logging into squid with their friends' accounts. A Cache Access Denied screen is a much better alternative.

Note that once I have this working, there will be other “denied” groups to deny on, prior to allowing access.

Any suggestions or ideas are appreciated.

Regards,
Dion

auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ......
auth_param basic children 5
auth_param basic realm VSC
auth_param basic credentialsttl 5 minutes

external_acl_type ldapgroup %LOGIN ......

acl ldap-auth proxy_auth REQUIRED

acl accessdenied external ldapgroup InternetAccessDeny
acl accessallowed external ldapgroup InternetAccess

http_access deny accessdenied
http_access allow accessallowed
http_access deny all
Received on Thu Sep 10 2009 - 00:56:06 MDT
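
Added example, not part of the original post and not Squid project code: Squid documents that a request denied by an `http_access deny` line is answered with a fresh authentication challenge when the last ACL on that line is authentication-related (`proxy_auth`, or an `external` ACL whose helper format uses `%LOGIN`). The check below flags such lines in a constructed copy of the posted rules. The helper path is a placeholder, and the `%LOGIN` token and the function names are assumptions.

```python
# Squid ACL types that always require user credentials.
AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}

# Constructed sample: the posted rules with the elided "......" parts replaced
# by a placeholder helper path; "%LOGIN" as the format token is an assumption.
SAMPLE_CONF = """\
external_acl_type ldapgroup %LOGIN /path/to/group-helper
acl ldap-auth proxy_auth REQUIRED
acl accessdenied external ldapgroup InternetAccessDeny
acl accessallowed external ldapgroup InternetAccess
http_access deny accessdenied
http_access allow accessallowed
http_access deny all
"""

def _tokens(line):
    """Split one config line into words, ignoring trailing comments."""
    return line.split("#", 1)[0].split()

def auth_acls(conf):
    """Return the names of ACLs whose evaluation needs user credentials."""
    login_helpers, names = set(), set()
    for line in conf.splitlines():
        tok = _tokens(line)
        if len(tok) < 3:
            continue
        if tok[0] == "external_acl_type" and any("%LOGIN" in t for t in tok[2:]):
            login_helpers.add(tok[1])
        elif tok[0] == "acl":
            via_helper = (tok[2] == "external" and len(tok) > 3
                          and tok[3] in login_helpers)
            if tok[2] in AUTH_ACL_TYPES or via_helper:
                names.add(tok[1])
    return names

def rechallenging_denies(conf):
    """List (line_no, rule) for deny rules whose last ACL is auth-related."""
    auth = auth_acls(conf)
    hits = []
    for no, line in enumerate(conf.splitlines(), 1):
        tok = _tokens(line)
        if (len(tok) >= 3 and tok[:2] == ["http_access", "deny"]
                and tok[-1].lstrip("!") in auth):
            hits.append((no, " ".join(tok)))
    return hits

if __name__ == "__main__":
    for no, rule in rechallenging_denies(SAMPLE_CONF):
        print(f"line {no}: '{rule}' ends in an auth ACL; denial re-challenges")
```

Putting a non-authentication ACL last on the line, for example `http_access deny accessdenied all`, clears the finding, and Squid then returns its access-denied page instead of a new login prompt.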
