RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 14 Sep 2009 14:20:05 +1200

On Mon, 14 Sep 2009 12:12:27 +1000, "Dion Beauglehall"
<beauglehalld_at_vermontsc.vic.edu.au> wrote:
> Hi Amos,
>
> The changes you suggested worked perfectly. Thank you. What I'm not quite
> sure of is why. I assume in this context, the "all" at the end of the line
> is not acting as a user list, but a URL list or something else?

It's an IP-based test doing a very fast catch-all. This changes the type
of ACL last seen at denial so Squid does not equate the deny with unusable
credentials and re-challenge.

Amos

>
> Regards,
> Dion
>
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Thursday, 10 September 2009 11:30 AM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Squid/LDAP re-challenges browser on http_access
> deny
>
> On Thu, 10 Sep 2009 10:55:58 +1000, "Dion Beauglehall"
> <BeauglehallD_at_vermontsc.vic.edu.au> wrote:
>> Hi,
>>
>> I’m configuring a squid proxy box with LDAP authentication, and ACLs based
>> on LDAP groups. I have the LDAP authentication working, as are groups.
>>
>> However, when I add a user to an “Access Denied” group, squid then causes
>> the browser to bring up an authentication dialog box. Most squid installs I
>> have seen bring up a squid “Cache Access Denied” screen at this point.
>> This is what I would like it to do.
>>
>> I am unsure if what I am experiencing is expected behaviour, or whether I
>> have an error in my config file.
>>
>> I am running Squid 2.7STABLE6 on a Windows 2008 server. Relevant lines
>> from squid.conf are below. Note that the LDAP works correctly, and so I
>> have not provided details. What is not acting as I expected is the
>> behaviour of Squid when it hits the “http_access deny accessdenied” line.
>> This seems to be what re-challenges the browser.
>>
>> As we are a school, we need to ensure that both the user is a valid user
>> (from the initial challenge, which collects their machine login, invisible
>> to the user), and that they have not been denied for some reason (hence the
>> denied group). The re-challenge will lead to students logging into squid
>> with their friends' account. A Cache Access Denied screen is a much better
>> alternative.
>
> Yes it was a config issue.
> Re-writing your ACLs slightly to follow that exact logic as described above
> should solve your problem.
>
>>
>> Note that once I have this working, there will be other “denied” groups to
>> deny on, prior to allowing access.
>>
>> Any suggestions or ideas are appreciated.
>>
>> Regards,
>> Dion
>>
>>
>> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ......
>> auth_param basic children 5
>> auth_param basic realm VSC
>> auth_param basic credentialsttl 5 minutes
>>
>> external_acl_type ldapgroup &LOGIN ......
>>
>> acl ldap-auth proxy_auth REQUIRED
>>
>> acl accessdenied external ldapgroup InternetAccessDeny
>> acl accessallowed external ldapgroup InternetAccess
>>
>> http_access deny accessdenied
>
> Change the above line to:
> http_access deny accessdenied all
>
> ... which will produce the "Access Denied" page instead of a challenge.
>
> Any other denied groups need to go in here one to a line with "all" at the
> end of each line.
>
>
> After all them add a new line:
> http_access deny !ldap-auth
>
> ... which will cause Squid to challenge if no credentials are given yet.
> People who have given _any_ valid credentials will not be asked twice.
> This action was being done as a side-effect of the accessdenied ACL test, but
> with the new version it needs to be done separately.
>
>
>> http_access allow accessallowed
>> http_access deny all
>
>
> Amos
>
Received on Mon Sep 14 2009 - 02:20:12 MDT
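The two rules that drive the thread above are (a) Squid first asks the browser for credentials when it reaches an ACL that needs them, and (b) when a request is finally denied, the type of the last ACL it tested decides whether the client gets the 403 "Access Denied" page or another 407 challenge. The model below is example code written for this archive page, not Squid's code or Amos's configuration: it parses the `acl`, `external_acl_type` and `http_access` lines of the two configurations discussed (with a constructed `external_acl_type` line and a placeholder helper path, since the original line is elided), evaluates them with the first-match semantics of `http_access`, and shows why appending `all` to the deny line turns the re-challenge into a plain denial. Only the ACL types used in the thread are modelled.

```python
"""Constructed model of how Squid 2.x chooses, for a denied request, between
the 403 'Cache Access Denied' page and a 407 re-challenge.  Example code for
this thread, not Squid's own implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    user: Optional[str]                # None: browser sent no credentials yet
    groups: frozenset = frozenset()    # LDAP groups of that user (constructed)


@dataclass
class Acl:
    name: str
    kind: str                          # 'src', 'proxy_auth' or 'external'
    args: list
    needs_login: bool                  # evaluating it requires credentials


def parse_config(text):
    """Read the acl / http_access / external_acl_type lines of a squid.conf."""
    ext_needs_login, acls, rules = {}, {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "external_acl_type":       # helper format uses %LOGIN?
            ext_needs_login[words[1]] = "%LOGIN" in words[2:]
        elif words[0] == "acl":
            name, kind, args = words[1], words[2], words[3:]
            needs_login = kind == "proxy_auth" or (
                kind == "external" and ext_needs_login.get(args[0], False))
            acls[name] = Acl(name, kind, args, needs_login)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))   # (allow|deny, [terms])
    return acls, rules


def acl_matches(acl, req):
    """True/False, or None when the ACL needs credentials that are absent."""
    if acl.needs_login and req.user is None:
        return None
    if acl.kind == "src":              # only 'acl all src all' is modelled
        return True
    if acl.kind == "proxy_auth":       # REQUIRED: any authenticated user
        return True
    if acl.kind == "external":         # ldapgroup <group>: group membership
        return acl.args[1] in req.groups
    raise ValueError(f"ACL type {acl.kind!r} not modelled")


def http_access(acls, rules, req):
    """Return 'allow', 'deny' (403 page) or 'challenge' (407)."""
    if not rules:                      # no http_access lines: Squid allows
        return "allow"
    last_acl, decision = None, None
    for action, terms in rules:        # first matching line wins
        rule_matches = True
        for term in terms:             # terms on one line are AND-ed
            negate = term.startswith("!")
            acl = acls[term.lstrip("!")]
            last_acl = acl
            result = acl_matches(acl, req)
            if result is None:         # auth ACL reached with no login
                return "challenge"
            if result == negate:       # this term fails: skip the line
                rule_matches = False
                break
        if rule_matches:
            decision = action
            break
    if decision is None:               # nothing matched: opposite of last line
        decision = "allow" if rules[-1][0] == "deny" else "deny"
    if decision == "allow":
        return "allow"
    # A deny whose last-tested ACL needed credentials is reported as a 407,
    # so the browser is asked again; otherwise the 403 page is sent.
    return "challenge" if last_acl.needs_login else "deny"


# Constructed configurations mirroring the thread; helper path is a placeholder.
COMMON = """\
acl all src all
external_acl_type ldapgroup %LOGIN /path/to/squid_ldap_group
acl ldap-auth proxy_auth REQUIRED
acl accessdenied external ldapgroup InternetAccessDeny
acl accessallowed external ldapgroup InternetAccess
"""
ORIGINAL = COMMON + """\
http_access deny accessdenied
http_access allow accessallowed
http_access deny all
"""
FIXED = COMMON + """\
http_access deny accessdenied all
http_access deny !ldap-auth
http_access allow accessallowed
http_access deny all
"""


def decide(config, req):
    return http_access(*parse_config(config), req)
```

Running `decide(ORIGINAL, Request("student", frozenset({"InternetAccessDeny"})))` returns `"challenge"`, because the denying line ends on the credential-based `accessdenied` ACL; the same request against `FIXED` returns `"deny"`, because `all` is now the last ACL tested. A request with no credentials is challenged by either configuration, and an authenticated user in neither group falls through to `deny all` and gets the 403 page.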

This archive was generated by hypermail 2.2.0 : Mon Sep 14 2009 - 12:00:04 MDT