Re: [squid-users] deny access with squid_ldap_group

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 16 Sep 2009 22:26:16 +1200

vincent.blondel_at_ing.be wrote:
> Hello,
>
> I am trying to block Internet access for people who are members of one specific
> AD Security group called GSIFBENoInternetAccess, but I get some issues
> with it.
>
> When I try the squid_ldap_group process from the shell, the mechanism is
> working well. My service account correctly requests our Active Directory
> and gives the right response, ERR/OK.
>
> When I try this mechanism from the squid process, allow/deny is working well,
> but before being blocked by squid_ldap_group I also receive an
> authentication popup box. I simply press CANCEL and receive the
> personalized error page.
>
>
> I have read on the net that this may come from multiple authentication, but I
> do not see this in my case; if this is the case, thanks for explaining to me
> what's wrong with this. Is this coming from the line with ntlmauth
> just afterwards, and how is it possible to make this work
> without the authentication box?

Yes, it is.

>
> # my config
>
> ...
> auth_param ntlm program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 32
> auth_param ntlm keep_alive on
> acl ntlmauth proxy_auth REQUIRED
> ...
> external_acl_type gg_nointernet ttl=3600 children=8 %LOGIN
> /usr/local/bin/squid_ldap_group ... -p 389 -P -t 2 -c 3 -R -S +
> acl GSIFBENoInternetAccess external gg_nointernet GSIFBENoInternetAccess
> ...

Replace this:

> http_access deny GSIFBENoInternetAccess
> deny_info ERR_LDAP GSIFBENoInternetAccess

with this:

   # maybe needed to force credentials to be present
   #
   http_access deny !ntlmauth

   # do the group checking and custom denial page
   # without another auth popup.
   #
   acl ldapErrPage src all
   deny_info ERR_LDAP ldapErrPage
   http_access deny GSIFBENoInternetAccess ldapErrPage

> http_access allow ntlmauth
> http_reply_access allow all
> http_access deny all
>
>
> Many thanks for helping me.
> Vincent.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
   Current Beta Squid 3.1.0.13
Received on Wed Sep 16 2009 - 10:26:28 MDT
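As an added illustration (not from this thread and not Squid's own code), the following Python model of Squid's http_access decision shows why the original `deny GSIFBENoInternetAccess` line ends in an authentication popup while the replacement ends in the ERR_LDAP page. The ACL and page names are the thread's; the group membership set and the simplified decision rules in the comments are assumptions.

```python
# Simplified model of how Squid 2.7/3.0 chooses between a 403 denial page and
# a 407 re-challenge. Modelled rules (assumptions, simplified from Squid):
#  * evaluating a login-bearing ACL (proxy_auth, or an external acl fed %LOGIN)
#    on a request without credentials ends the check with a 407 challenge;
#  * a matching deny line whose LAST acl is login-bearing also yields 407,
#    since Squid assumes different credentials might be allowed;
#  * otherwise deny gives 403 with the deny_info page of that last acl.

NOINTERNET = {"alice"}   # constructed: members of GSIFBENoInternetAccess


class Acl:
    def __init__(self, name, needs_login, match):
        self.name, self.needs_login, self.match = name, needs_login, match


ACLS = {a.name: a for a in [
    Acl("ntlmauth", True, lambda user: user is not None),                  # proxy_auth REQUIRED
    Acl("GSIFBENoInternetAccess", True, lambda user: user in NOINTERNET),  # external, %LOGIN
    Acl("ldapErrPage", False, lambda user: True),                          # src all
    Acl("all", False, lambda user: True),                                  # src all
]}

ORIGINAL = [("deny", ["GSIFBENoInternetAccess"]),
            ("allow", ["ntlmauth"]),
            ("deny", ["all"])]
FIXED = [("deny", ["!ntlmauth"]),
         ("deny", ["GSIFBENoInternetAccess", "ldapErrPage"]),
         ("allow", ["ntlmauth"]),
         ("deny", ["all"])]
DENY_INFO = {"ldapErrPage": "ERR_LDAP"}


def http_access(rules, user, deny_info=DENY_INFO):
    """Return (status, error_page) for a request by `user` (None = no credentials)."""
    for action, names in rules:
        last, matched = None, True
        for name in names:
            negate = name.startswith("!")
            last = ACLS[name.lstrip("!")]
            if last.needs_login and user is None:
                return 407, "ERR_CACHE_ACCESS_DENIED"   # browser shows the auth popup
            if last.match(user) == negate:              # acl (after '!') did not match
                matched = False
                break
        if not matched:
            continue
        if action == "allow":
            return 200, None
        if last.needs_login:                            # last acl on the deny line is auth-related
            return 407, "ERR_CACHE_ACCESS_DENIED"
        return 403, deny_info.get(last.name, "ERR_ACCESS_DENIED")
    return 403, "ERR_ACCESS_DENIED"   # simplification: no line matched


if __name__ == "__main__":
    for user in (None, "alice", "bob"):
        print(user, "original:", http_access(ORIGINAL, user), "fixed:", http_access(FIXED, user))
```

For the group member "alice" the original rules return a 407 (the popup Vincent sees), while the fixed rules return 403 with ERR_LDAP; a user outside the group is allowed by both, and a request without credentials is challenged by both.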
