Re: [squid-users] Using LDAP authentication only on one cache_peer in Squid 3 STABLE 16

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 24 Nov 2009 20:59:15 +1300

Eric Van Steenbergen wrote:
> Hello all,
>
> I'm trying to configure Squid to ask for authentication using LDAP but
> ONLY on one cache_peer. Before I had it activated on all servers and
> it worked perfectly. All the other webservers however have their own
> authentication except this wiki.
>
> This is what I have in my squid.conf in regards to this particular site.
> Code:
>
> cache_peer 172.25.XXX.XXX parent 80 0 no-query originserver name=wiki
>
> acl site_wiki dstdomain wiki.tradisa.com
> cache_peer_access wiki allow site_wiki
> auth_param basic program /lib/squid3/squid_ldap_auth -R -b
> "dc=domain,dc=es" -D "cn=squid,cn=Users,dc=domain,dc=es" -w "ldapuser"
> -f sAMAccountName=%s -h 172.25.XXX.XXX
>
> auth_param basic children 1
> auth_param basic credentialsttl 5 minutes
> cache_peer_access wiki deny all
> acl wiki_users proxy_auth REQUIRED
> cache_peer_access wiki allow wiki_users

Taking the above config and erasing unused lines we end up with:

   cache_peer 172.25.XXX.XXX parent 80 0 no-query originserver name=wiki

   acl site_wiki dstdomain wiki.tradisa.com

   cache_peer_access wiki allow site_wiki
   cache_peer_access wiki deny all

>
>
> http_access allow wiki_users
>
> http_access deny all
>
> however I go straight to the website without it asking for
> authentication. If I put in the http_access rules as at the end of the
> 'code' part then authentication gets asked for all the sites. How
> would I go about just configuring this one server so that it asks for
> authentication?

You are missing all sorts of important config lines, such as whether or
not any other peers of this proxy are accepting site_wiki traffic.

>
> LDAP authentication is working perfectly, it's just an error in my
> definition as stated above. I'm missing something but I cannot see it.
> Of course IPs and names have been changed before posting.
>
> All help is greatly appreciated.

http://wiki.squid-cache.org/SquidFaq/SquidAcl

cache_peer_access is a 'fast' group ACL. It cannot kick off and wait for
authentication.
   http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs

Authentication needs to happen in the http_access instead.

   cache_peer 172.25.XXX.XXX parent 80 0 no-query originserver name=wiki

   cache_peer_access wiki allow site_wiki
   cache_peer_access wiki deny all

   http_access allow site_wiki wiki_users

To safely operate your Squid you _really_ need to know how that works
and why:
   http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.15
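For readers following the thread, here is the complete minimal ordering of the directives Amos describes, as an added example: it is not Amos's text nor a configuration shipped by the Squid project. The domain, helper path and LDAP options are taken from the thread as posted; the IP addresses, bind DN and bind password are placeholders you must replace.

```squid
# Added example (not from the original thread): one consistent squid.conf
# fragment that puts authentication in http_access and keeps only 'fast'
# ACLs in cache_peer_access. 172.25.XXX.XXX, the bind DN and
# BIND_PASSWORD_PLACEHOLDER are placeholders, not real values.

# 1. Basic authentication helper, as in the thread. Note that the bind
#    password sits in clear text in this file, so squid.conf must not be
#    world-readable.
auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=es" -D "cn=squid,cn=Users,dc=domain,dc=es" -w "BIND_PASSWORD_PLACEHOLDER" -f sAMAccountName=%s -h 172.25.XXX.XXX
auth_param basic children 1
auth_param basic credentialsttl 5 minutes

# 2. ACL definitions. Every ACL is defined before the first rule that uses it.
acl site_wiki  dstdomain  wiki.tradisa.com
acl wiki_users proxy_auth REQUIRED    # 'slow' ACL: may block waiting on the helper

# 3. http_access is the only place a slow ACL such as proxy_auth may run.
#    Rules are tried top to bottom and the first matching rule wins, so the
#    wiki rule sits before the final deny. Both ACLs on the line must match:
#    a wiki request with no credentials fails on wiki_users and receives the
#    authentication challenge; requests for any other site never hit the
#    proxy_auth ACL and are handled by the remaining rules.
http_access allow site_wiki wiki_users
http_access deny all

# 4. Peer selection uses only the destination check. Authentication was
#    already enforced in http_access, so no proxy_auth ACL appears here.
cache_peer 172.25.XXX.XXX parent 80 0 no-query originserver name=wiki
cache_peer_access wiki allow site_wiki
cache_peer_access wiki deny all
```

Because `http_access deny all` is the last rule, traffic to the other web servers in the original question is blocked by this fragment; their own `http_access allow` lines belong between the wiki rule and the final deny, each with whatever fast ACLs identify them. After editing, run `squid -k parse` to check the file for syntax errors before reloading.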
Received on Tue Nov 24 2009 - 08:06:11 MST

This archive was generated by hypermail 2.2.0 : Tue Nov 24 2009 - 12:00:04 MST