Re: [squid-users] squid_ldap_group trouble

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 01 Feb 2010 22:31:18 +1300

Joseph L. Casale wrote:
> I am trying to supplement squid_kerb_auth with squid_ldap_group, from
> the cli, my external_acl_type string works fine, username and group
> pairs return expected results.
>
> Disregarding the ldap group check, the following authenticates correctly:
>
> acl auth proxy_auth REQUIRED
>
> http_access deny !auth
> http_access allow auth localnet
> http_access deny all
>
> But when I modify it as follows it breaks:
>
> external_acl_type ldapgroup %LOGIN /usr/lib64/squid/squid_ldap_group <...>
>
> acl auth proxy_auth REQUIRED
> acl acl_ldap external ldapgroup adGroup
>
> http_access deny !auth
> http_access allow auth acl_ldap localnet
> http_access deny all
>
> Anyone see what I have done wrong?
>
> Thanks,
> jlc

Perhaps the fact that Kerberos works with anonymous binary blobs? No
username in sight.

Or if not that, something in the elided section "<...>".

The bare http_access logic is fine but assumes the LDAP group helper can
handle what Kerberos uses for a username.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
   Current Beta Squid 3.1.0.15
Received on Mon Feb 01 2010 - 09:31:43 MST
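
An added example, not part of the original thread or of Squid: a diagnostic stand-in for the group helper that logs the login string Squid actually hands over via %LOGIN, so you can see whether it is in a form an LDAP group lookup can use. It assumes Squid URL-escapes each field and that a Kerberos login arrives as a principal of the form user@REALM; the names `jlc` and `EXAMPLE.COM` used to exercise it are constructed.

```python
#!/usr/bin/env python3
"""Diagnostic stand-in for an external_acl_type %LOGIN group helper.

Assumptions (not from the thread): Squid URL-escapes each field it sends,
and a Kerberos login arrives as a principal of the form user@REALM.
"""
import sys
from urllib.parse import unquote


def parse_request(line):
    """Split one helper request into (login, [groups]), URL-decoding each field."""
    fields = [unquote(f) for f in line.split()]
    if not fields:
        raise ValueError("empty request line")
    return fields[0], fields[1:]


def classify_login(login):
    """Return (form, bare_user, qualifier) for the login string Squid passed."""
    if "@" in login:                      # Kerberos principal: user@REALM
        user, realm = login.rsplit("@", 1)
        return "kerberos", user, realm
    for sep in ("\\", "/"):               # NT-style: DOMAIN\user or DOMAIN/user
        if sep in login:
            domain, user = login.split(sep, 1)
            return "ntdomain", user, domain
    return "plain", login, None


def describe(line):
    """One log line showing what a group helper would have to look up."""
    login, groups = parse_request(line)
    form, user, qualifier = classify_login(login)
    return "login=%r form=%s user=%r qualifier=%r groups=%r" % (
        login, form, user, qualifier, groups)


if __name__ == "__main__":
    # Helper loop: log every request to stderr and always answer ERR,
    # so the shim never grants access while you inspect what Squid sends.
    for request in sys.stdin:
        try:
            print(describe(request), file=sys.stderr)
        except ValueError as exc:
            print("bad request: %s" % exc, file=sys.stderr)
        print("ERR", flush=True)
```

Point the external_acl_type line at this script temporarily in place of the real helper; it denies every request, so it is safe to leave in only for the duration of the test.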
