Re: [squid-users] Squid ldap group authentication with Zimbra LDAP

From: Kevin Kimani <kevinkimani_at_gmail.com>
Date: Tue, 23 Feb 2010 14:09:17 +0300

The setup that I have is a collaboration between Zimbra and Samba.
The users are created as POSIX accounts and have to belong to either
Admins or Users, which are translated to Domain Admins and Domain Users
respectively. Hence I want to allow the Admins but deny the Users.

The bannedips acl is: "acl bannedips dstdomain .facebook.com"

On Tue, Feb 23, 2010 at 12:57 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> Kevin Kimani wrote:
>>
>> Oops, I had left out the deny part.
>>
>> acl ldapauth proxy_auth REQUIRED
>> acl InetAccess external InetGroup Admins
>> acl InetDeny external InetGroup Users
>>
>> http_access deny InetDeny
>> http_access deny bannedips
>> http_access allow InetAccess
>> http_access allow my_network
>>
>> When I do this, everyone is blocked from accessing the internet,
>> whether from group Admin or Users.
>
> Then I guess your "Admin" user is also a member of "Users" or is using one
> of the "bannedips".
>
> If not that then it's something else in the config which you are not showing.
>
> Amos
>
>>
>> On Tue, Feb 23, 2010 at 12:38 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>> wrote:
>>>
>>> Kevin Kimani wrote:
>>>>
>>>> Find below the configurations placed in my config file
>>>>
>>>> auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b dc=openworld,dc=co,dc=ke -f "(&(uid=%s)(objectClass=zimbraAccount))" -h 192.168.111.130
>>>> auth_param basic realm Squid proxy-caching web server
>>>> auth_param basic credentialsttl 2 hour
>>>>
>>>> external_acl_type InetGroup ttl=300 %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b dc=openworld,dc=co,dc=ke -B "uid=zimbra,cn=admins,cn=zimbra" -w ldapadmin -f "(&(uid=%u)(objectClass=zimbraAccount))" -h 192.168.111.130
>>>>
>>>> acl ldapauth proxy_auth REQUIRED
>>>> acl InetAccess external InetGroup Admins
>>>>
>>>> http_access allow InetAccess
>>>> http_access allow my_network
>>>>
>>>> For authentication of a single user it works, since it asks for
>>>> authentication, but group authentication isn't working.
>>>
>>> There is nothing in that http_access list to prevent access. Everyone who
>>> is either in an "Admin" group or "my_network" has full access.
>>>
>>> You need either:
>>>  1) if you want a whole group blocked: an additional "acl InetDenied
>>> external InetGroup ..." for the group(s).
>>>
>>> or
>>> 2) if you want individuals blocked: an "acl InetDenied proxy_user ..."
>>> listing the usernames.
>>>
>>> ... along with "http_access deny InetDenied" to prevent the selected
>>> users having web access. Probably right after the admin permit line.
>>>
>>> Amos
>>>
>>>> Regards
>>>>
>>>>
>>>> On Tue, Feb 23, 2010 at 11:29 AM, Amos Jeffries <squid3_at_treenet.co.nz>
>>>> wrote:
>>>>>
>>>>> Kevin Kimani wrote:
>>>>>>
>>>>>> Hi all,
>>>>>> I'm having a problem trying to authenticate a group that I have set up
>>>>>> in my Zimbra mail server. The users are stored in an LDAP database,
>>>>>> so I thought that authentication would just be the same as for other
>>>>>> LDAP databases. I am able to authenticate users individually but want
>>>>>> to bar some users in a particular group. The command I have is letting
>>>>>> everyone access the internet:
>>>>>> "external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b dc=xxxxxx,dc=co,dc=ke -f "(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
>>>>>> Would anyone have an idea how to go about it? I am in terrible need
>>>>>> for it to work.
>>>>>> Regards
>>>>>
>>>>> external_acl_type merely runs a lookup helper; you have additional
>>>>> "acl" lines specifying how it is used, and various http_access lines
>>>>> as well specifying how the acl lines affect people's HTTP requests.
>>>>>  We need to know all those other lines to tell what/why you have this
>>>>> problem.
>>>>>
>>>>> Amos
>>>>> --
>>>>> Please be using
>>>>>  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
>>>>>  Current Beta Squid 3.1.0.16
>>>>>
>>>
>
>
Received on Tue Feb 23 2010 - 11:09:45 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 23 2010 - 12:00:06 MST
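A worked configuration for the setup discussed above, added here by the editor and not taken from any message in the thread. Two things the posted config does not do, independently of the http_access ordering Amos points at: the squid_ldap_group filter never mentions the group name (the helper substitutes the login name for %v, with %u accepted as well, and the group name given on the acl line for %g), so a filter of the form "(&(uid=%u)(objectClass=zimbraAccount))" answers OK for every existing user whether the acl asked about Admins or Users, which is exactly the symptom of everyone being denied once "deny InetDeny" is evaluated first; and the bind DN is passed with -B, whereas squid_ldap_group takes the bind DN with -D (and -B is the base DN for the user-DN lookup used together with -F). The group branch ou=groups, the posixGroup/memberUid membership attribute (assumed from the Samba/POSIX accounts Kevin describes), the read-only bind account uid=squid-ro and the password file path are assumptions for illustration:

```conf
# Added example (editor's, not from the thread). Assumed: groups are posixGroup
# entries under ou=groups carrying memberUid, and uid=squid-ro is a read-only
# account created for Squid rather than the Zimbra admin DN.
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b dc=openworld,dc=co,dc=ke -f "(&(uid=%s)(objectClass=zimbraAccount))" -h 192.168.111.130
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour

# Group helper. %v is the login name and %g the group name from the acl line;
# the filter must test membership, not merely that the user exists.
# -D is the bind DN; -W reads its password from a file so the secret is not
# in squid.conf or in the process list (use -w only if your build lacks -W).
external_acl_type InetGroup ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b ou=groups,dc=openworld,dc=co,dc=ke -D "uid=squid-ro,ou=people,dc=openworld,dc=co,dc=ke" -W /etc/squid/ldap.pass -f "(&(objectClass=posixGroup)(cn=%g)(memberUid=%v))" -h 192.168.111.130

acl ldapauth   proxy_auth REQUIRED
acl InetAccess external InetGroup Admins
acl InetDeny   external InetGroup Users
acl bannedips  dstdomain .facebook.com

# http_access is first-match. Challenge for credentials before any group
# lookup, block the banned domains for everyone, permit Admins, then refuse
# Users (this only reaches users who are NOT also Admins) and deny the rest.
http_access deny !ldapauth
http_access deny bannedips
http_access allow InetAccess
http_access deny InetDeny
http_access deny all
```

With "deny all" last the "deny InetDeny" line is redundant and is kept only to make the intent visible; it matters if further allow lines follow it. The thread's "allow my_network" is left out: placed before "deny all" it would only admit authenticated users who are in neither group, since "deny !ldapauth" already challenges unauthenticated clients. To check the helper without Squid in the way, feed it the same "user group" lines Squid would and look for OK or ERR on stdout, e.g. printf 'kevin Admins\n' piped into /usr/lib/squid/squid_ldap_group with the options above, then the same with "kevin Users"; with the original filter both requests print OK for any existing uid, and with the first posted filter "(&(uid=%g)(objectClass=*))" both print ERR. Run "squid -k parse" after editing and confirm in access.log which http_access line matched.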