[squid-users] ext_user ACL

From: Wladner Klimach <wladner_at_gmail.com>
Date: Wed, 8 Feb 2012 16:46:04 -0200

Hello,

I'm trying to use ext_user type of ACL but for some reason it isn't
matching. Look at my cache.log message with debug_options set up:

 ACL::ChecklistMatches: result for 'restrictedDomains' is 1
2012/02/08 16:24:40.553| ACLList::matches: result is true
2012/02/08 16:24:40.553| ACLList::matches: checking restrictUsers
2012/02/08 16:24:40.553| ACL::checklistMatches: checking 'restrictUsers'
2012/02/08 16:24:40.553| ACL::ChecklistMatches: result for 'restrictUsers' is -1
2012/02/08 16:24:40.553| ACLList::matches: result is false
2012/02/08 16:24:40.553| aclmatchAclList: 0x7f491617bab8 returning false (AND list entry failed to match)

I'm using this because I need to group authenticated users in order to
create ACLs to restrict these groups. I've used proxy_auth instead of
ext_user and it worked, but I don't know if this is appropriate in
terms of performance, is it? Here is my squid.conf:

# KERBEROS - Full integration with AD
auth_param negotiate program /etc/squid/squid-3.1.16/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth -s HTTP/trotsky.redecamara.camara.gov.br
auth_param negotiate children 10
auth_param negotiate keep_alive on

# External ACLs to look up the group based on Kerberos.
external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /etc/squid/squid-3.1.16/squid_kerb_ldap/squid_kerb_ldap -S californio.redecamara.camara.gov.br -g Internet@REDECAMARA.CAMARA.GOV.BR
##################
visible_hostname trotsky.redecamara.camara.gov.br
dns_nameservers 127.0.0.1
append_domain .camara.gov.br
hierarchy_stoplist cgi-bin ?
# Recommended minimum configuration:
#
acl AUTENTICADO proxy_auth REQUIRED
acl ldap_group_check external squid_kerb_ldap
acl Maquinas_Portaria src "/etc/squid/Maquinas_Portaria.txt"
acl Horario_Portaria time MTWHF 7:00-20:00
http_access deny Maquinas_Portaria Horario_Portaria
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
http_access allow localhost
acl Horario_youtube time TWH 9:00-20:00
acl bloqueio-youtube dstdomain www.youtube.com
http_access deny bloqueio-youtube Horario_youtube
acl restrictUsers ext_user P_7501@REDECAMARA.CAMARA.GOV.BR
acl restrictedDomains url_regex -i "/etc/squid/InstantMessenger"
http_access deny restrictedDomains restrictUsers
http_access allow ldap_group_check
http_access deny all

I hope someone can help me!

regards,

Wladner
Received on Wed Feb 08 2012 - 18:46:12 MST
