Re: [squid-users] squid3 two ldap groups

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 11 Jun 2013 17:08:51 +1200

On 11/06/2013 2:49 a.m., osmany_at_eti.biocubafarma.cu wrote:
> Hi,
>
> I've successfully made squid authenticate against an AD environment
> but now I would like to use access groups I've defined in the AD
> itself. I have a group called Internet and another called somesites.
> Internet group would have full internet access as its name suggests
> and somesites group would have access to a limited number of sites.
> This is what I have so far in my squid.conf
>
> external_acl_type Group ttl=1 %LOGIN /usr/lib/squid3/squid_ldap_group
> -d -R -K -b dc=domain,dc=com -D squid_at_domain.com -W
> /etc/squid3/ldappass -f
> (&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=Users,dc=domain,dc=com))
> -h dc1.domain.com
>
> acl password proxy_auth REQUIRED
> acl GroupInternet external Group internet
> acl Groupsomesites external Group somesites
> acl sites dstdomain /etc/squid3/sitesfile
>
> http_access allow sites password Groupsomesites
> http_access allow password GroupInternet
>
> http_access deny all
>
> So far what I've achieved was that squid asks for the first group but
> it does not ask for the second group. At least that's what the cache
> log tells me when I put it in debug level 9.
>
> It asks for "user somesites" when it validates the first http_access
> but when it goes to the second http_access it doesn't ask for "user
> internet", it's like it doesn't know what to do with it.
>
> The version of squid is 3.1.19 by the way.
>
> Please help me with this. I am stuck.

Can you upgrade? The code relating to this has undergone significant
changes since your version.

Not getting a query at all to the helper does look like a bug. The first
step is to test the latest release to ensure it has not already been
resolved in the year or so since your release was published. Any patches
which you receive from the development team will be built on the current
supported version (which is 3.3.5 today).

Amos
Received on Tue Jun 11 2013 - 07:37:38 MDT
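
Added example (not part of the original thread and not Squid source code): a small Python model of how the http_access rules quoted above are expected to reach the group helper, so the helper queries seen in a debug log can be compared against it. It assumes top-down rule evaluation with left-to-right, short-circuit AND of the ACLs on each line; the user names, the site list and the group memberships are constructed, dstdomain matching is reduced to exact match, and result caching (ttl=1) is ignored.

```python
# Simplified model of http_access evaluation for the quoted squid.conf.
# Assumption-level sketch, not Squid code: rules are tried top-down, the ACLs
# on a rule are ANDed left to right, and a rule stops at the first ACL that fails.

SITES = {"example.org"}              # constructed stand-in for /etc/squid3/sitesfile
MEMBERS = {"internet": {"alice"},    # constructed AD group membership
           "somesites": {"bob"}}

def make_helper(log):
    """Stand-in for squid_ldap_group: receives '%LOGIN group', answers OK or ERR."""
    def helper(user, group):
        log.append(f"{user} {group}")    # the request line the real helper would read
        return "OK" if user in MEMBERS.get(group, set()) else "ERR"
    return helper

def evaluate(user, dst, helper):
    """Return 'allow' or 'deny' for an authenticated user requesting dst."""
    acls = {
        "password":       lambda: user is not None,                  # proxy_auth REQUIRED
        "sites":          lambda: dst in SITES,                      # dstdomain (exact match only)
        "GroupInternet":  lambda: helper(user, "internet") == "OK",
        "Groupsomesites": lambda: helper(user, "somesites") == "OK",
    }
    rules = [
        ("allow", ["sites", "password", "Groupsomesites"]),
        ("allow", ["password", "GroupInternet"]),
        ("deny",  []),                                               # http_access deny all
    ]
    for action, names in rules:
        # all() over a generator stops at the first failing ACL, so later ACLs
        # on the same rule never reach the helper.
        if all(acls[name]() for name in names):
            return action
    return "deny"

def trace(user, dst):
    """Evaluate one request and return (decision, helper request lines in order)."""
    log = []
    return evaluate(user, dst, make_helper(log)), log

if __name__ == "__main__":
    for user, dst in [("alice", "example.org"), ("alice", "other.net"),
                      ("bob", "example.org"), ("bob", "other.net")]:
        print(user, dst, *trace(user, dst))
```
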
