Hi all,
Hi Tobias,
I have a problem with squid-2.3.STABLE4-ldap_auth (latest 2.3.STABLE4
with group_ldap_auth and latest patches for STABLE4) and ldap_auth with
2 groups. ( Linux 2.2.16, SuSE 7.0 )
User N4671 is uniquemember of cn=www-user and not uniquemember of
cn=superuser.
squid/acl or ldap_auth checks only against group cn=superuser, which is
referenced first in squid.conf.
Is the squid.conf wrong?
One group named superuser should have access to FTP/HTTP/HTTPS. The other
group, called www-user, should only have access to HTTP/HTTPS, but not to any
.tar|.zip and so on.
Any ideas?
----squid.conf----
acl HTTPS proto HTTPS
acl HTTP proto HTTP
acl FTP proto FTP
acl password ldap_auth REQUIRED
acl superuser ldap_auth static superuser
acl www-user ldap_auth static www-user
acl mydomain dstdomain .rasselstein-hoesch.de
acl mime dstdomain mime.rasselstein-hoesch.de
acl http_mime port 1081
acl unknown_content urlpath_regex -i \.(arc|arj)$
acl unknown_content urlpath_regex -i \.(bin|exe)$
acl unknown_content urlpath_regex -i \.(tar|rar|tgz|gz)$
acl unknown_content urlpath_regex -i \.(lha|arj)$
http_access allow FTP superuser
http_access allow HTTP superuser
http_access allow HTTPS superuser
http_access deny unknown_content www-user
http_access allow HTTP www-user
http_access allow HTTPS www-user
http_access deny all
----cache.log----
2001/03/21 16:58:15| aclMatchAcl: checking 'acl FTP proto FTP'
2001/03/21 16:58:15| aclMatchAclList: returning 0
2001/03/21 16:58:15| aclCheck: checking 'http_access allow HTTP superuser'
2001/03/21 16:58:15| aclMatchAclList: checking HTTP
2001/03/21 16:58:15| aclMatchAcl: checking 'acl HTTP proto HTTP'
2001/03/21 16:58:15| aclMatchAclList: checking superuser
2001/03/21 16:58:15| aclMatchAcl: checking 'acl superuser ldap_auth static superuser
2001/03/21 16:58:15| aclDecodeProxyAuth: header = 'Basic xxx'
2001/03/21 16:58:15| aclDecodeProxyAuth: cleartext = 'n4671:xxx'
2001/03/21 16:58:15| aclMatchLdapAuth: checking user 'n4671'
2001/03/21 16:58:15| aclMatchLdapAuth: user 'n4671' not yet known
2001/03/21 16:58:15| aclMatchAclList: returning 0
2001/03/21 16:58:15| aclCheck: checking password via ldap authenticator
2001/03/21 16:58:15| aclDecodeProxyAuth: header = 'Basic xxx'
2001/03/21 16:58:15| aclDecodeProxyAuth: cleartext = 'n4671:xxx'
2001/03/21 16:58:15| aclLookupLdapAuthStart: going to ask authenticator about user
2001/03/21 16:58:15| aclLookupLdapAuthDone: result = f
2001/03/21 16:58:15| aclCheck: checking 'http_access allow HTTP superuser'
2001/03/21 16:58:15| aclMatchAclList: checking HTTP
2001/03/21 16:58:15| aclMatchAcl: checking 'acl HTTP proto HTTP'
2001/03/21 16:58:15| aclMatchAclList: checking superuser
2001/03/21 16:58:15| aclMatchAcl: checking 'acl superuser ldap_auth static superuser
2001/03/21 16:58:15| aclDecodeProxyAuth: header = 'Basic xxx'
2001/03/21 16:58:15| aclDecodeProxyAuth: cleartext = 'n4671:xxx'
2001/03/21 16:58:15| aclMatchLdapAuth: checking user 'n4671'
2001/03/21 16:58:15| aclMatchLdapAuth: authentication failed for user 'n4671' group 'NONE'
2001/03/21 16:58:15| aclMatchAclList: returning 0
2001/03/21 16:58:15| aclCheck: match found, returning 2
2001/03/21 16:58:15| aclCheckCallback: answer=2
----/tmp/group_ldap_auth.log----
received n4671 xxx 1 s #superuser#
searching for user with filter (uid=n4671)
searching for static group superuser using filter (& (cn=superuser) (| (objectclass=groupofuniquenames) (objectclass=groupofnames)))
user uid=N4671,ou=Andernach,o=RHG not found in group superuser
checkLdap returned 5
No search for www-user is done. Why?
Best Regards
--
Dirk Datzert
Rasselstein Hoesch GmbH
Informatik / Anwendungsentwicklung
D-56626 Andernach
Koblenzer Strasse 141
http://www.rasselstein-hoesch.de
Tel.: +49 (0) 2631 81-4595
Fax.: +49 (0) 2631 81-15-4595
mailto:Dirk.Datzert@rasselstein-hoesch.de
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:46 MST