Re: [squid-users] Squid_ldap_group

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 28 Oct 2002 12:41:56 +0100

See your http_access rules. You are explicitly allowing all users access
before where you check group memberships..

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow authenticate
http_access allow ldap_test
http_access deny all

http_access is a ordered list of rules. The first one that matches the request
will be used. Since you have "http_access allow authenticate", where
authenticate is a acl matching all logged in users all your users will be
given access by this rule.

From what I can tell you do not at all want the "http_access allow
authenticate" or the authenticate acl at all.. the user ACL which does the
job in your configuration is ldap_test.

Regards
Henrik

You wrote:
> Hello Henrick,
>
> I followed the instructions given below in this message. While there is no
> error logged by squid_ldap_group; ALL users, irrespective of the group they
> belong to are able to browse.
>
> My LDAP structure is like this
>
> O=Southern Railway
>
> |__ou = S&T,O=Southern Railway
> |
> | |____cn=Dycsteofc,O=Southern Railway
> | |____cn=Dycstemis,O=Southern Railway
> |
> |__groupofnames=browsers,O=Southern Railway # ALLOW members of this group
>
> only
>
> | |___member=cn=dycsteofc,O=Southern Railway
> |
> |__groupofnames=notbrowsers,O=Southern Railway # Deny members of this group
> |
> |___member=cn=dycstemis,O=Southern Railway
>
> I have attached my squid.conf to this message. Where am I going wrong ?
> Please help.
>
> Regards,
> Michael Fuller
>
> ----- Original Message -----
> From: "Henrik Nordstrom" <hno@marasystems.com>
> To: "Jack" <sa_jill@yahoo.co.uk>
> Cc: "Squid Users" <squid-users@squid-cache.org>
> Sent: Thursday, October 24, 2002 9:53 PM
> Subject: Re: [squid-users] Squid_ldap_group
>
> > Sorry, the acl line should obviously read
> >
> > acl ou_testing external ldapou Testing
> >
> > Regards
> > Henrik
> >
> > Jack wrote:
> > > Hello Henrik,
> > >
> > > While i run squid after changing squid configuration according to your
> > > guide i got following error:
> > >
> > > 2002/10/24 19:08:41| squid.conf line 1287: acl ou_testing ldapou
> > > Testing 2002/10/24 19:08:41| aclParseAclLine: Invalid ACL type 'ldapou'
> > > 2002/10/24 19:08:41| squid.conf line 1766: http_access allow ldapou
> > > 2002/10/24 19:08:41| aclParseAccessLine: ACL name 'ldapou' not found.
> > > 2002/10/24 19:08:41| squid.conf line 1766: http_access allow ldapou
> > > 2002/10/24 19:08:41| aclParseAccessLine: Access line contains no ACL's,
> > > skipping
> > >
> > > I Compiled squid with following configuration option:
> > > ./configure --prefix=/usr/local/squid25S1 --enable-snmp --enable-ssl
> > > --enab le-external-acl-helpers="ldap_group"
> > >
> > > How to set acl for ldap_group
> > >
> > > Thanks,
> > > Jack
> > >
> > > > The -f argument to suqid_ldap_group needs to contain special codes
> > > > referring to the login or group names. The correct external_acl_type
> > > > line reads:
> > > >
> > > > external_acl_type ldapou %LOGIN
> > > > /usr/local/squid/libexec/squid_ldap_group -b "dc=xxx,dc=com" -f
> > > > "(&(uid=%v)(ou=%a))" -h localhost
> > > >
> > > > acl ou_testing ldapou Testing
> > > >
> > > > These magic codes is documented in the squid_ldap_group documentation
> > > > shipped with Squid.
> > > >
> > > > Regards
> > > > Henrik Nordström
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Everything you'll ever need on one web page
> > > from News and Sport to Email and Music Charts
> > > http://uk.my.yahoo.com
Received on Mon Oct 28 2002 - 04:42:02 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:55 MST