On Monday 04 August 2003 08.19, Vladimir Yakovlev wrote:
> I have a Windows-based net and 99% of users
> authenticate using ntlm auth method of squid (squid 2.5STABLE3,
> samba 2.2.8a), but 1% are not domain members and can't
> authenticate. Previously I used ip addresses for acls and
> everything worked fine, but with ntlm auth I found out that
> even acls like acl user src ip.add.res.s/32 and http_access allow
> user don't work: user receives a window asking him to provide his
> credits.
It does work fine. The key to this is to order and filter the
http_access rules correctly.
Squid does not make any difference between the different
authentication schemes, it always asks for authentication when
reaching the first authentication related acl in http_access, not
before, not after. http_access rules are read top-down left-right,
stopping at the first rule which fully matches the request. An
http_access line is skipped as soon as any of the listed acl elements
evaluates to false (the remaining acl elements of the same http_access
line are not looked at).
Can be illustrated as
http_access allow/deny acl1 AND acl2 AND acl3 ....
OR
http_access allow/deny acl4 AND acl5 AND acl6 ...
OR
...
(AND/OR is not part of the squid.conf syntax, just illustrating the
logic).
Regards
Henrik
--
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com

Received on Mon Aug 04 2003 - 02:00:29 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:18:34 MST
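
Added example, not part of the original message and not Squid's own code: a small Python model of the http_access evaluation order described in the reply, showing why the position of the src acl relative to the authentication acl decides whether a non-domain host gets a login prompt. The address 192.0.2.10 and the acl name "domain_users" are constructed placeholders, and any supplied username is assumed to have been accepted by the auth helper.

```python
import ipaddress

# Constructed acl definitions. "user" is the src acl from the question;
# "domain_users" is a hypothetical name standing for a proxy_auth acl.
ACLS = {
    "user": ("src", ipaddress.ip_network("192.0.2.10/32")),
    "domain_users": ("proxy_auth", None),
    "all": ("src", ipaddress.ip_network("0.0.0.0/0")),
}

# Auth acl first: every client reaches it, so every client is challenged.
BROKEN = [("allow", ["domain_users"]), ("allow", ["user"]), ("deny", ["all"])]
# src acl first: the listed host matches and evaluation stops before auth.
FIXED = [("allow", ["user"]), ("allow", ["domain_users"]), ("deny", ["all"])]
# Both on one line (AND): the auth acl is only reached if "user" matched.
COMBINED = [("allow", ["user", "domain_users"]), ("deny", ["all"])]


def evaluate(rules, client_ip, auth_user=None):
    """Return 'allow', 'deny' or 'challenge' (HTTP 407) for one request."""
    ip = ipaddress.ip_address(client_ip)
    for action, acl_names in rules:          # lines are read top-down
        for name in acl_names:               # acls on a line left-right
            kind, net = ACLS[name]
            if kind == "proxy_auth":
                if auth_user is None:
                    # First auth-related acl reached without credentials.
                    return "challenge"
                matched = True               # assumption: helper accepted user
            else:
                matched = ip in net
            if not matched:
                break                        # rest of this line is skipped
        else:
            return action                    # first fully matching line wins
    return "deny"  # not reached here: every rule set above ends in "deny all"


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, evaluate(rules, "192.0.2.10"))
```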