Henrik Nordstrom wrote:
>> After that we have someone who IS in the LDAP group, is in the SURFING
>> IP range and is accessing a site that is also not in allowedsites. The
>> connection is denied and the username is not logged.
>
>
> Here the browser did not agree on logging in to the proxy and hence the
> request is denied as you require authentication (even if faked
> verification).

This could be a problem. So any program that chooses not to
authenticate, or for some reason cannot authenticate (for example, it's
not built-in) will be denied access?

If we reversed the rules like this:

    http_access allow SURFING
    http_access allow allowedsites mynetwork
    http_access allow AuthGroup mynetwork
    http_access deny all

that would force authentication for non-SURFING && non-allowedsites
requests, right? I'm just thinking of server programs that download
stuff but don't authenticate (in which case we would put them in the
SURFING acl).

Regards,
Oliver
Received on Thu Feb 10 2005 - 15:14:59 MST
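
A simplified model of how the reordered rules in the message above would be evaluated, added here as an example; it is not part of the original message and is not Squid code. It assumes Squid's documented behaviour (lines tried top to bottom, first match decides, ACLs on a line ANDed left to right, an authentication ACL with no credentials producing a 407 challenge); the ACL meanings and request fields are assumptions.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
# Assumed ACL meanings, not defined in the message: SURFING and mynetwork match
# the client address, allowedsites the destination, AuthGroup needs proxy
# credentials plus LDAP group membership.
RULES = [  # the reordered rules from the message, top to bottom
    ("allow", ["SURFING"]),
    ("allow", ["allowedsites", "mynetwork"]),
    ("allow", ["AuthGroup", "mynetwork"]),
    ("deny", ["all"]),
]
AUTH_ACLS = {"AuthGroup"}

def evaluate(req, rules=RULES):
    """Return (verdict, auth_used); verdict is ALLOW, DENY or CHALLENGE (HTTP 407)."""
    auth_used = False
    for action, acls in rules:              # first matching line decides
        for name in acls:                   # ACLs on a line are ANDed, left to right
            if name in AUTH_ACLS:
                if req["user"] is None:     # no credentials sent: ask for them
                    return "CHALLENGE", auth_used
                auth_used = True
                hit = name in req["groups"]
            else:
                hit = name == "all" or name in req["acls"]
            if not hit:
                break                       # line does not match, try the next one
        else:
            return action.upper(), auth_used
    return "DENY", auth_used

def request(acls, user=None, groups=()):
    """Build a constructed sample request (hypothetical fields)."""
    return {"acls": set(acls), "user": user, "groups": set(groups)}

# Constructed sample requests
SAMPLES = {
    "server in SURFING, no login": request(["SURFING", "mynetwork"]),
    "desktop, allowed site, no login": request(["allowedsites", "mynetwork"]),
    "desktop, other site, no login": request(["mynetwork"]),
    "desktop, other site, group member": request(["mynetwork"], "alice", ["AuthGroup"]),
    "desktop, other site, not in group": request(["mynetwork"], "bob"),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:36} -> {evaluate(req)}")
```

In this model, requests allowed by the first two lines are decided before any credentials are examined, so only requests that reach the AuthGroup line are tied to a user.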