Re: [squid-users] proxy_auth and external helpers behaviour with http_access

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 18 Mar 2005 09:59:13 +0100 (CET)

On Fri, 18 Mar 2005, Rolf wrote:

> Firstly what happens if I put
> http_access allow group1
> before the the proxy auth request?
> Does it break if the credentials are not already available (cached from some
> previous time) to pass to the helper, or what?

No. both proxy_auth acls and external acls using an external_acl_type with
%LOGIN requests authentication if the user is not yet authenticated. Any
kind of acl looking at the login name will trigger authentication if the
user is not already authenticated.

> Secondly, what is the behaviour with multiple acls that refer to different
> groups? for eg
>
> acl group1 external ... blah blah group reference
> acl group2 external ...blah blah another group reference
> acl group3 external ...blah yet another group

It works.

But the syntax is

external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group options_for_dn etc...

acl group1 external ldap_group group name(s)

> http_access allow authenticated_user group1
> http_access allow authenticated_user group2
> http_access allow authenticated_user group3

This works, but as mentioned above the authenticated_user acl is
redundant. In addition these can all be joined as a single acl matching
all three groups if you prefer.

acl full_access_groups external ldap_group GroupName1 GroupName2 GroupName3
http_access allow full_access_groups

> Does that force the proxy auth request to be resent each time?

Authentication requests is sent automatically by Squid when needed when
you use a acls requiring authentication.

Regards
Henrik
Received on Fri Mar 18 2005 - 01:59:20 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST