On Fri, 18 Mar 2005, Rolf wrote:
> Firstly what happens if I put
> http_access allow group1
> before the the proxy auth request?
> Does it break if the credentials are not already available (cached from some
> previous time) to pass to the helper, or what?
No. both proxy_auth acls and external acls using an external_acl_type with
%LOGIN requests authentication if the user is not yet authenticated. Any
kind of acl looking at the login name will trigger authentication if the
user is not already authenticated.
> Secondly, what is the behaviour with multiple acls that refer to different
> groups? for eg
>
> acl group1 external ... blah blah group reference
> acl group2 external ...blah blah another group reference
> acl group3 external ...blah yet another group
It works.
But the syntax is
external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group options_for_dn etc...
acl group1 external ldap_group group name(s)
> http_access allow authenticated_user group1
> http_access allow authenticated_user group2
> http_access allow authenticated_user group3
This works, but as mentioned above the authenticated_user acl is
redundant. In addition these can all be joined as a single acl matching
all three groups if you prefer.
acl full_access_groups external ldap_group GroupName1 GroupName2 GroupName3
http_access allow full_access_groups
> Does that force the proxy auth request to be resent each time?
Authentication requests is sent automatically by Squid when needed when
you use a acls requiring authentication.
Regards
Henrik
Received on Fri Mar 18 2005 - 01:59:20 MST
This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST