On tis, 2007-11-13 at 10:31 +0100, Angel Mieres wrote:
> Ok. Is there anyway to solve this?, I remove proxy_auth directive and Im
> trying to solve this with:
>
> ...
> external_acl_type ldap_group ttl=0 children=5 %
> LOGIN /usr/local/squid/lib/wbinfo_group.pl
> ...
The %LOGIN there is more or less equivalent to a proxy_auth acl.
Authentication and authorization is two separate things.
authentication is triggered when authorization needs a login name to
verify the users access level. Or in other words when http_access
encounters a username based acl (proxy_auth, proxy_auth_regex, external
acl with %LOGIN)
> When squid detects an username check the AD group and deny or allow
> access. But when I try to access from linux (for example) ask me again
> for an user and a password. When I open the browser an entry in
> access.log show me this(before ask me for enter user & pass):
> 1194944246.564 2 X.X.X.X TCP_DENIED/407 3969 GET
> http://www.google.com/ - NONE/- text/html
Yes. As I said it's the browser who tracks the user session. Squid knows
nothing about it. All Squid knows is that your http_access rules
requires a valid login to proceed so it asks for one. If the user is
logged in the browser then returns the logged in user via NTLM, if not
the browser prompts for a login..
What you can do is to have an acl of stations from where login is not
required. Another alternative is to use ident to automate user
identification from Linux stations.
> Is anyway put on this "nobody" user on an acl and deny the 2nd request?
There is no "nobody" user. Just a "please tell me who you are" question
from the proxy. This takes place in both cases.
Regards
Henrik
This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:02 MST