Kevin Kimani wrote:
> oops had left out the deny part
>
> acl ldapauth proxy_auth REQUIRED
> acl InetAccess external InetGroup Admins
> acl InetDeny external InetGroup Users
>
> http_access deny InetDeny
> http_access deny bannedips
> http_access allow InetAccess
> http_access allow my_network
>
> When I do this, all are blocked from accessing the internet either
> from group Admin or users.
Then I guess your "Admin" users is also a member of "Users" or is using
one of the "bannedips".
If not that then it's something else in the config which you are not showing.
Amos
>
> On Tue, Feb 23, 2010 at 12:38 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> Kevin Kimani wrote:
>>> Find below the configurations placed in my config file
>>>
>>> auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b
>>> dc=openworld,dc=co,dc=ke -f "(&(uid=%s)(objectClass=zimbraAccount))"
>>> -h 192.168.111.130
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hour
>>>
>>> external_acl_type InetGroup ttl=300 %LOGIN
>>> /usr/lib/squid/squid_ldap_group -v 3 -b dc=openworld,dc=co,dc=ke -B
>>> "uid=zimbra,cn=admins,cn=zimbra" -w ldapadmin -f
>>> "(&(uid=%u)(objectClass=zimbraAccount))" -h 192.168.111.130
>>>
>>> acl ldapauth proxy_auth REQUIRED
>>> acl InetAccess external InetGroup Admins
>>>
>>> http_access allow InetAccess
>>> http_access allow my_network
>>>
>>> For authentication of a single user it works since it asks for
>>> authentication but group authentication it ain't.
>> There is nothing in that http_access list to prevent access. Everyone who is
>> either an "Admin" group or "my_network" has full access.
>>
>> You need either:
>> 1) if you want a whole group blocked: an additional "acl InetDenied external
>> InetGroup ..." for the group(s).
>>
>> or
>> 2) if you want individuals blocked: an "acl InetDenied proxy_user ..."
>> listing the usernames.
>>
>> ... along with "http_access deny IdentDenied" to prevent the selected users
>> having web access. Probably right after the admin permit line.
>>
>> Amos
>>
>>> Regards
>>>
>>>
>>> On Tue, Feb 23, 2010 at 11:29 AM, Amos Jeffries <squid3_at_treenet.co.nz>
>>> wrote:
>>>> Kevin Kimani wrote:
>>>>> Hi all,
>>>>> Am having a problem trying to authenticate a group that i have set up
>>>>> in my zimbra mail server. the users are stored in an ldap database
>>>>> thus thought that authentication would just be the same as other ldap
>>>>> databases. am able to authenticate users in singular but want to bar
>>>>> some users in a particular group. the command i have is letting
>>>>> everyone access the internet. "external_acl_type InetGroup %LOGIN
>>>>> /usr/lib/squid/squid_ldap_group -v 3 -b dc=xxxxxx,dc=co,dc=ke -f
>>>>> "(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
>>>>> would anyone have an idea how to go about it? am in terrible need for it
>>>>> to work.
>>>>> Regards
>>>> external_acl_type merely runs a lookup helper, you have additional "acl"
>>>> lines specifying how its used and various http_access lines as well
>>>> specifying how the acl lines affect peoples HTTP requests.
>>>> We need to know all those other lines to tell what/why you have this
>>>> problem.
>>>>
>>>> Amos
>>>> --
>>>> Please be using
>>>> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
>>>> Current Beta Squid 3.1.0.16
>>>>
>>
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
Current Beta Squid 3.1.0.16

Received on Tue Feb 23 2010 - 09:57:57 MST
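
Added example, not part of the original thread and not Squid code: a small Python model of Squid's first-match http_access evaluation, run over the rule order posted above and over an order with the deny lines placed right after the admin permit line. Group memberships, client addresses, the bannedips list and the my_network range are constructed assumptions, and every user is assumed to have already authenticated.

```python
import ipaddress

# Constructed sample data: the thread does not show group membership,
# the bannedips list or the my_network definition.
GROUPS = {"alice": {"Admins", "Users"}, "bob": {"Users"}, "carol": {"Admins"}}
BANNED_IPS = {"192.168.111.50"}
MY_NETWORK = ipaddress.ip_network("192.168.111.0/24")

# Each ACL is a predicate over a request (user assumed already authenticated).
ACLS = {
    "InetAccess": lambda r: "Admins" in GROUPS.get(r["user"], set()),
    "InetDeny": lambda r: "Users" in GROUPS.get(r["user"], set()),
    "bannedips": lambda r: r["ip"] in BANNED_IPS,
    "my_network": lambda r: ipaddress.ip_address(r["ip"]) in MY_NETWORK,
}

# http_access order as posted in the thread.
AS_POSTED = [("deny", ["InetDeny"]), ("deny", ["bannedips"]),
             ("allow", ["InetAccess"]), ("allow", ["my_network"])]
# Deny lines moved to just after the admin permit line.
ADMIN_FIRST = [("allow", ["InetAccess"]), ("deny", ["InetDeny"]),
               ("deny", ["bannedips"]), ("allow", ["my_network"])]


def evaluate(rules, request):
    """First http_access line whose ACLs all match decides the request."""
    for action, names in rules:
        if all(ACLS[name](request) for name in names):
            return action
    if not rules:
        return "deny"  # no http_access lines at all: Squid denies
    # Nothing matched: the default is the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"


def decisions(rules, requests):
    """Map each constructed request label to its allow/deny outcome."""
    return {label: evaluate(rules, req) for label, req in requests.items()}


REQUESTS = {  # constructed requests
    "alice (Admins+Users)": {"user": "alice", "ip": "192.168.111.10"},
    "bob (Users)": {"user": "bob", "ip": "192.168.111.11"},
    "carol (Admins)": {"user": "carol", "ip": "192.168.111.12"},
    "carol on banned IP": {"user": "carol", "ip": "192.168.111.50"},
}

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("admin first", ADMIN_FIRST)):
        print(name, decisions(rules, REQUESTS))
```

With the admin permit line first, an admin connecting from a banned address is allowed; keep "http_access deny bannedips" above it if address bans should apply to admins as well.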