Re: [squid-users] External_acl_type Problem

From: Kalil Costa - Brasilsite <kalil_at_brasilsite.com.br>
Date: Fri, 21 Jan 2011 13:11:25 -0200

OK.

But when I put the external acl and "acl dpto external nt_group finance"
with http_access before acl AuthorizedUsers, it shows me a screen asking for
user and password and doesn't seek AD directly.

The acl AuthorizedUsers is set as proxy_auth REQUIRED to ask for
authentication every time someone is browsing. I found that the external
acl should stay after it.

So... it didn't work. Any ideas?

Thanks

---kalz---

On 21-01-2011 12:07, Amos Jeffries wrote:
> On 22/01/11 01:38, Kalil Costa - Brasilsite wrote:
>> Hi all,
>>
>>
>> I have a problem with external_acl_type not working.
>>
>> I integrated AD 2003 using squid with ntlm, samba and winbind; it works
>> fine. Logs in access.log are OK and the user navigates normally, but when
>> I configure squid.conf using external_acl_type nothing happens.
>>
>
> Your problem is not related to external_acl_type.
>
> The order of your directives does not match what you are wanting to
> happen.
>
>>
>> My settings squid.conf
>>
>> -----
>>
>> http_port 3128
>>
>> cache_mem 12 MB
>> maximum_object_size_in_memory 64 KB
>> maximum_object_size 512 MB
>> minimum_object_size 0 KB
>> cache_swap_low 90
>> cache_swap_high 95
>> cache_dir ufs /var/spool/squid 2048 16 256
>> cache_access_log /var/log/squid/access.log
>> refresh_pattern ^ftp: 15 20% 2280
>> refresh_pattern ^gopher: 15 0% 2280
>
> Add:
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>
>
>> refresh_pattern . 15 20% 2280
>>
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>
> If you have a Squid newer than 2.6 remove the above three lines.
>
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 30
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>>
>>
>> #debug_options ALL,1 82,9 84,9
>>
>> #acl all src 0.0.0.0/24
>>
>>
>> acl AuthorizedUsers proxy_auth REQUIRED
>> http_access allow AuthorizedUsers
>
> At this point anyone who can login is allowed immediately.
>
>>
>> external_acl_type nt_group %LOGIN /usr/lib/squid/wbinfo_group.pl
>>
>> acl dpto external nt_group finance
>> http_access deny dpto
>>
>
> This group restriction needs to be above "allow AuthorizedUsers" to work.
>
> When two criteria overlap, the most specific needs to be tested first.
> In this case the details user+password+group is more specific than
> just user+password.
>
>
> Amos
Received on Fri Jan 21 2011 - 15:13:06 MST
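
The ordering point from Amos's reply, as an added example that is not part of the original thread: a small Python model of Squid's first-match http_access evaluation, run against the two rule orders. The group membership (`maria` in finance, `joao` not) is constructed sample data, and the model assumes the user has already authenticated.

```python
# Simplified model of Squid's http_access evaluation: rules are checked top
# to bottom and the first rule whose ACLs all match decides the request.
# Assumption: every request here already carries a valid login.

# Constructed sample data standing in for what the nt_group helper reports.
FINANCE_GROUP = {"maria"}

# ACL name -> predicate over the authenticated user name.
ACLS = {
    "AuthorizedUsers": lambda user: user is not None,   # proxy_auth REQUIRED
    "dpto": lambda user: user in FINANCE_GROUP,          # external nt_group finance
}

# Rule order as posted in the thread.
ORIGINAL = """
http_access allow AuthorizedUsers
http_access deny dpto
"""

# Rule order with the group restriction moved above the generic allow.
REORDERED = """
http_access deny dpto
http_access allow AuthorizedUsers
"""

def parse(conf):
    """Return [(action, [acl names])] for each http_access line."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def decide(conf, user):
    """Return (action, number of the rule that decided, or None)."""
    rules = parse(conf)
    for number, (action, names) in enumerate(rules, 1):
        if all(ACLS[name](user) for name in names):
            return action, number
    # No rule matched: Squid applies the opposite of the last rule's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("reordered", REORDERED)):
        for user in ("maria", "joao"):
            print(label, user, decide(conf, user))
```

In the original order the finance user is allowed by rule 1 and the deny line is never evaluated; in the reordered form rule 1 denies her and everyone else falls through to the generic allow.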
