Re: [squid-users] Problem with transparent authentication and restricted pages

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 31 Jan 2011 23:40:34 +0000

On Mon, 31 Jan 2011 17:35:02 +0000, "Gonzalo Morera" <gmorera_at_novell.com>
wrote:
> Thanks Chad
>
> I'll follow these instructions
>
> Gonzalo
>
>>>> "Chad Naugle" <Chad.Naugle_at_travimp.com> 31-01-2011 >>>
> You need to move all of your "deny" lines *before* your "allow" lines,
> otherwise you will get the popup.
>
> FYI, if you plan on using eDirectory 8.8 based IP->User, I wrote a
> C-based program for that, which is bundled with Squid 3.2-BETA, instead
> of using a perl script. You can probably just build 3.2.X without
> installing it and copy the executable to /usr/sbin, and use that for the
> blind auth.
>
>>>> "Gonzalo Morera" <gmorera_at_novell.com> 1/31/2011 11:16 AM >>>
> Hi all
>
> After solving the squid_ldap_group issue, I'm still facing a little one
> with users that are transparently authenticated through a .pl script against
> eDirectory.
>
> I've got this line:
>
> external_acl_type IPUser ttl=7200 %SRC
> /etc/squid/squid_edir_iplookup.pl
> (IPUser method)
>
> squid_edir_iplookup.pl is for users that have the Novell client
> installed. Through this script, their network address is found and they
> authenticate without being prompted. This works fine as long as they do
> not hit a forbidden page.
> And here is my problem. When they hit a forbidden page, instead of getting
> the 403 Forbidden, they are prompted for authentication. If they then enter a
> username/password (they share passwords :-( ) with rights, they can go
> to the page.
> So my goal is that when these users hit a forbidden page, the
> forbidden page comes up and not the auth page.
>
> I cannot find out how to do so, or whether the order of the rules is wrong
>
> Here is my squid.conf. Let me know if anything else is needed:
>
> ===snip====
>
<snip>
>
> # Seamless automatic access based on IP address
> # Access through the "IP User" external helper
> acl Full_Access external IPUser internet_nr
> acl Restricted_Access external IPUser internet_r
>
> # Access to users prompted with username/password dialogue
> # Full access
> acl lab_Full external ldap_group internet_nr
>
> # Restricted access
> acl lab_Restricted external ldap_group internet_r
>
<snip>

You have presented the settings for IPUser ACL but have omitted the ones
for ldap_group ACL. I suspect you have cut-n-pasted one of the common
examples for group lookup which rely on full client credentials
authentication.

Note that external ACL does not produce full-blown authentication
credentials (yet). So they are not used for %LOGIN group checking. You need
to use %EXT_USER instead and you do not have access to the external ACL
password.

Check this, but I expect you may find that, the way you have defined the
IPUser ACL lines, the helper gets passed "<src-IP> <group-name>", so you can
do the full check in one step in the handler script with a single
allow/block result.

Amos
Received on Mon Jan 31 2011 - 23:40:38 MST
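As an added worked example (not the squid_edir_iplookup.pl from the thread, and not code shipped with Squid), here is a minimal external ACL helper in Python that receives the "<src-IP> <group-name>" request line Amos describes and returns one allow/deny answer per lookup. The IP-to-user and group tables are constructed stand-ins for the eDirectory lookups; the helper assumes the external_acl_type line carries no concurrency= option (the posted line has none), so requests arrive without a leading channel-ID field.

```python
#!/usr/bin/env python3
"""Squid external ACL helper for IP-to-user lookups (added example).

Squid starts the helper and writes one request per line on stdin, built
from the external_acl_type format (%SRC in the post) followed by the extra
words on the "acl ... external IPUser <group>" line, for example
"10.0.0.5 internet_nr". The helper answers "OK" (optionally with user=...)
or "ERR" on one line and flushes, because Squid waits for the reply before
sending the next lookup to that helper instance.

Assumption: no concurrency= option, so lines carry no channel-ID prefix.
"""
import sys

# Constructed sample data standing in for the eDirectory lookups. A real
# helper would query the directory here (the post does it from Perl).
IP_TO_USER = {
    "10.0.0.5": "alice",
    "10.0.0.6": "bob",
}
GROUP_MEMBERS = {
    "internet_nr": {"alice"},          # full access
    "internet_r": {"alice", "bob"},    # restricted access
}


def parse_request(line):
    """Split a request line into (client_ip, group_name).

    Returns None when the line does not carry exactly two fields, so a
    malformed request becomes ERR instead of killing the helper (a dead
    helper makes every lookup fail until Squid respawns it).
    """
    fields = line.strip().split()
    if len(fields) != 2:
        return None
    return fields[0], fields[1]


def decide(client_ip, group_name, ip_to_user=IP_TO_USER,
           groups=GROUP_MEMBERS):
    """Return the reply for one lookup.

    The IP->user mapping and the group check are done together, so each
    ACL line gets a single allow/deny answer: OK only when the address maps
    to a known user who is a member of the requested group. The user= value
    becomes %EXT_USER for logging and later ACL formats; it is not an
    authentication credential, so %LOGIN stays unset.
    """
    user = ip_to_user.get(client_ip)
    if user is None:
        return "ERR"
    if user not in groups.get(group_name, set()):
        return "ERR"
    return "OK user=%s" % user


def handle_line(line):
    """Map one raw request line to one reply line."""
    parsed = parse_request(line)
    if parsed is None:
        return "ERR"
    return decide(*parsed)


def main():
    # One reply per request, flushed immediately so Squid is never left
    # waiting on a buffered answer.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With the posted `external_acl_type IPUser ttl=7200 %SRC ...` line pointing at this helper, `acl Full_Access external IPUser internet_nr` sends `<client-ip> internet_nr` and gets back a single allow or deny, cached by Squid for the ttl per (address, group) pair. Placed in `http_access` ahead of any rule built on a `proxy_auth` ACL or on an `ldap_group` lookup that uses `%LOGIN`, a deny decided by this helper ends in Squid's 403 page; it is a deny decided by an authentication ACL that makes Squid send the 407 challenge which the browser turns into the login prompt the poster wants to avoid.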