Hello
Thanks to Amos for this. Upon closer inspection of squid.conf I
discovered a stray http_reply_access directive which I was using
against a rep_mime_type construct, had found its way into an acl that
related to one I was using in the original problem. My mistake.
Using the suggested debug_options ALL,1 28,6 also helped with sorting
out what the problem was.
Thanks again
rolf.
> hello
>
> I cannot seem to get an ACL sequence to work as I expect it to (using
> 2.6stable9).
>
> I have right at the start of the config:
>
> acl authenticated_user proxy_auth REQUIRED
> then
> acl no_auth_unrestricted dstdomain
> "/usr/local/squid/no_authentication_required"
> http_access allow no_auth_unrestricted
>
> the file referenced contains a simple list of domain names.
>
> Further down I have a reference to an Active Directory Group
membership
> test:
>
> acl ge_users external ADdomainGroup
cn=GEUsers,cn=users,dc=example,dc=com
> acl ge_sites "/usr/local/squid/ge_sites"
> http_access allow ge_users ge_sites authenticated_user
>
> The external acl ADdomainGroup is defined as:
>
> external_acl_type ADdomainGroup ttl=900 %LOGIN
> /usr/lib/squid/squid_ldap_group -b "<searchbase>" -f (&(cn=%u)
(memberOf=%g)
> ) -H "ldap://ldaphost1/ ldap://;ldaphost2/" -S -D <bindUsername>
> -w"password"
>
> The checking of group membership against AD has worked perfectly for
> years and has never been an issue.
>
> If I try to go to a site in the "no authentication required" list
at the
> top I simply get a 403 in the logs and the "access control prevents
> access" etc message. Why does it not simply allow the request?
It should be by those details above.
What exact URI is failing and what entry is supposed to match it in the
file no_authentication_required?
> If I then go to a site that requires authentication, not
necessarily the
> "ge_sites", but any other allow that has authenticated_user as part
of
> the conditions, then the 407 is sent, I enter the credentials and
get to
> the site. Then returning to try a site as above that does not require
> auth, the site loads ok and the logs show the browser has sent the
> credentials.
Hmm, something elsewhere down a bit that you are not expecting to have
any connection is causing the authorized allow (second time).
>
> If I remove the acl and http_access for ge_users that talks to AD,
the
> sites requiring no authentication load as expected without need to
send
> credentials.
Same thing as when authorized is allowing them. Still no sign of
no_authentication_required actually working.
>
> How do I arrange the ACLs so that sites that require no
authentication
> get allowed?
I think you got the order right, just not the ACL content you need.
The most common mistake with dstdomain is thinking that "dstdomain
example.com" will match domains like www.example.com.
For that you need to start the partial-domain with a dot
ie. "dstdomain .example.com"
>
> I have tried looking at the output of debug_options ALL,1 33,2 but
have
> not been able to find the problem.
debug_options ALL,1 28,6 will show you the access controls in detail.
Amos
Received on Sun May 18 2008 - 13:41:30 MDT
This archive was generated by hypermail 2.2.0 : Tue Aug 05 2008 - 01:05:13 MDT