[squid-users] Squid and AD Group (ext_ldap_group_acl)

Olivier CALVANO o.calvano at gmail.com
Mon Feb 8 10:06:30 UTC 2016


Hi Amos,

Thanks for your help,

But if I don't put the line http_access deny !Group_Allowed, users not in
the group can connect
and access the whole internet.

my config:



######################################################################
# ACLs for access rights based on Active Directory
######################################################################
acl Authentification proxy_auth REQUIRED
http_access deny !Authentification
acl Group_Allowed external AD_Group Internet-Access
http_access allow Group_Allowed
#http_access deny !Group_Allowed
######################################################################

#always_direct deny Authentification
http_access allow Lan
http_access deny all






I see that I have a

http_access allow Lan

Isn't this the problem?



2016-02-07 11:44 GMT+01:00 Amos Jeffries <squid3 at treenet.co.nz>:

> On 7/02/2016 9:39 p.m., Olivier CALVANO wrote:
> > Hi
> >
> > I have a problem with AD Group; I use this config:
> >
> >
> > external_acl_type AD_Group children-startup=5 children-max=100
> > concurrency=80 ttl=1800 negative_ttl=900 %LOGIN
> > /usr/lib64/squid/ext_ldap_group_acl -d -S -K -R -b DC=mydomain,DC=fr -D
> > cn=UserAdmin,ou=vpn,dc=mydomain,dc=fr -w "Pa77word" -f
> > (&(objectclass=person)
> > (sAMAccountName=%v)(memberof=CN=%g,OU=Admin,DC=mydomain,DC=fr)) -h
> > 192.168.10.1
> >
> >
> > acl Group_Allowed external AD_Group Internet-Access
> > http_access allow Group_Allowed
> > http_access deny !Group_Allowed
> >
> >
> > When I want to use the proxy, Squid requests the login/pass all the time
>
> To check group membership, Squid must first know what user login
> credentials are being checked.
>
>
> >
> > If I change the config:
> >
> > http_access allow Group_Allowed
> > http_access deny !Group_Allowed
>
> As Group_Allowed uses %LOGIN format code it will perform 407 auth if it
> is used on any line and login is not yet provided, or do 407
> re-authentication whenever it is last ACL named on a deny line. In order
> to give the user the chance to provide credentials that will pass the test.
>
> In this particular config setup use "deny all" instead of "deny
> !Group_Allowed".
>
> Amos
>
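
Added example, not part of the original thread and not Squid code: a simplified Python model of first-match http_access evaluation, run over the rule sets shown in the messages above. It assumes Lan is a source-address ACL matching the internal network (its definition is not in the thread); the WITHOUT_LAN rule set and the three requests are constructed for comparison.

```python
# Added illustration: a simplified model of http_access evaluation, not Squid code.
AUTH_ACLS = {"Authentification", "Group_Allowed"}  # ACLs that depend on the login

def acl_matches(name, req):
    """Evaluate one named ACL against a constructed request."""
    if name == "all":
        return True
    if name == "Authentification":          # proxy_auth REQUIRED
        return req["user"] is not None
    if name == "Group_Allowed":             # external AD_Group Internet-Access
        return req["user"] is not None and "Internet-Access" in req["groups"]
    if name == "Lan":                       # assumption: src ACL for the internal network
        return req["from_lan"]
    raise KeyError(name)

def evaluate(rules, req):
    """ACLs on a line are ANDed; the first line that matches decides."""
    for action, *acls in rules:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            if action == "allow":
                return "ALLOW"
            # A deny line ending in an auth ACL re-challenges (407) instead of refusing.
            return "407" if acls[-1].lstrip("!") in AUTH_ACLS else "403"
    # No line matched: the default is the opposite of the last line's action.
    return "403" if rules[-1][0] == "allow" else "ALLOW"

# Rule set from the quoted first message.
QUOTED = [("allow", "Group_Allowed"), ("deny", "!Group_Allowed")]
# Rule set from the config posted in this message.
POSTED = [("deny", "!Authentification"), ("allow", "Group_Allowed"),
          ("allow", "Lan"), ("deny", "all")]
# Constructed variant: the posted rules without the Lan line.
WITHOUT_LAN = [r for r in POSTED if r != ("allow", "Lan")]

# Constructed requests, all coming from the LAN.
member = {"user": "alice", "groups": {"Internet-Access"}, "from_lan": True}
outsider = {"user": "bob", "groups": set(), "from_lan": True}
anonymous = {"user": None, "groups": set(), "from_lan": True}

if __name__ == "__main__":
    for label, rules in [("quoted", QUOTED), ("posted", POSTED),
                         ("without Lan", WITHOUT_LAN)]:
        print(label, {n: evaluate(rules, r) for n, r in
                      [("member", member), ("outsider", outsider),
                       ("anonymous", anonymous)]})
```

In this model the logged-in non-member is re-challenged under the quoted rules, admitted by the Lan line under the posted rules, and refused by "deny all" once no later allow line matches.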