[squid-users] Squid and AD Group (ext_ldap_group_acl)

Amos Jeffries squid3 at treenet.co.nz
Mon Feb 8 14:29:23 UTC 2016


On 8/02/2016 11:06 p.m., Olivier CALVANO wrote:
> Hi Amos,
> 
> Thanks for your help,
> 
> but if I don't put the line http_access deny !Group_Allowed, users not in
> the group connect and access all of the internet
> 
> my config:
> 
> ######################################################################
> # ACLs for access rights based on Active Directory
> ######################################################################
> acl Authentification proxy_auth REQUIRED
> http_access deny !Authentification
> acl Group_Allowed external AD_Group Internet-Access
> http_access allow Group_Allowed
> #http_access deny !Group_Allowed
> ######################################################################
> 
> #always_direct deny Authentification
> http_access allow Lan
> http_access deny all
> 
> I see that I have a
> 
> http_access allow Lan
> 
> Isn't this the problem?
> 

You did not do what I said to do ...


2016-02-07 11:44 GMT+01:00 Amos Jeffries:
> 
> In this particular config setup use "deny all" instead of "deny
> !Group_Allowed".
I did not mention or ask about any other rules in your config because
those two rules that you posted, no matter where you put them, will
always be the last two rules Squid checks.


They allow X and deny !X.

Once you match both X and not-X, what is left? Nothing. Nada.

Therefore, no traffic will ever possibly get past both those rules to
anything that follows.


So yes, the "allow Lan" is part of the reason why your change is not
working. BUT only because your change made it part of the problem when
it was not previously relevant.

Amos
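An added illustration, not part of Amos's reply or of Squid itself: a toy first-match evaluator for http_access rules, applied to the config quoted above, which shows that once "allow Group_Allowed" is followed by "deny !Group_Allowed" the later "allow Lan" can never be reached, while Amos's "deny all" variant gives the intended result. The ACL names are taken from the thread; the predicates behind them and the sample requests are constructed here.

```python
# Added example (not from the squid-users thread or the Squid code base):
# a minimal first-match evaluator for Squid http_access lines. Real Squid
# evaluates far more (async lookups, "slow" ACLs); this only models the
# ordering logic the thread is about. ACL predicates are hypothetical.

def http_access(rules, acls, request):
    """Return (decision, index) of the first rule whose terms ALL match.

    rules: list of (action, [term, ...]); a term is 'Name' or '!Name'.
    acls:  dict Name -> predicate(request) -> bool, mimicking acl lines.
    If no rule matches, Squid applies the opposite of the last rule's
    action; that case is returned with index None.
    """
    for i, (action, terms) in enumerate(rules):
        if all((not acls[t[1:]](request)) if t.startswith("!")
               else acls[t](request) for t in terms):
            return action, i
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None

def unreachable_rules(rules):
    """Indices of rules that follow an 'allow X' / 'deny !X' pair."""
    for i in range(len(rules) - 1):
        (_, t1), (_, t2) = rules[i], rules[i + 1]
        if len(t1) == 1 and len(t2) == 1 and t2[0] == "!" + t1[0]:
            return list(range(i + 2, len(rules)))
    return []

# Constructed ACL predicates mirroring the acl lines quoted in the thread.
ACLS = {
    "Authentification": lambda r: r["user"] is not None,
    "Group_Allowed":    lambda r: "Internet-Access" in r["groups"],
    "Lan":              lambda r: r["src"].startswith("10."),
    "all":              lambda r: True,
}

# The config as posted (deny !Group_Allowed still commented out).
POSTED = [
    ("deny",  ["!Authentification"]),
    ("allow", ["Group_Allowed"]),
    ("allow", ["Lan"]),
    ("deny",  ["all"]),
]
# The variant tried in the thread: deny !Group_Allowed uncommented.
WITH_DENY_NOT_GROUP = POSTED[:2] + [("deny", ["!Group_Allowed"])] + POSTED[2:]
# Amos's suggestion: "deny all" instead of "deny !Group_Allowed".
SUGGESTED = POSTED[:2] + [("deny", ["all"])]

# Constructed request: an authenticated LAN user who is NOT in the AD group.
LAN_USER_NO_GROUP = {"user": "alice", "groups": [], "src": "10.1.2.3"}
```

With POSTED, the non-group LAN user is allowed by the "allow Lan" line; with WITH_DENY_NOT_GROUP every rule after index 2 is dead; with SUGGESTED only group members get through.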