<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
As you can see (and the warning you get shows it), the problem is not in
the ACLs.<br>
<br>
But in the auth helper or near it:<br>
<br>
ext_ldap_group_acl: WARNING: could not bind to binddn 'Invalid
credentials'<br>
<br>
<br>
04.02.2015 18:34, <a class="moz-txt-link-abbreviated" href="mailto:Andreas.Reschke@mahle.com">Andreas.Reschke@mahle.com</a> wrote:<br>
<span style="white-space: pre;">> "squid-users"
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><squid-users-bounces@lists.squid-cache.org></a> wrote on
04.02.2015 13:13:49:<br>
><br>
> > From: Leonardo Rodrigues <a class="moz-txt-link-rfc2396E" href="mailto:leolistas@solutti.com.br"><leolistas@solutti.com.br></a><br>
> > To: <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> > Date: 04.02.2015 13:14<br>
> > Subject: Re: [squid-users] Order of http_access
allow/deny<br>
> > Sent by: "squid-users"
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><squid-users-bounces@lists.squid-cache.org></a><br>
> ><br>
> > On 04/02/15 09:19, <a class="moz-txt-link-abbreviated" href="mailto:Andreas.Reschke@mahle.com">Andreas.Reschke@mahle.com</a> wrote:<br>
> > Hi there,<br>
> > Is there an order of http_access allow/deny? If I
activate<br>
> > "http_access deny !chkglwebhttp" nobody can use the
proxy, squid<br>
> > always asks for user and password (user and password is
correct)<br>
> ><br>
> > ######<br>
> > acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http<br>
> > acl sellingUser external LDAPLookup
GGPY-LO-Web-Allowed-Selling<br>
> > acl socialUser external LDAPLookup
GGPY-LO-Web-Allowed-Social<br>
> > acl allforbUser external LDAPLookup
GGPY-LO-Web-Allowed-All<br>
> > acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put<br>
> > acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User<br>
> > acl auth proxy_auth REQUIRED<br>
> > acl permitt_ips src 10.143.10.247/32<br>
> > acl FTP proto FTP<br>
> > acl PUT method PUT<br>
> ><br>
> > # whitelisten<br>
> > http_access allow open-sites all<br>
> > http_access allow localhost<br>
> > http_access allow permitt_ips !denied-sites
!social-sites<br>
> > http_access allow indien DAY<br>
> > http_access deny indien<br>
> > #http_access deny !chkglwebhttp<br>
> > http_access allow selling-sites sellingUser<br>
> > http_access allow social-sites socialUser<br>
> ><br>
> > Actually, and I don't know if this is a bug or a desired
behavior,<br>
> > denying a group seems to always (at least to me) bring
the<br>
> > authentication popup. To avoid that and make things
really work as<br>
> > expected, I usually add an 'all' to the denying clause.
As the 'all'<br>
> > rule will match anything, it won't change the denying or
not of your<br>
> > rule. And it will make things work. Actually this hint
was found on<br>
> > the mailing list archives.<br>
> ><br>
> > So, instead of<br>
> ><br>
> > http_access deny !chkglwebhttp<br>
> ><br>
> > try using<br>
> ><br>
> > http_access deny !chkglwebhttp all<br>
> ><br>
> > if your 'indien' acl, which is also used on a deny
rule, is also<br>
> > a group rule (that cannot be confirmed on the conf you
posted), just<br>
> > add the all as well. In summary, always add an 'all' to
an<br>
> > http_access rule which involves denying by any kind of
group checking.<br>
> ><br>
> ><br>
> ><br>
> ><br>
><br>
> > --<br>
> ><br>
> ><br>
> > Atenciosamente / Sincerely,<br>
> > Leonardo Rodrigues<br>
> > Solutti Tecnologia<br>
> > <a class="moz-txt-link-freetext" href="http://www.solutti.com.br">http://www.solutti.com.br</a>
<a class="moz-txt-link-rfc2396E" href="http://www.solutti.com.br/"><http://www.solutti.com.br/></a><br>
> ><br>
> > Minha armadilha de SPAM, NÃO mandem email<br>
> > <a class="moz-txt-link-abbreviated" href="mailto:gertrudes@solutti.com.br">gertrudes@solutti.com.br</a><br>
> > My SPAMTRAP, do not email it<br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > squid-users mailing list<br>
> > <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> > <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
><br>
> Hi Leonardo,<br>
><br>
> thanks for your answer. I've tested it with "http_access deny
!chkglwebhttp all", so no access is allowed.<br>
> I always get "ext_ldap_group_acl: WARNING: could not bind to
binddn 'Invalid credentials'"<br>
><br>
><br>
><br>
> Mit freundlichen Grüßen / Kind regards<br>
><br>
> Mr. Andreas Reschke<br>
> <a class="moz-txt-link-abbreviated" href="mailto:andreas.reschke@mahle.com">andreas.reschke@mahle.com</a>, <a class="moz-txt-link-freetext" href="http://www.mahle.com">http://www.mahle.com</a>
<a class="moz-txt-link-rfc2396E" href="http://www.mahle.com/"><http://www.mahle.com/></a><br>
><br>
><br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a></span><br>
<br>
<br>
<br>
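Added example (not part of the original thread and not code from the Squid project): a small Python check for the rule pattern described in the quoted reply, an http_access deny line whose last ACL is a group or login check, which the reply says is fixed by appending 'all'. The sample squid.conf is constructed from ACL names in the thread; treating every 'external' ACL as credential-based is an assumption, since the external_acl_type line is not shown.

```python
# Added example: lint squid.conf for "http_access deny" rules that END in an
# authentication-type ACL (the pattern the thread fixes by appending 'all').
# Assumption: every 'external' ACL depends on user credentials; the thread
# does not show the external_acl_type definition, so this cannot be confirmed.

AUTH_TYPES = {"proxy_auth", "proxy_auth_regex", "external"}

# Constructed sample, built from the ACL names quoted in the thread.
SAMPLE_CONF = """\
acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http
acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling
acl auth proxy_auth REQUIRED
acl permitt_ips src 10.143.10.247/32
http_access allow localhost
http_access allow permitt_ips !denied-sites !social-sites
http_access deny !chkglwebhttp
#http_access deny !chkglwebhttp
http_access deny !sellingUser all
http_access allow selling-sites sellingUser
"""


def parse_acl_types(conf):
    """Map each ACL name to its type, from 'acl NAME TYPE ...' lines."""
    types = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments
        if parts[:1] == ["acl"] and parts[2:]:
            types.setdefault(parts[1], parts[2])
    return types


def find_challenging_denies(conf):
    """Return (line_no, rule, acl) for deny rules whose last ACL is auth-type."""
    types = parse_acl_types(conf)
    findings = []
    for no, line in enumerate(conf.splitlines(), 1):
        parts = line.split("#", 1)[0].split()
        if parts[:2] != ["http_access", "deny"] or not parts[2:]:
            continue
        last = parts[-1].lstrip("!")  # negation does not change the ACL type
        if types.get(last) in AUTH_TYPES:
            findings.append((no, " ".join(parts), last))
    return findings


if __name__ == "__main__":
    for no, rule, acl in find_challenging_denies(SAMPLE_CONF):
        print(f"line {no}: '{rule}' ends in auth ACL '{acl}'; consider appending 'all'")
```

This only checks rule shape; it does not address the helper's own bind failure ("could not bind to binddn 'Invalid credentials'") reported in the thread.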
</body>
</html>