[squid-users] Squid and AD Group (ext_ldap_group_acl)
Amos Jeffries
squid3 at treenet.co.nz
Sun Feb 7 10:44:38 UTC 2016
On 7/02/2016 9:39 p.m., Olivier CALVANO wrote:
> Hi
>
> i have a problems with AD Group, i use this config:
>
>
> external_acl_type AD_Group children-startup=5 children-max=100
> concurrency=80 ttl=1800 negative_ttl=900 %LOGIN
> /usr/lib64/squid/ext_ldap_group_acl -d -S -K -R -b DC=mydomain,DC=fr -D
> cn=UserAdmin,ou=vpn,dc=mydomain,dc=fr -w "Pa77word" -f
> (&(objectclass=person)
> (sAMAccountName=%v)(memberof=CN=%g,OU=Admin,DC=mydomain,DC=fr)) -h
> 192.168.10.1
>
>
> acl Group_Allowed external AD_Group Internet-Access
> http_access allow Group_Allowed
> http_access deny !Group_Allowed
>
>
> When i want use the proxy, squid request all time the Login/pass
To check group membership, Squid must first know what user login
credentialsare being checked.
>
> if i change config:
>
> http_access allow Group_Allowed
> http_access deny !Group_Allowed
As Group_Allowed uses %LOGIN format code it will perfom 407 auth if it
is used on any line and login is not yet provided, or do 407
re-authentication whenever it is last ACL named on a deny line. In order
to give the user the chance to provide credentials that will pass the test.
In this particular config setup use "deny all" instead of "deny
!Group_Allowed".
Amos
More information about the squid-users
mailing list