AW: AW: [squid-users] Authentication problem
Image #1 appears to be a login box of some kind. Where is it coming from; the browser software or a web page? >>> Browser Image #2 appears to be an HTTP login which the browser is refusing to display popup box for. Why is the browser not finding credentials somewhere or showing a popup? >>> The popup shown in picture one doesn't appear. For some reason, some >>> credentials are automatically used (maybe SSO) or some configuration block >>> this login popup. -Ursprüngliche Nachricht- Von: Amos Jeffries [mailto:squ...@treenet.co.nz] Gesendet: Mittwoch, 9. Mai 2012 03:53 An: squid-users@squid-cache.org Betreff: Re: AW: [squid-users] Authentication problem On 09.05.2012 01:44, Fuhrmann, Marcel wrote: > Hi Markus, > > sorry, but it doesn't work. :-( > > - Added this line in squid.conf > - server squid3 reload > - deleted IE cache restarted IE and open the website -> same error. > Err, yeah. Leaving the headers alone only works if one was already playing with erasing them in the first place. If someone else was erasing them in transit you need to kick them about the problems. > Any other ideas? Finding out what the problem actually is would be a better start. Image #1 appears to be a login box of some kind. Where is it coming from; the browser software or a web page? Image #2 appears to be an HTTP login which the browser is refusing to display popup box for. Why is the browser not finding credentials somewhere or showing a popup? Amos > > -Ursprüngliche Nachricht- > Von: Markus Lauterbach > > Hi Marcel, > > You have to add a small piece in your config. I think, it should lool > somehow like this: > > header_access Authorization allow all > > And restart your squid. > > Markus > >> -Ursprüngliche Nachricht- >> Von: Fuhrmann, Marcel >> >> Hello, >> >> i am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a >> website. >> Normally (without proxy) I am getting this windows to login: >> http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu >> >> With proxy I get this error (german; but understandable): >> http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um >> >> Can somebody give me advice? >> >> >> Thanks a lot! >> >> -- >> Marcel
Re: AW: [squid-users] Authentication problem
On 09.05.2012 01:44, Fuhrmann, Marcel wrote: Hi Markus, sorry, but it doesn't work. :-( - Added this line in squid.conf - server squid3 reload - deleted IE cache restarted IE and open the website -> same error. Err, yeah. Leaving the headers alone only works if one was already playing with erasing them in the first place. If someone else was erasing them in transit you need to kick them about the problems. Any other ideas? Finding out what the problem actually is would be a better start. Image #1 appears to be a login box of some kind. Where is it coming from; the browser software or a web page? Image #2 appears to be an HTTP login which the browser is refusing to display popup box for. Why is the browser not finding credentials somewhere or showing a popup? Amos -Ursprüngliche Nachricht- Von: Markus Lauterbach Hi Marcel, You have to add a small piece in your config. I think, it should lool somehow like this: header_access Authorization allow all And restart your squid. Markus -Ursprüngliche Nachricht- Von: Fuhrmann, Marcel Hello, i am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a website. Normally (without proxy) I am getting this windows to login: http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu With proxy I get this error (german; but understandable): http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um Can somebody give me advice? Thanks a lot! -- Marcel
AW: [squid-users] Authentication problem
Hi Markus, sorry, but it doesn't work. :-( - Added this line in squid.conf - server squid3 reload - deleted IE cache restarted IE and open the website -> same error. Any other ideas? -- Marcel -Ursprüngliche Nachricht- Von: Markus Lauterbach [mailto:markus.lauterb...@meinestadt.de] Gesendet: Dienstag, 8. Mai 2012 15:32 An: squid-users@squid-cache.org Betreff: RE: [squid-users] Authentication problem Hi Marcel, You have to add a small piece in your config. I think, it should lool somehow like this: header_access Authorization allow all And restart your squid. Markus > -Ursprüngliche Nachricht- > Von: Fuhrmann, Marcel [mailto:marcel.fuhrm...@lux.ag] > Gesendet: Dienstag, 8. Mai 2012 15:04 > An: squid-users@squid-cache.org > Betreff: [squid-users] Authentication problem > > Hello, > > i am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a website. > Normally (without proxy) I am getting this windows to login: > http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu > > With proxy I get this error (german; but understandable): > http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um > > Can somebody give me advice? > > > Thanks a lot! > > -- > Marcel
Re: AW: AW: AW: [squid-users] authentication problem with squid_ldap_group
On Fri, 14 Jan 2005, Joachim JS. Schuster wrote: I compiled squid version 2.5STABLE6 with ./configure --prefix=/usr/local/squid --enable-external-acl-helpers and it works. When i use the same command with squid2.5 STABLE7 it don`t works. Do you have a idea why not ? Please post command line tests of both versions of squid_ldap_group. Regards Henrik
AW: AW: AW: [squid-users] authentication problem with squid_ldap_group
Hello Yong, I compiled squid version 2.5STABLE6 with ./configure --prefix=/usr/local/squid --enable-external-acl-helpers and it works. When i use the same command with squid2.5 STABLE7 it don`t works. Do you have a idea why not ? Regard Joachim -Ursprüngliche Nachricht- Von: Yong Bong Fong [mailto:[EMAIL PROTECTED] Gesendet: Freitag, 14. Januar 2005 01:23 An: Joachim JS. Schuster Betreff: AW: AW: AW: [squid-users] authentication problem with squid_ldap_group Hi Joachim, I don't think its compiling problem. You can just compile with ./configure Ever think of trying out with rpm ? Regards Yong Hi Yong, I mean i found the error. i installed a squid 2.5.Stable6 Version and it yust works. The squid version 2.5.Stable7 dont`t work. The squid_ldap_group file from stbale 2.7 is bigger. here is a diffrent. Or is this a compiling problem. I compile with ./configure --prefix=/usr/local/squid . Is this correct ? Regard Joachim
Re: AW: AW: AW: [squid-users] authentication problem with squid_ldap_group
On Thu, 13 Jan 2005, Joachim JS. Schuster wrote: I mean i found the error. i installed a squid 2.5.Stable6 Version and it yust works. The squid version 2.5.Stable7 dont`t work. The squid_ldap_group file from stbale 2.7 is bigger. here is a diffrent. There is two related patches in the 2.5.STABLE7 release: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-basic_auth_caseinsensitive http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-ldap_helpers The first is quite self explanatory.. The second changes some of the code in both squid_ldap_auth and squid_ldap_group mainly to work better with different LDAP servers having restrictions on how one may login to their directory services... If you can detail what problem you are seeing, and what exact auth_param and external_acl_type parameters you are using then maybe your problem can be better understood. Regards Henrik
AW: AW: AW: [squid-users] authentication problem with squid_ldap_group
Hi Yong, I mean i found the error. i installed a squid 2.5.Stable6 Version and it yust works. The squid version 2.5.Stable7 dont`t work. The squid_ldap_group file from stbale 2.7 is bigger. here is a diffrent. Or is this a compiling problem. I compile with ./configure --prefix=/usr/local/squid . Is this correct ? Regard Joachim -Ursprüngliche Nachricht- Von: Yong Bong Fong [mailto:[EMAIL PROTECTED] Gesendet: Donnerstag, 13. Januar 2005 08:00 An: Joachim JS. Schuster Betreff: Re: AW: AW: [squid-users] authentication problem with squid_ldap_group Hi Joachim, I am using squid-2.5.STABLE5-2, comes with FC2. Actually for your case, is it when you do it from command prompt, its ok but from browser it cannot pass through? I had a case before when I got OK from terminal but on browser it cannot go through. It just kept reprompting for username and password from the browser. Then I changed the %u -> %v and %g -> %a and worked. regards Yong Joachim JS. Schuster wrote: >Hi Yong, >What squid version do you use ? > >regards > >Joachim > > >-Ursprüngliche Nachricht- >Von: Yong Bong Fong [mailto:[EMAIL PROTECTED] >Gesendet: Donnerstag, 13. Januar 2005 01:27 >An: Joachim JS. Schuster >Betreff: Re: AW: [squid-users] authentication problem with squid_ldap_group > > >Hi Joachim, > > This is my acl which works. Maybe you can copy exactly mine, >especially the order of the http_access part. And see if it works. > >acl all src 0.0.0.0/0.0.0.0 >acl manager proto cache_object >acl localhost src 127.0.0.1/255.255.255.255 >acl to_localhost dst 127.0.0.0/8 >acl SSL_ports port 443 563 >acl Safe_ports port 80 # http >acl Safe_ports port 21 # ftp >acl Safe_ports port 443 563 # https, snews >acl Safe_ports port 70 # gopher >acl Safe_ports port 210 # wais >acl Safe_ports port 1025-65535 # unregistered ports >acl Safe_ports port 280 # http-mgmt >acl Safe_ports port 488 # gss-http >acl Safe_ports port 591 # filemaker >acl Safe_ports port 777 # multiling http >acl CONNECT method CONNECT >acl ldap_group-admin external ldap_group admin > > > >http_access allow manager localhost >http_access allow manager >http_access allow ldap_group-admin >http_access deny !Safe_ports >http_access deny CONNECT !SSL_ports >http_access allow localhost >http_access deny all > >Regards >Yong > > >Joachim JS. Schuster wrote: > > > >>Hi, >>Please have a look on the lines below: >> >> >>acl all src 0.0.0.0/0.0.0.0 >>acl manager proto cache_object >>acl localhost src 127.0.0.1/255.255.255.255 >>acl to_localhost dst 127.0.0.0/8 >>acl SSL_ports port 443 563 >>acl Safe_ports port 80 >>acl Safe_ports port 21 >>acl Safe_ports port 443 563 >>acl Safe_ports port 70 >>acl Safe_ports port 210 >>acl Safe_ports port 1025-65535 >>acl Safe_ports port 280 >>acl Safe_ports port 488 >>acl Safe_ports port 591 >>acl Safe_ports port 777 >>acl CONNECT method CONNECT >>acl ldapproxygroup external ldapgroup webaccess >> >>http_access allow manager localhost >>http_access deny manager >>http_access deny !Safe_ports >>http_access deny CONNECT !SSL_ports >>http_access allow ldapproxygroup >>http_access deny all >> >>Regards >> >>Joachim >> >> >>-Ursprüngliche Nachricht- >>Von: Yong Bong Fong [mailto:[EMAIL PROTECTED] >>Gesendet: Mittwoch, 12. Januar 2005 02:29 >>An: Joachim JS. Schuster >>Betreff: Re: [squid-users] authentication problem with >>squid_ldap_group >> >> >>Hi Joachim, >> >> Can you post your acl list and http_access? >>Maybe we can spot some mistakes from your acl and http_access. >> >> >> >>Joachim JS. Schuster wrote: >> >> >> >> >> >>>Dear squid users, >>>I need help about my authentifaction problem with squid_ldap_group. >>> >>>first i create a entry for squid_ldap_auth. i can login and i have >>>web access and it works fine. >>> >>>auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b >>>"dc=mb,dc=local" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 >>>-f "(&(sAMAccountName=%s)(objectClass=Person))" -h 192.168.3.1 acl >>>USERS proxy_auth REQUIRED >>> >>>http_access allow USERS >>> >>>in the next step i create this lines for my ldap group access. >>> >>>external_acl_type ldapgroup concurrency=15 %LOGIN >>>/usr/sbin/squid_ldap_group -P -R -b "ou=i
AW: AW: [squid-users] authentication problem with squid_ldap_group
Hi Yong, What squid version do you use ? regards Joachim -Ursprüngliche Nachricht- Von: Yong Bong Fong [mailto:[EMAIL PROTECTED] Gesendet: Donnerstag, 13. Januar 2005 01:27 An: Joachim JS. Schuster Betreff: Re: AW: [squid-users] authentication problem with squid_ldap_group Hi Joachim, This is my acl which works. Maybe you can copy exactly mine, especially the order of the http_access part. And see if it works. acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl ldap_group-admin external ldap_group admin http_access allow manager localhost http_access allow manager http_access allow ldap_group-admin http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access deny all Regards Yong Joachim JS. Schuster wrote: >Hi, >Please have a look on the lines below: > > >acl all src 0.0.0.0/0.0.0.0 >acl manager proto cache_object >acl localhost src 127.0.0.1/255.255.255.255 >acl to_localhost dst 127.0.0.0/8 >acl SSL_ports port 443 563 >acl Safe_ports port 80 >acl Safe_ports port 21 >acl Safe_ports port 443 563 >acl Safe_ports port 70 >acl Safe_ports port 210 >acl Safe_ports port 1025-65535 >acl Safe_ports port 280 >acl Safe_ports port 488 >acl Safe_ports port 591 >acl Safe_ports port 777 >acl CONNECT method CONNECT >acl ldapproxygroup external ldapgroup webaccess > >http_access allow manager localhost >http_access deny manager >http_access deny !Safe_ports >http_access deny CONNECT !SSL_ports >http_access allow ldapproxygroup >http_access deny all > >Regards > >Joachim > > >-Ursprüngliche Nachricht- >Von: Yong Bong Fong [mailto:[EMAIL PROTECTED] >Gesendet: Mittwoch, 12. Januar 2005 02:29 >An: Joachim JS. Schuster >Betreff: Re: [squid-users] authentication problem with squid_ldap_group > > >Hi Joachim, > > Can you post your acl list and http_access? >Maybe we can spot some mistakes from your acl and http_access. > > > >Joachim JS. Schuster wrote: > > > >>Dear squid users, >>I need help about my authentifaction problem with squid_ldap_group. >> >>first i create a entry for squid_ldap_auth. i can login and i have web >>access and it works fine. >> >>auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b >>"dc=mb,dc=local" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -f >>"(&(sAMAccountName=%s)(objectClass=Person))" -h 192.168.3.1 acl USERS >>proxy_auth REQUIRED >> >>http_access allow USERS >> >>in the next step i create this lines for my ldap group access. >> >>external_acl_type ldapgroup concurrency=15 %LOGIN >>/usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f >>"(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" >>-D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1 >> >>acl ldapproxygroup external ldapgroup webaccess >> >>http_access allow ldapproxygroup >> >>i can login but i have no webaccess. i see the 407 error access denied >>in squid conf. >> >>when i execute >> >>heins:~ # /usr/sbin/squid_ldap_group -P -R -b >>"ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F >>"(&(sAMAccountName=%s)(objectClass=Person))" -D >>"cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1 cwm >>webaccess OK >> >>i get ok but the user cwm can´t use the proxy. >> >>Thank you for all the help. >> >>Best Regards >> >>Joachim >> >> >> >> >> >> > > > > >
Re: AW: [squid-users] authentication problem with squid_ldap_group
On Wed, 12 Jan 2005, Joachim JS. Schuster wrote: Hallo Henrik, I can`t find the discription for -d and for the -S flag in the documentation. Can you tell me how i must use it ? From the squid_ldap_group man page: -S Strip NT domain name component from user names (/ or \ separated) -d Debug mode where each step taken will get reported in detail. Useful for understanding what goes wrong if the results is not what is expected. Based on the access.log output you shown -S is not your problem. Regards Henrik
AW: [squid-users] authentication problem with squid_ldap_group
Hallo Henrik, I can`t find the discription for -d and for the -S flag in the documentation. Can you tell me how i must use it ? Regards Joachim -Ursprüngliche Nachricht- Von: Henrik Nordstrom [mailto:[EMAIL PROTECTED] Gesendet: Mittwoch, 12. Januar 2005 16:11 An: Oliver Hookins Cc: squid-users@squid-cache.org; Joachim JS. Schuster Betreff: Re: [squid-users] authentication problem with squid_ldap_group On Wed, 12 Jan 2005, Oliver Hookins wrote: > The only thing I could suggest is trying the -S parameter anyway. I > don't > know any really good ways to find out what is happening, unless you can write > a test-program to replace squid_ldap_group that logs what options and input > were passed to it. It either works or it doesn't! The -d flag to squid_ldap_group makes it more verbose about it's operations. Regards Henrik
Re: AW: [squid-users] authentication problem with squid_ldap_group
Joachim JS. Schuster wrote: -Ursprüngliche Nachricht- Von: Oliver Hookins [mailto:[EMAIL PROTECTED] Gesendet: Mittwoch, 12. Januar 2005 01:07 An: squid-users@squid-cache.org Cc: Joachim JS. Schuster Betreff: Re: [squid-users] authentication problem with squid_ldap_group Joachim JS. Schuster wrote: Joachim JS. Schuster wrote: Dear squid users, I need help about my authentifaction problem with squid_ldap_group. first i create a entry for squid_ldap_auth. i can login and i have web access and it works fine. auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b "dc=mb,dc=local" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -f "(&(sAMAccountName=%s)(objectClass=Person))" -h 192.168.3.1 acl USERS proxy_auth REQUIRED http_access allow USERS in the next step i create this lines for my ldap group access. external_acl_type ldapgroup concurrency=15 %LOGIN /usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1 acl ldapproxygroup external ldapgroup webaccess http_access allow ldapproxygroup i can login but i have no webaccess. i see the 407 error access denied in squid conf. when i execute heins:~ # /usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1 cwm webaccess OK i get ok but the user cwm can´t use the proxy. Can you quote some of the logs that shows the problem? Is the username in the logs exactly as you are typing it on the command line? What I am getting at is that it might have the domain name attached to the username in which case you need the -S option for squid_ldap_group. Regards, Oliver Sorry im am new in this list. On wich way i must contact you ? By your mail adresse or over a squid-users@squid-cache.org ? The access.log entries: 1105494666.537 0 192.168.5.2 TCP_DENIED/407 2470 GET http://www.google.de/ - NONE/- text/html 1105494675.258 24 192.168.5.2 TCP_DENIED/403 2217 GET http://www.google.de/ cwm NONE/- text/html The username cwm ist correct. I can add more users to the webaccess. I checked all the new users with the comandline below and the test ist ok. /usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1 Regards Joachim Sorry, my mail program doesn't automatically reply to the list - yes you should reply to the list unless you want to converse directly with one of the members. The only thing I could suggest is trying the -S parameter anyway. I don't know any really good ways to find out what is happening, unless you can write a test-program to replace squid_ldap_group that logs what options and input were passed to it. It either works or it doesn't! Regards, Oliver Do you mean the -S (Strip NT domain from usernames)parameter ? Regards Joachim Yes. Oliver