Hi, I'm using squid-2.5.STABLE5-20040419 and OpenLDAP 2.1.29 on RedHat Professional WS. I want to restrict access to certain MIME types on a per-user (group) level. The basic idea is to have a group of users that are allowed to access HTML, images, CSS and JavaScript only, and another group ("admins") that is allowed to access everything. My user accounts are stored in the LDAP directory.
For testing purposes I tried the following setup:

-------------------------------------
auth_param basic program /opt/squid/libexec/squid_ldap_auth -b "dc=sk,dc=de" -f "(cn=%s)" -D "cn=Manager,dc=sk,dc=de" -w "****" -h myldaphostname -v 3
auth_param basic children 1
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
[...]
acl users proxy_auth REQUIRED
external_acl_type ldap_group_helper %LOGIN /opt/squid/libexec/squid_ldap_group -d -D "cn=Manager,dc=sk,dc=de" -w "****" -v 3 -h myldaphostname -b "dc=sk,dc=de" -B "dc=sk,dc=de" -f "(&(objectclass=groupOfNames)(cn=%a)(member=%v))" -F "(sn=%s)"
acl admins external ldap_group_helper admins
acl htmltyp rep_mime_type text/html
acl giftyp rep_mime_type image/gif
acl all src 0.0.0.0/0.0.0.0
[...]
http_access allow users
http_access deny all
http_reply_access allow users htmltyp
http_reply_access allow admins
http_reply_access deny all
--------------------------------------

This should allow access to pure HTML for any authenticated user and additionally allow access to GIF images for members of the "admins" group. But it does not. Turning on some debugging produced the result that the rule "http_reply_access allow admins" never matches, even if the authenticated user is a member of the admins group.

The LDAP stuff itself seems to be correct. I checked that with the following config:

http_access allow admins
http_access deny all

(and leave out the extra http_reply_access). This works as expected (i.e. members of the admins group are granted access, all others are denied access). It seems like the problem only occurs in conjunction with the http_reply_access.

Any ideas?

(My current workaround is a script that reads the admins group from the LDAP directory and writes the members into a file. Told squid to read the "admins" acl from the file instead of the LDAP directory.
That basically works but is not really elegant.)
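The file-based workaround mentioned at the end of the post, as an added example (this is not the poster's script): it turns the LDIF that ldapsearch prints for the admins group into the one-login-per-line file that `acl admins proxy_auth "/etc/squid/admins.txt"` reads. It assumes member DNs start with cn=<login>, which is what the poster's `-f "(cn=%s)"` authentication filter implies; the LDIF input and the file path are constructed.

```python
import base64
import re
import sys

# Constructed sample of what "ldapsearch -LLL ... member" returns for the admins group,
# including two LDIF features a naive grep misses: a base64 value ("member::") and a
# folded value (continuation lines start with one space). Duplicate entries are on purpose.
SAMPLE_LDIF = """dn: cn=admins,ou=groups,dc=sk,dc=de
member: cn=alice,ou=people,dc=sk,dc=de
member:: Y249Ym9iLG91PXBlb3BsZSxkYz1zayxkYz1kZQ==
member: cn=carol,ou=people,
 dc=sk,dc=de
member: cn=alice,ou=people,dc=sk,dc=de
"""

# First RDN of a member DN; the value may contain backslash-escaped commas.
CN_RDN = re.compile(r"^cn=((?:\\.|[^,])+)", re.IGNORECASE)

def unfold(ldif_text):
    """Join LDIF continuation lines back onto the line they belong to."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def member_logins(ldif_text):
    """Sorted, de-duplicated login names: the cn of each member DN."""
    logins = set()
    for line in unfold(ldif_text):
        if line.lower().startswith("member:: "):
            dn = base64.b64decode(line[9:]).decode("utf-8")
        elif line.lower().startswith("member: "):
            dn = line[8:]
        else:
            continue
        m = CN_RDN.match(dn.strip())
        if m:  # a member whose first RDN is not cn= cannot match the cn=%s login, skip it
            logins.add(m.group(1).replace("\\,", ","))
    return sorted(logins)

def write_acl_file(path, logins):
    """One login per line: the format acl ... proxy_auth "file" reads."""
    with open(path, "w") as fh:
        fh.write("\n".join(logins) + "\n")

if __name__ == "__main__":  # usage: ldapsearch -LLL ... member | python3 mkadmins.py /etc/squid/admins.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    write_acl_file(sys.argv[1] if len(sys.argv) > 1 else "admins.txt", member_logins(text))
```

Squid re-reads the file only on `squid -k reconfigure`, so the cron job that regenerates it needs to trigger that when the member list changes.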