Re: [squid-users] Squid ldap group authentication with Zimbra LDAP

Tue, 23 Feb 2010 01:38:31 -0800 

Kevin Kimani wrote:

Find below the configurations placed in my config file

auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b
dc=openworld,dc=co,dc=ke -f "(&(uid=%s)(objectClass=zimbraAccount))"
-h 192.168.111.130
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour

external_acl_type InetGroup ttl=300 %LOGIN
/usr/lib/squid/squid_ldap_group -v 3 -b dc=openworld,dc=co,dc=ke -B
"uid=zimbra,cn=admins,cn=zimbra" -w ldapadmin -f
"(&(uid=%u)(objectClass=zimbraAccount))" -h 192.168.111.130

acl ldapauth proxy_auth REQUIRED
acl InetAccess external InetGroup Admins

http_access allow InetAccess
http_access allow my_network

For authentication of a single user it works since it asks for
authentication but group authentication it aint.
There is nothing in that http_access list to prevent access. Everyone who is ether an "Admin" group or "my_network" has full access. 

You need either:
1) if you want a whole group bocked: an additional "acl InetDenied external InetGroup ..." for the group(s). 

or
2) if you want individuals blocked: an "acl InetDenied proxy_user ..." listing the usernames.
... along with "http_access deny IdentDenied" to prevent the selected users having web access. Probably right after the admin permit line. 

Amos



Regards


On Tue, Feb 23, 2010 at 11:29 AM, Amos Jeffries <squ...@treenet.co.nz> wrote:

Kevin Kimani wrote:

Hi all,
Am having a problem trying to authenticate a group that i have set up
in my zimbra mail server. the users are stored in an ldap database
thus thought that authentication would just be the same as other ldap
databases. am able to authenticate users in singular but want to barr
some users in a particular group. the command i have is letting
everyone access the internet. "external_acl_type InetGroup %LOGIN
/usr/lib/squid/squid_ldap_group -v 3 -b dc=xxxxxx,dc=co,dc=ke -f
"(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
would anyne have an idea how to go about it? am in terrible need for it to
work.
Regards

external_acl_type merely runs a lookup helper, you have additional "acl"
lines specifying how its used and various http_access lines as well
specifying how the acl lines affect peoples HTTP requests.
 We need to know all those other lines to tell what/why you have this
problem.

Amos
--
Please be using
 Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
 Current Beta Squid 3.1.0.16




--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
  Current Beta Squid 3.1.0.16

Reply via email to