On Friday 04 July 2003 17.15, Diego Rivera wrote:
> On Fri, 2003-07-04 at 04:24, Henrik Nordstrom wrote:
> > Not only. The proxy_auth and proxy_auth_regex acl types also
> > support a kind of groups, but not external such.
>
> I understand how proxy_auth_regex could be able to do this, but I
> don't see an example of it. Could you provide me with a short one
> to give me a clear idea of what you mean here?

Some examples:

  acl group1 proxy_auth "/path/to/file/listing/users/in/group1"
  acl group2 proxy_auth "/path/to/file/listing/users/in/group2"

  acl domain1 proxy_auth_regex @example\.com$
  acl domain2 proxy_auth_regex @example\.org$

Or to detail:

The proxy_auth and proxy_auth_regex acl types match against the user's
authenticated user name. Both define a list of possible matches. The
proxy_auth type also defines the magic login name match REQUIRED,
which matches any user name to simplify the case of all users.

Neither of these acl types is responsible for performing the actual
authentication. Authentication occurs as a side effect of these acl
types requiring a valid user name. Because Squid requires
authentication to be able to process a proxy_auth acl type,
authentication will be required as soon as it encounters such an acl
in http_access.

> If the external_acl_type definition gives the helper arguments (or,
> rather, an argument set format), would the 'acl external' clause
> then offer additional arguments, or just the arguments to fill
> those expected by external_acl_type?

Additional arguments.

external_acl_type sets what information from the requests should be
sent to the helper, plus any command line arguments which need to be
sent to the helper. The acl clause adds to this additional
information related to the specific acl, for example group names etc.

> Is all this documented extensively outside the conf file? Where
> might I find examples of this?

Some info can be found on http://devel.squid-cache.org/external_acl/,
but most of this is in squid.conf.default already. There is also
documentation included in each helper shipped with Squid on how to
configure Squid to use that helper. Most use a combination of
external_acl_type to define the helper and acl external to define
acls making use of the logic provided by the helper.

The typical example of external acls is group helpers.
In such a case external_acl_type defines the specific group helper
much like auth_param defines an authentication helper, and acl
external defines lists of groups to match, typically something like
this example for LDAP groups:

  external_acl_type LDAP_group %LOGIN /path/to/ldap_group [cmdline args]

  acl group_Marketing external LDAP_group Marketing

In which case the helper will be asked if the user belongs to the
group Marketing when Squid encounters the acl group_Marketing in
http_access processing.

Regards
Henrik
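
An added example, not part of the message above and not one of the helpers shipped with Squid: a minimal group helper of the kind described, written in Python. It assumes each request line is the %LOGIN value followed by the group names from the acl line, URL-escaped, and that the helper answers OK or ERR per line; the GROUPS table and the function name answer are constructed for illustration.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL group helper (illustrative sketch)."""
import sys
from urllib.parse import unquote

# Constructed sample data: group name -> set of member logins.
GROUPS = {
    "Marketing": {"alice", "bob"},
    "Engineering": {"carol"},
}


def answer(line, groups=GROUPS):
    """Return "OK" if the login is in any listed group, else "ERR".

    Assumed input: "<login> <group> [<group> ...]", i.e. the %LOGIN
    field followed by the arguments given on the acl line.
    """
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"  # malformed request: fail closed
    login, wanted = fields[0], fields[1:]
    if login == "-":
        return "ERR"  # no authenticated user name was supplied
    if any(login in groups.get(g, ()) for g in wanted):
        return "OK"
    return "ERR"  # unknown user or unknown group: deny


def main():
    # Squid keeps the helper running and sends one request per line,
    # so every reply has to be flushed immediately.
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Group names are compared case-sensitively here, so the name on the acl line must match the key in the table exactly.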
