Hi,

I’m configuring a squid proxy box with LDAP authentication, and ACLs based on 
LDAP groups.  I have the LDAP authentication working, as are groups.

However, when I add a user to an “Access Denied” group, squid then causes the 
browser to bring up an authentication dialog box.  Most squid installs I have 
seen bring up a squid “Cache Access Denied” screen at this point.  This is what 
I would like it to do.

I am unsure if what I am experiencing is expected behaviour, or whether I have 
an error in my config file.

I am running Squid 2.7STABLE6 on a Windows 2008 server.  Relevant lines from 
squid.conf are below.  Note that the LDAP works correctly, and so I have not 
provided details.  What is not acting as I expected is the behaviour of Squid 
when it hits the “http_access deny accessdenied” line.  This seems to be what 
re-challenges the browser.  

As we are a school, we need to ensure that both the user is a valid user (from 
the initial challenge, which collects their machine login, invisible to the 
user), and that they have not been denied for some reason (hence the denied 
group).  The re-challenge will lead to students logging into squid with their 
friend's account.  A Cache Access Denied screen is a much better alternative.

Note that once I have this working, there will be other “denied” groups to deny 
on, prior to allowing access.

Any suggestions or ideas are appreciated.

Regards,
Dion


auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ......
auth_param basic children 5
auth_param basic realm VSC
auth_param basic credentialsttl 5 minutes

external_acl_type ldapgroup %LOGIN ......

acl ldap-auth proxy_auth REQUIRED

acl accessdenied external ldapgroup InternetAccessDeny
acl accessallowed external ldapgroup InternetAccess

http_access deny accessdenied
http_access allow accessallowed
http_access deny all



