Hmm, in the logs:

ext_ldap_group_acl.cc(587): pid=12990 :Connected OK
ext_ldap_group_acl.cc(726): pid=12990 :group filter '(&(objectclass=person)(sAMAccountName=0)(memberof=CN=ocalvano,OU=Admin,OU=vpn,DC=mydomain,DC=fr))', searchbase 'DC=mydomain,DC=fr'
ext_ldap_group_acl.cc(726): pid=12990 :group filter '(&(objectclass=person)(sAMAccountName=0)(memberof=CN=Internet-Access,OU=Admin,OU=vpn,DC=mydomain,DC=fr))', searchbase 'DC=mydomain,DC=fr'
ext_ldap_group_acl.cc(587): pid=12990 :Connected OK
ext_ldap_group_acl.cc(726): pid=12990 :group filter '(&(objectclass=person)(sAMAccountName=0)(memberof=CN=Guest,OU=Admin,OU=vpn,DC=mydomain,DC=fr))', searchbase 'DC=mydomain,DC=fr'
ext_ldap_group_acl.cc(726): pid=12990 :group filter '(&(objectclass=person)(sAMAccountName=0)(memberof=CN=Internet-Access,OU=Admin,OU=vpn,DC=mydomain,DC=fr))', searchbase 'DC=mydomain,DC=fr'

User ocalvano is in group Internet-Access but not Guest, and the log says "Ok" (or is it only the LDAP connection?)

2016-02-08 11:06 GMT+01:00 Olivier CALVANO <o.calv...@gmail.com>:

> Hi Amos,
>
> Thanks for your help,
>
> but if I don't put the line http_access deny !Group_Allowed, users not in
> the group connect
> and access all of the internet
>
> my config:
>
> ######################################################################
> # ACLs for access rights based on Active Directory
> ######################################################################
> acl Authentification proxy_auth REQUIRED
> http_access deny !Authentification
> acl Group_Allowed external AD_Group Internet-Access
> http_access allow Group_Allowed
> #http_access deny !Group_Allowed
> ######################################################################
>
> #always_direct deny Authentification
> http_access allow Lan
> http_access deny all
>
> I see that I have a
>
> http_access allow Lan
>
> isn't this the problem?
>
> 2016-02-07 11:44 GMT+01:00 Amos Jeffries <squ...@treenet.co.nz>:
>
>> On 7/02/2016 9:39 p.m., Olivier CALVANO wrote:
>> > Hi
>> >
>> > I have a problem with AD Group, I use this config:
>> >
>> >
>> > external_acl_type AD_Group children-startup=5 children-max=100
>> > concurrency=80 ttl=1800 negative_ttl=900 %LOGIN
>> > /usr/lib64/squid/ext_ldap_group_acl -d -S -K -R -b DC=mydomain,DC=fr -D
>> > cn=UserAdmin,ou=vpn,dc=mydomain,dc=fr -w "Pa77word" -f
>> > (&(objectclass=person)
>> > (sAMAccountName=%v)(memberof=CN=%g,OU=Admin,DC=mydomain,DC=fr)) -h
>> > 192.168.10.1
>> >
>> >
>> > acl Group_Allowed external AD_Group Internet-Access
>> > http_access allow Group_Allowed
>> > http_access deny !Group_Allowed
>> >
>> >
>> > When I want to use the proxy, Squid requests the login/password all the time
>>
>> To check group membership, Squid must first know what user login
>> credentials are being checked.
>>
>>
>> >
>> > if I change config:
>> >
>> > http_access allow Group_Allowed
>> > http_access deny !Group_Allowed
>>
>> As Group_Allowed uses %LOGIN format code it will perform 407 auth if it
>> is used on any line and login is not yet provided, or do 407
>> re-authentication whenever it is last ACL named on a deny line. In order
>> to give the user the chance to provide credentials that will pass the
>> test.
>>
>> In this particular config setup use "deny all" instead of "deny
>> !Group_Allowed".
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
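
The rule ordering discussed in this thread, as an added example that is not part of the original messages and is not Squid code: a small Python model of first-match http_access evaluation applied to the posted rules. It assumes the client address matches the Lan ACL (its definition is not shown in the thread) and that the "deny all" suggested in the reply takes the place of the commented-out deny line; the names CONFIGS, evaluate, NON_MEMBER and MEMBER are illustrative.

```python
# Added example: a small model of Squid http_access evaluation, not Squid code.
# Rules are checked top to bottom, ACLs on one line are ANDed, first match decides.

ALLOW_GROUP = "http_access allow Group_Allowed"
HEAD = ["http_access deny !Authentification", ALLOW_GROUP]
TAIL = ["http_access allow Lan", "http_access deny all"]

CONFIGS = {
    # As posted, with the "deny !Group_Allowed" line commented out.
    "posted": HEAD + TAIL,
    # With the commented-out line enabled again.
    "deny_not_group": HEAD + ["http_access deny !Group_Allowed"] + TAIL,
    # Assumed placement of the "deny all" advice from the reply.
    "deny_all_first": HEAD + ["http_access deny all"] + TAIL,
}

# ACLs that need login credentials (proxy_auth, or an external ACL using %LOGIN).
LOGIN_ACLS = {"Authentification", "Group_Allowed"}

def acl_matches(token, facts):
    """True when one ACL token ("Name" or "!Name") matches the request facts."""
    negated = token.startswith("!")
    name = token.lstrip("!")
    value = True if name == "all" else facts[name]
    return value != negated

def evaluate(rules, facts):
    """Return (result, deciding_line); result is 'allow', '403' or '407'."""
    action = "allow"
    for line in rules:
        _, action, *acls = line.split()
        if all(acl_matches(a, facts) for a in acls):
            if action == "allow":
                return "allow", line
            # A deny whose last ACL is login-based re-challenges instead of refusing.
            code = "407" if acls[-1].lstrip("!") in LOGIN_ACLS else "403"
            return code, line
    # No line matched: the opposite of the last line's action applies.
    return ("403" if action == "allow" else "allow"), None

# Constructed case: valid login, not a member of Internet-Access, client inside Lan.
NON_MEMBER = {"Authentification": True, "Group_Allowed": False, "Lan": True}
MEMBER = dict(NON_MEMBER, Group_Allowed=True)

def run_all(facts):
    return {name: evaluate(rules, facts) for name, rules in CONFIGS.items()}

if __name__ == "__main__":
    for name, (result, line) in run_all(NON_MEMBER).items():
        print(f"{name:15} -> {result:5} by: {line}")
```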