Re: [squid-users] DENY_INFO question...

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 19 Jan 2004 23:41:10 +0100 (CET)

On Mon, 19 Jan 2004, JJ wrote:

> I am extending an ldap (e-directory) authenticator to give specific
> error codes related to the directory, ie (grace logins, unknown user,
> wrong password, in a denied group, multiple uid's, login hours.....) to
> help our users and help desk understand the exact problem with the auth
> failure.
>
> But, it seems that I can only have one deny_info per acl or
> external_acl.

Correct.

> I was attempting the following (also have tried with an external_acl):
>
> auth_param basic program /etc/squid/dirauth
> acl Allowed proxy_auth REQUIRED
>
> deny_info CUSTOM_ERR_USER_NONEXIST Allowed
> deny_info CUSTOM_ERR_USER_DENIED Allowed
> deny_info CUSTOM_ERR_MULTIPLE_UIDS Allowed
> deny_info CUSTOM_ERR_GRACE_LOGINS Allowed
>
> I get the custom error page CUSTOM_ERR_USER_NONEXIST, when any ERR
> error= is sent.

Correct.

> Is there any way that I can get multiple error codes out of an acl or
> external_acl with a deny_info? Or am I doing something wrong?

To give multiple error codes Squid must know how to distinguish the
different cases.

Note: auth helpers are not the same as external acls. In Squid-3 what you
ask for is implemented for external acls but not for authentication.

For Squid-2 there is a patch to add this kind of functionality to
authentication. <http://devel.squid-cache.org/old_projects.html#authinfo>.
I thought this had been merged into Squid-2.5 and later, but it seems this is
not the case, and some small but important pieces are missing in how the auth
helpers are supposed to indicate the reason to Squid.

Regards
Henrik
Received on Mon Jan 19 2004 - 15:41:16 MST
