Bug 31003 - squid/auth/allowed_groups weird interpretation in template /etc/univention/templates/files/etc/squid3/squid.conf
Status: RESOLVED DUPLICATE of bug 30969
Product: UCS@school
Classification: Unclassified
Component: Proxy services
UCS@school 3.1
Other Linux
Assigned To: Bugzilla Mailingliste
Reported: 2013-04-09 15:40 CEST by Roman Dietiker
Modified: 2013-04-10 08:48 CEST (History)
Description Roman Dietiker 2013-04-09 15:40:11 CEST
I had some trouble with the squid proxy on a UCS 3.1 installation with UCS@school.
I found out that there is a rule called inetusers, and this references the file /etc/squid3/allowed_ldap_groups.conf.
The problem: I haven't set the variable squid/auth/allowed_groups, so the file was empty, but the rule was still in the config.

Therefore, when you unset the variable, the template still enters the if clause:
if configRegistry.get("squid/auth/allowed_groups") != "":
                print "# Allow access based on ldap group membership"
                ldapGroup = 'external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group'
                ldapGroup += ' -h %s'  % configRegistry.get("ldap/server/name", "")
                ldapGroup += ' -p %d'  % int(configRegistry.get("ldap/server/port", 7389))
                ldapGroup += ' -B "%s"' % configRegistry.get("ldap/base", "")
                ldapGroup += ' -b "%s"' % configRegistry.get("ldap/base", "")
                ldapGroup += ' -D "%s"' % configRegistry.get("ldap/hostdn", "")
                if configRegistry.is_true('squid/ntlmauth'):
                        ldapGroup += ' -S'
                if configRegistry.is_true('squid/krb5auth'):
                        ldapGroup += ' -K'
                ldapGroup += ' -s sub'
                ldapGroup += ' -F "(uid=%s)"'
                ldapGroup += ' -W /etc/squid3.secret'
                ldapGroup += ' -f "(&(objectclass=univentionGroup)(uniqueMember=%u)(cn=%g))"'
                print ldapGroup

                print 'acl inetusers external ldap_group "/etc/squid3/allowed_ldap_groups.conf"'
                print 'http_access deny !inetusers'

Maybe it would be smarter to check if the variable is set at all?

All the best
Roman
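
The behaviour described in the report above, as an added example (not part of the original report, and neither Univention's template code nor the errata fix): when the key is unset, a dict-style get() returns None, and None != "" is true, so the deny rule is emitted against an empty group file. A plain dict stands in for configRegistry, render_guarded is a hypothetical stricter check, and the registry states and the group name are constructed.

```python
# Added illustration; a plain dict stands in for UCS's configRegistry
# (assumption: like dict.get, an unset key yields None).

ACL_LINES = [
    'acl inetusers external ldap_group "/etc/squid3/allowed_ldap_groups.conf"',
    'http_access deny !inetusers',
]
KEY = "squid/auth/allowed_groups"


def render_original(registry):
    """Check as quoted in the report: only an explicit empty string skips the block."""
    lines = []
    if registry.get(KEY) != "":  # None != "" is True, so an unset key passes
        lines.extend(ACL_LINES)
    return lines


def render_guarded(registry):
    """Hypothetical stricter check: emit the ACL only when a group is actually named."""
    lines = []
    value = registry.get(KEY)
    if value is not None and value.strip():
        lines.extend(ACL_LINES)
    return lines


def compare(cases):
    """Return {label: (original_emits_deny, guarded_emits_deny)} per registry state."""
    result = {}
    for label, registry in cases.items():
        result[label] = (
            bool(render_original(registry)),
            bool(render_guarded(registry)),
        )
    return result


# Constructed registry states, not taken from a real system.
CASES = {
    "unset": {},
    "empty": {KEY: ""},
    "blank": {KEY: "   "},
    "set": {KEY: "www-access"},
}

if __name__ == "__main__":
    for label, (orig, guarded) in compare(CASES).items():
        print(f"{label:6} original={orig!s:5} guarded={guarded!s:5}")
```

In the unset and whitespace-only states the original check still writes `http_access deny !inetusers` although no group can match, which denies every user; the guarded variant emits the rule only when a group name is present.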
Comment 1 Erik Damrose univentionstaff 2013-04-09 15:48:17 CEST
This bug should be fixed in errata84: http://errata.univention.de/3.1-errata84.html

Could you check if it still occurs after installing the update?
Comment 2 Roman Dietiker 2013-04-10 07:47:05 CEST
Yeah, it is fixed. And everything's working fine.
Comment 3 Erik Damrose univentionstaff 2013-04-10 08:48:59 CEST

*** This bug has been marked as a duplicate of bug 30969 ***