At present, I have three groups.
browsers - Members get to browse at all times.
lunchbrowsers - Members can browse only between 12:30 to 14:00 hrs, Monday to Saturday
notbrowsers - Members will never get browsing access.
Users will belong only to one of these groups at a time. While the
objectives for ldap groups browsers and notbrowsers have been achieved,
lunchbrowsers are not able to access the cache at ALL times.
cache.log is attached for reference.
Relevant portions of squid.conf at the time of logging are pasted below:
external_acl_type ldapgroup %LOGIN /usr/local/squid/libexec/squid_ldap_group -b "O=Southern Railway" -f "(&(cn=%a)(member=cn=%v,O=Southern Railway)(objectClass=groupOfNames))" -h 10.5.2.191
acl authenticate proxy_auth REQUIRED
acl ldap_browse external ldapgroup browsers
acl ldap_notbrowse external ldapgroup notbrowsers
acl ldap_lunchbrowse external ldapgroup lunchbrowsers
acl permit_intranet dst 10.0.0.0/8
# modified this so that I can test during working hours
acl permit_lunchtime time MTWHFA 9:30-18:00
deny_info ERR_LUNCH_TIME ldap_lunchbrowse
acl no_porn_domain url_regex "/usr/local/squid/blacklists/porn/domains"
deny_info ERR_NO_PORN no_porn_domain
acl no_warez_domain url_regex "/usr/local/squid/blacklists/warez/domains"
deny_info ERR_NO_PORN no_warez_domain
acl no_ad_domain url_regex "/usr/local/squid/blacklists/ads/domains"
http_access allow permit_intranet
http_access deny no_porn_domain
http_access deny no_warez_domain
#http_access deny no_ad_domain
http_access allow ldap_lunchbrowse permit_lunchtime
http_access allow ldap_browse
http_access deny ldap_notbrowse
http_access deny all
Thanks for your patience :-)
Regards,
Michael Fuller
----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Michael Fuller / Hotmail" <fullerms@hotmail.com>
Cc: <squid-users@squid-cache.org>
Sent: Tuesday, November 12, 2002 6:08 PM
Subject: Re: [squid-users] HTTP access only foer certain times of the day
> I do not quite make sense of your groups and http_access rules.. can you
> describe the purpose of each group you have, and if users may belong to
> multiple groups or only one group?
>
> Remember that http_access is an ordered list of rules, and the first rule
> that fully matches the request tells if the request is to be allowed or
> denied. If the http_access line does not fully match the request then
> processing continues on the next line.
>
> But your debug logs are very confusing. Does not seem to match the
> http_access lines you posted, or even make sense.. Have you abbreviated
> your logs, skipping some "The request .... is ... because it matched
> ..."??
>
> Note: The "The reply for..." messages are irrelevant here. Those are from
> http_reply_access processing.
>
> Regards
> Henrik
>
> Tue 2002-11-12 at 11.14, Michael Fuller / Hotmail wrote:
> > Hi all,
> >
> > I am trying to implement squid_ldap_group in our network. I want to
> > construct an acl which will permit a group of users to browse ONLY during
> > 12:30 to 14:00 hrs, Monday to Saturday. However, these users are being
> > denied access at all times. The relevant lines from squid.conf are pasted
> > below, along with the logs for the ACL.
>
> > http_access allow permit_intranet
> > http_access deny no_porn_domain
> > http_access deny no_warez_domain
> > http_access deny no_ad_domain
> >
> > http_access allow ldap_lunchbrowse permit_lunchtime
> > http_access allow ldap_browse
> >
> > http_access deny ldap_notbrowse
> > http_access deny all
>
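
Added example, not part of the original messages and not Squid's own code: a Python model of the first-match evaluation described in the quoted reply, run over the http_access lines from the message with the 9:30-18:00 test window. The group lookup is a stand-in for the squid_ldap_group helper, the request dictionaries are constructed samples, and the blacklist lines are left out.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

DAYS = "MTWHFAS"  # Squid day letters, indexed by datetime.weekday() (Monday=0)

def time_acl(spec):
    """Build a matcher from a Squid time spec such as 'MTWHFA 9:30-18:00'."""
    days, span = spec.split()
    start, stop = (int(h) * 60 + int(m)
                   for h, m in (t.split(":") for t in span.split("-")))
    def match(req):
        now = req["when"]
        minute = now.hour * 60 + now.minute
        return DAYS[now.weekday()] in days and start <= minute <= stop
    return match

def group_acl(name):
    # Stand-in for squid_ldap_group: membership is read from the request dict.
    return lambda req: req["group"] == name

ACLS = {
    "permit_intranet": lambda req: ip_address(req["dst"]) in ip_network("10.0.0.0/8"),
    "permit_lunchtime": time_acl("MTWHFA 9:30-18:00"),
    "ldap_lunchbrowse": group_acl("lunchbrowsers"),
    "ldap_browse": group_acl("browsers"),
    "ldap_notbrowse": group_acl("notbrowsers"),
    "all": lambda req: True,
}

# The http_access lines from the message, in order (blacklist lines left out).
RULES = """\
allow permit_intranet
allow ldap_lunchbrowse permit_lunchtime
allow ldap_browse
deny ldap_notbrowse
deny all"""

def http_access(req):
    """Return (action, rule) for the first line whose ACLs ALL match."""
    for line in RULES.splitlines():
        action, *names = line.split()
        if all(ACLS[n](req) for n in names):
            return action, line
    raise LookupError("no rule matched")

def request(group, when, dst="198.51.100.7"):
    # Constructed sample request; the default dst is outside 10.0.0.0/8.
    return {"group": group, "when": datetime.fromisoformat(when), "dst": dst}
```

Comparing the rule this model returns for a given user and time against the "because it matched" lines in cache.log shows where the real evaluation departs from the intended one.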