Hello all,
Can somebody help me out on this please? I am going around in circles :-(
Thanks and regards,
Michael Fuller
----- Original Message -----
From: "Michael Fuller / Hotmail" <fullerms@hotmail.com>
To: "Henrik Nordstrom" <hno@squid-cache.org>
Cc: <squid-users@squid-cache.org>
Sent: Wednesday, November 13, 2002 12:22 PM
Subject: Re: [squid-users] HTTP access only for certain times of the day
> At present, I have three groups.
>
> browsers - Members get to browse at all times.
> lunchbrowsers - Members can browse only between 12:30 to 14:00 hrs,
> Monday to Saturday
> notbrowsers - Members will never get browsing access.
>
> Users will belong only to one of these groups at a time. While the
> objectives for ldap groups browsers and notbrowsers have been achieved,
> lunchbrowsers are not able to access the cache at ALL times.
>
> cache.log is attached for reference.
>
> relevant portions of squid.conf at the time of logging are pasted below
>
> external_acl_type ldapgroup %LOGIN /usr/local/squid/libexec/squid_ldap_group -b "O=Southern Railway" -f "(&(cn=%a)(member=cn=%v,O=Southern Railway)(objectClass=groupOfNames))" -h 10.5.2.191
>
>
> acl authenticate proxy_auth REQUIRED
> acl ldap_browse external ldapgroup browsers
> acl ldap_notbrowse external ldapgroup notbrowsers
> acl ldap_lunchbrowse external ldapgroup lunchbrowsers
> acl permit_intranet dst 10.0.0.0/8
>
> # modified this so that I can test during working hours
> acl permit_lunchtime time MTWHFA 9:30-18:00
> deny_info ERR_LUNCH_TIME ldap_lunchbrowse
>
> acl no_porn_domain url_regex "/usr/local/squid/blacklists/porn/domains"
> deny_info ERR_NO_PORN no_porn_domain
>
> acl no_warez_domain url_regex "/usr/local/squid/blacklists/warez/domains"
> deny_info ERR_NO_PORN no_warez_domain
>
> acl no_ad_domain url_regex "/usr/local/squid/blacklists/ads/domains"
>
>
>
> http_access allow permit_intranet
> http_access deny no_porn_domain
> http_access deny no_warez_domain
> #http_access deny no_ad_domain
>
> http_access allow ldap_lunchbrowse permit_lunchtime
> http_access allow ldap_browse
> http_access deny ldap_notbrowse
>
> http_access deny all
>
>
>
> Thanks for your patience :-)
>
> Regards,
> Michael Fuller
>
>
> ----- Original Message -----
> From: "Henrik Nordstrom" <hno@squid-cache.org>
> To: "Michael Fuller / Hotmail" <fullerms@hotmail.com>
> Cc: <squid-users@squid-cache.org>
> Sent: Tuesday, November 12, 2002 6:08 PM
> Subject: Re: [squid-users] HTTP access only for certain times of the day
>
>
> > I cannot quite make sense of your groups and http_access rules. Can you
> > describe the purpose of each group you have, and if users may belong to
> > multiple groups or only one group?
> >
> > Remember that http_access is an ordered list of rules, and the first rule
> > that fully matches the request tells if the request is to be allowed or
> > denied. If the http_access line does not fully match the request then
> > processing continues on the next line.
> >
> > But your debug logs are very confusing. They do not seem to match the
> > http_access lines you posted, or even make sense. Have you abbreviated
> > your logs, skipping some "The request .... is ... because it matched
> > ..."?
> >
> > Note: The "The reply for..." messages are irrelevant here. Those are from
> > http_reply_access processing.
> >
> > Regards
> > Henrik
> >
> > On Tue 2002-11-12 at 11.14, Michael Fuller / Hotmail wrote:
> > > Hi all,
> > >
> > > I am trying to implement squid_ldap_group in our network. I want to
> > > construct an acl which will permit a group of users to browse ONLY
> > > during 12:30 to 14:00 hrs, Monday to Saturday. However, these users
> > > are being denied access at all times. The relevant lines from
> > > squid.conf are pasted below, along with the logs for the ACL.
> >
> > > http_access allow permit_intranet
> > > http_access deny no_porn_domain
> > > http_access deny no_warez_domain
> > > http_access deny no_ad_domain
> > >
> > > http_access allow ldap_lunchbrowse permit_lunchtime
> > > http_access allow ldap_browse
> > >
> > > http_access deny ldap_notbrowse
> > > http_access deny all
> >
>
>
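
The first-match evaluation Henrik describes, modelled as an added example (not part of the original thread and not Squid code). It uses the http_access order from the message with the intended 12:30-14:00 window; group membership is passed in directly instead of coming from the LDAP helper, the blacklist rules are left out, and the destination address and request times are constructed.

```python
# Toy model of Squid http_access processing; names below are illustrative.
import ipaddress
from datetime import datetime

DAY_CODES = "MTWHFAS"  # Squid day letters, indexed by datetime.weekday() (Mon=0 .. Sun=6)

def time_acl(spec):
    """Build a matcher from a Squid-style time spec such as 'MTWHFA 12:30-14:00'."""
    days, span = spec.split()
    start, end = (tuple(int(p) for p in t.split(":")) for t in span.split("-"))
    def match(req):
        now = req["when"]
        return DAY_CODES[now.weekday()] in days and start <= (now.hour, now.minute) <= end
    return match

def group_acl(group):
    # Stands in for the external ldapgroup helper (assumption: one group per user).
    return lambda req: req["group"] == group

ACLS = {
    "permit_intranet": lambda req: ipaddress.ip_address(req["dst"])
                                   in ipaddress.ip_network("10.0.0.0/8"),
    "ldap_lunchbrowse": group_acl("lunchbrowsers"),
    "ldap_browse": group_acl("browsers"),
    "ldap_notbrowse": group_acl("notbrowsers"),
    "permit_lunchtime": time_acl("MTWHFA 12:30-14:00"),
    "all": lambda req: True,
}

RULES = [  # same order as the http_access lines in the thread
    ("allow", ["permit_intranet"]),
    ("allow", ["ldap_lunchbrowse", "permit_lunchtime"]),
    ("allow", ["ldap_browse"]),
    ("deny", ["ldap_notbrowse"]),
    ("deny", ["all"]),
]

def http_access(req):
    """Return (action, rule_index) for the first rule whose ACLs ALL match."""
    for index, (action, names) in enumerate(RULES):
        if all(ACLS[name](req) for name in names):
            return action, index
    return "deny", None  # not reached here: the final 'deny all' always matches

def request(group, when, dst="192.0.2.10"):  # constructed sample request
    return {"group": group, "when": datetime.fromisoformat(when), "dst": dst}
```

In this model a lunchbrowsers member is allowed by the second rule inside the window and falls through to "deny all" outside it, so the rule order posted in the thread is consistent with the stated goal.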