[squid-users] squid_ldap_group : need help for setting up time and group restriction ACLs...

From: François Bastien <frabas_at_gmail.com>
Date: Tue, 14 Dec 2010 15:44:43 +0100

Hello,

I’m using SQUID 2.7 for Windows and I’m currently facing some
difficulties setting up the ACLs we need.
So, we’re using squid_ldap_auth for authentication and we would like
to use squid_ldap_group to allow members of the group “unrestricted”
to have unrestricted access to the web.
We use an Active Directory (Windows Server 2003).

To sum up, our needs are as follows:
All users are restricted from specific sites during working hours.
Specific users (members of the unrestricted group) are not restricted
at anytime.

The helpers are working and are returning correct values in command
line. (OK or ERR based on parameters).
Our squid.conf configuration is as follows:

############################################

auth_param basic program c:/squid/libexec/squid_ldap_auth.exe -P -R \
       -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
       -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
       -w "*****" \
       -f "sAMAccountName=%s" -h "LDAP-HOST" -p "389"

acl authenticated proxy_auth REQUIRED

external_acl_type ldapgroup %LOGIN c:/squid/libexec/squid_ldap_group.exe \
       -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
       -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=Users,dc=MY,dc=COMPANY,dc=COM))" \
       -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
       -w "*****" -h "LDAP-HOST" -p "389"

# acl that will match users against the active directory group "unrestricted"
acl ldapgroup-unrestricted external ldapgroup unrestricted

# acl for miscellaneous sites unrelated to work we would like to block
# (contents in the unrelated.txt file).
acl work_unrelated dstdomain -i unrelated.txt

# time window for which unrelated websites are allowed to be accessed.
acl acl_lunchbreak_time time M T W H F 12:00-13:59

# Denying access to all users except for members of the unrestricted group
http_access deny work_unrelated !ldapgroup-unrestricted

# Allowing access to work unrelated websites during lunchbreak for everyone
http_access deny work_unrelated !acl_lunchbreak_time

http_access allow authenticated
http_access deny all

##########################################

So, basically, the time restrictions work fine.
The group restrictions don’t and I’ve been wandering around the net
for hours and I’m still wondering how to make it work.

It seems my acls are defined properly but probably my http_access aren’t.

Could you please help me out?
Thank you in advance for your time and answer.

Regards,

François
Received on Tue Dec 14 2010 - 14:44:51 MST
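Added example, not part of the original message or of Squid itself: a small model of how Squid evaluates `http_access` lines (top to bottom, every term on a line must match, first matching line decides, no match gives the opposite of the last line's action) run over the rule order posted above and over a reordered version. The group membership, the lunch-break hours and the contents of unrelated.txt are constructed stand-ins for the LDAP helper, the clock and the file; the reordered rule list is this example's own suggestion, not text from the post.

```python
"""
Model of Squid http_access evaluation (added example, not Squid code).

Semantics reproduced here:
  * lines are evaluated top to bottom;
  * all ACL terms on one line must match (logical AND), '!' negates a term;
  * the first line whose terms all match decides allow/deny;
  * if no line matches, the opposite of the last line's action applies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str            # %LOGIN as the external ACL helper would see it
    dst: str             # destination host of the request
    hour: int            # local hour of the request, 0-23
    authenticated: bool = True


# Constructed sample data standing in for the helpers and files in the post.
UNRESTRICTED_GROUP = {"alice"}                         # squid_ldap_group -> OK
UNRELATED_SITES = {"games.example", "video.example"}   # lines of unrelated.txt

ACLS = {
    "authenticated": lambda r: r.authenticated,
    "ldapgroup-unrestricted": lambda r: r.user in UNRESTRICTED_GROUP,
    "work_unrelated": lambda r: r.dst in UNRELATED_SITES,
    "acl_lunchbreak_time": lambda r: 12 <= r.hour <= 13,   # 12:00-13:59
    "all": lambda r: True,
}


def term_matches(term: str, req: Request) -> bool:
    """Evaluate one ACL term, honouring a leading '!' negation."""
    negate = term.startswith("!")
    name = term.lstrip("!")
    return ACLS[name](req) != negate


def http_access(rules: list[str], req: Request) -> str:
    """Return 'allow' or 'deny' for req under the given http_access lines."""
    last_action = "deny"
    for line in rules:
        action, *terms = line.split()
        last_action = action
        if all(term_matches(t, req) for t in terms):
            return action
    # Squid: nothing matched -> opposite of the last line's action
    return "allow" if last_action == "deny" else "deny"


# Rule order exactly as posted in the message above.
POSTED_RULES = [
    "deny work_unrelated !ldapgroup-unrestricted",
    "deny work_unrelated !acl_lunchbreak_time",
    "allow authenticated",
    "deny all",
]

# Reordering suggested by this example (an assumption, not from the post):
# require authentication first so %LOGIN is populated, exempt the group
# explicitly, then apply the time window to everyone else.
REORDERED_RULES = [
    "deny !authenticated",
    "allow work_unrelated ldapgroup-unrestricted",
    "deny work_unrelated !acl_lunchbreak_time",
    "allow authenticated",
    "deny all",
]

CASES = {
    "member, unrelated site, 15h": Request("alice", "games.example", 15),
    "member, unrelated site, 12h": Request("alice", "games.example", 12),
    "regular, unrelated site, 12h": Request("bob", "games.example", 12),
    "regular, unrelated site, 15h": Request("bob", "games.example", 15),
    "regular, work site, 15h": Request("bob", "intranet.example", 15),
}


def decisions(rules: list[str]) -> dict[str, str]:
    """Verdict for every constructed case under one rule list."""
    return {label: http_access(rules, r) for label, r in CASES.items()}


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("reordered", REORDERED_RULES)):
        print(name)
        for label, verdict in decisions(rules).items():
            print(f"  {label:30} -> {verdict}")
```

Running it shows the effect of the posted order: the first `deny` line matches every non-member who visits a listed site, so regular users are blocked even during the lunch window, and only members ever reach the second line, where they are blocked outside the window. With the group exemption expressed as an `allow` placed before the time-based `deny`, members pass unconditionally and everyone else is subject only to the time window.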

This archive was generated by hypermail 2.2.0 : Wed Dec 15 2010 - 12:00:02 MST