Re: [squid-users] squid_ldap_group : need help for setting up time and group restriction ACLs...

From: François Bastien <frabas_at_gmail.com>
Date: Wed, 15 Dec 2010 12:48:03 +0100

Hey guys !

Still no luck.

I tried implementing Marcio's settings. It still does not work.

Find below again the lines in my squid.conf :

Marcio Garcia's solution :

acl authenticated proxy_auth REQUIRED
external_acl_type ldapgroup %LOGIN c:/squid/libexec/squid_ldap_group.exe \
        -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
        -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=Users,dc=MY,dc=COMPANY,dc=COM))" \
        -D "CN=SQUIDUSER,OU=Users,DC=MY,DC=COMPANY,DC=COM" -w "******" \
        -h "LDAP-HOST" -p "389"
acl ldapgroup-unrestricted external ldapgroup unrestricted
acl ldapgroup-restricted external ldapgroup restricted
acl work_unrelated dstdomain -i "/etc/squid_dev/work_unrelated.txt"
acl acl_lunchbreak_time time M T W H F 12:00-13:59

http_access allow ldapgroup-unrestricted work_unrelated
http_access deny ldapgroup-restricted work_unrelated !acl_lunchbreak_time
http_access allow authenticated
http_access deny all

#
This does not work. Everybody has access during working hours. (which
is not good)

Amos' suggestion :

http_access allow ldapgroup-unrestricted
http_access deny work_unrelated !acl_lunchbreak_time
http_access allow authenticated
http_access deny all

#
This still does not work. No one has access to work_unrelated sites,
but I need the unrestricted users to access them.

Sorry to bother you and thanks again.

François

On Wed, Dec 15, 2010 at 11:56 AM, François Bastien <frabas_at_gmail.com> wrote:
> Thank you Amos for your input,
>
> I tried adapting my squid.conf file but users in my "unrestricted"
> group get denied as well.
>
> I will now try Marcio Garcia's solution to see if it works, but I
> really would like to have only one group to manage.
>
> PS: Amos, I took into account your remarks, but in fact my copy-paste
> of the file was wrong and I use this setting:
>
> acl work_unrelated dstdomain -i "/etc/squid_dev/work_unrelated.txt"  # Definition of sites unrelated to work
>
> Having spaces between the work days of the time ACL works flawlessly.
> (tested and approved).
>
>
>
>
> On Tue, Dec 14, 2010 at 11:51 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On Tue, 14 Dec 2010 15:44:43 +0100, François Bastien <frabas_at_gmail.com>
>> wrote:
>>> Hello,
>>>
>>> I’m using SQUID 2.7 for Windows and I’m currently facing some
>>> difficulties to set up the ACL’s we need.
>>> So, we’re using squid_ldap_auth for authentication and we would like
>>> to use squid_ldap_group to allow members of the group “unrestricted”
>>> to have unrestricted access to the web.
>>> We use an Active Directory (Windows Server 2003).
>>>
>>> To sum up, our needs are as follows :
>>> All users are restricted from specific sites during working hours.
>>> Specific users (members of the unrestricted group) are not restricted
>>> at anytime.
>>>
>>> The helpers are working and are returning correct values in command
>>> line. (OK or ERR based on parameters).
>>> Our squid.conf configuration is as follows :
>>>
>>> ############################################
>>>
>>> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe -P -R \
>>>        -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>>>        -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>>>        -w "*****" \
>>>        -f "sAMAccountName=%s" -h "LDAP-HOST" -p "389"
>>>
>>> acl authenticated proxy_auth REQUIRED
>>>
>>> external_acl_type ldapgroup %LOGIN c:/squid/libexec/squid_ldap_group.exe \
>>>        -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>>>        -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=Users,dc=MY,dc=COMPANY,dc=COM))" \
>>>        -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>>>        -w "*****" -h "LDAP-HOST" -p "389"
>>>
>>> # acl that will match users against the active directory group "unrestricted"
>>> acl ldapgroup-unrestricted external ldapgroup unrestricted
>>>
>>> # acl for miscellaneous sites unrelated to work we would like to block - contents in the unrelated.txt file.
>>> acl work_unrelated dstdomain -i unrelated.txt
>>
>> I don't think IANA have released the ".txt" top level domain yet. Also the
>> domain name "-i" will not be matching anything.
>>
>> Are these dstdomain format domain names in the file?
>>
>>>
>>> # time window for which unrelated websites are allowed to be accessed.
>>> acl acl_lunchbreak_time time M T W H F 12:00-13:59
>>
>> The day specifier must not contain spaces AFAIK. ie it should be "MTWHF"
>>
>>>
>>> # Denying access to all users except for members of the unrestricted group
>>> http_access deny work_unrelated !ldapgroup-unrestricted
>>>
>>
>> So where is the allow for the unrestricted group? the next http_access
>> line below will be to block them as well.
>>
>>> # Allowing access to work unrelated websites during lunchbreak for everyone
>>> http_access deny work_unrelated !acl_lunchbreak_time
>>>
>>> http_access allow authenticated
>>> http_access deny all
>>>
>>> ##########################################
>>>
>>> So, basically, the time restrictions work fine.
>>
>> Really? wow. Or did you only test this on a Monday/Friday during work
>> hours?
>>
>>> The group restrictions don’t and I’ve been wandering around the net
>>> for hours and I’m still wondering how to make it work.
>>>
>>> It seems my acls are defined properly but probably my http_access aren't.
>>>
>>> Could you please help me out ?
>>
>> This is what I would have written (including the ACLs which appear to have
>> definition problems):
>>
>>
>>  # acl for miscellaneous sites unrelated to work we would like to block - contents in the unrelated.txt file.
>>  acl work_unrelated dstdomain "/full/path/to/unrelated.txt"
>>
>>  # time window for which unrelated websites are allowed to be accessed.
>>  acl acl_lunchbreak_time time MTWHF 12:00-13:59
>>
>>  # allow members of the unrestricted group unrestricted access
>>  http_access allow ldapgroup-unrestricted
>>
>>  # Allowing access to work unrelated websites during lunchbreak for everyone
>>  http_access deny work_unrelated !acl_lunchbreak_time
>>
>>  http_access allow authenticated
>>  http_access deny all
>>
>>
>> Amos
>>
>
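The two rule sets François reports on (Marcio Garcia's and Amos's) can be reasoned about with a small model of how Squid walks its http_access lines: lines are tested in order, a line matches only when every ACL on it matches (with "!" negating one ACL), the first matching line decides, and when nothing matches the result is the opposite of the last line's action. The Python below is an added example written for this thread, not Squid code and not anything posted by the participants; the user names, the stand-in for work_unrelated.txt, the hour of day and the answers attributed to the ldapgroup helper are all constructed sample data. It reproduces both of François's observations: under Marcio's rules a user that the helper puts in neither group falls through to "allow authenticated" during working hours, and under Amos's rules everyone is denied exactly when the helper never answers OK for the "unrestricted" group, which is the thing to check next (running squid_ldap_group.exe by hand with a user name and the group name, as was done for the auth helper).

```python
from dataclasses import dataclass

# Constructed stand-in for the domains listed in work_unrelated.txt.
WORK_UNRELATED = {"social.example", "video.example"}
# acl acl_lunchbreak_time time M T W H F 12:00-13:59 (weekday assumed).
LUNCH_HOURS = range(12, 14)

# The http_access lines exactly as posted in the thread, action first.
MARCIO_RULES = [
    "allow ldapgroup-unrestricted work_unrelated",
    "deny ldapgroup-restricted work_unrelated !acl_lunchbreak_time",
    "allow authenticated",
    "deny all",
]
AMOS_RULES = [
    "allow ldapgroup-unrestricted",
    "deny work_unrelated !acl_lunchbreak_time",
    "allow authenticated",
    "deny all",
]


@dataclass(frozen=True)
class Request:
    user: str            # "" models an unauthenticated request
    host: str            # destination host (dstdomain input)
    hour: int            # hour of day, 0-23
    groups: frozenset    # groups for which the ldapgroup helper answers OK (assumed)


def acl_matches(name, req):
    """Evaluate one named ACL from the thread's squid.conf against a request."""
    if name == "all":
        return True
    if name == "authenticated":          # proxy_auth REQUIRED
        return req.user != ""
    if name == "ldapgroup-unrestricted":  # external ldapgroup unrestricted
        return "unrestricted" in req.groups
    if name == "ldapgroup-restricted":    # external ldapgroup restricted
        return "restricted" in req.groups
    if name == "work_unrelated":          # dstdomain list
        return req.host in WORK_UNRELATED
    if name == "acl_lunchbreak_time":     # time ACL
        return req.hour in LUNCH_HOURS
    raise KeyError("unknown acl %s" % name)


def line_matches(acls, req):
    """A line matches only when every ACL on it matches ('!' negates one ACL)."""
    for acl in acls:
        negated = acl.startswith("!")
        if acl_matches(acl.lstrip("!"), req) == negated:
            return False
    return True


def http_access(rules, req):
    """Return 'allow' or 'deny' for req: first matching line wins."""
    last_action = "deny"
    for line in rules:
        action, *acls = line.split()
        last_action = action
        if line_matches(acls, req):
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if last_action == "allow" else "allow"


def thread_scenarios():
    """The situations described in the thread, as (label -> decision)."""
    plain = frozenset()                      # helper answers ERR for both groups
    unrestricted = frozenset({"unrestricted"})
    restricted = frozenset({"restricted"})
    return {
        "marcio/no group/10h": http_access(MARCIO_RULES, Request("alice", "social.example", 10, plain)),
        "marcio/restricted/10h": http_access(MARCIO_RULES, Request("carol", "social.example", 10, restricted)),
        "amos/helper never OK/10h": http_access(AMOS_RULES, Request("bob", "social.example", 10, plain)),
        "amos/helper OK/10h": http_access(AMOS_RULES, Request("bob", "social.example", 10, unrestricted)),
        "amos/no group/lunch": http_access(AMOS_RULES, Request("alice", "social.example", 12, plain)),
        "amos/unauthenticated": http_access(AMOS_RULES, Request("", "news.example", 10, plain)),
    }


if __name__ == "__main__":
    for label, decision in thread_scenarios().items():
        print("%-26s %s" % (label, decision))
```

Changing the group membership handed to Request is the quickest way to see that Amos's rule order is sound in this model; the only input that turns his first line into "allow" is the helper answering OK for the unrestricted group.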
Received on Wed Dec 15 2010 - 11:48:05 MST
