Hello,

I’m using SQUID 2.7 for Windows and I’m currently facing some difficulties setting up the ACLs we need.

So, we’re using squid_ldap_auth for authentication and we would like to use squid_ldap_group to allow members of the group “unrestricted” to have unrestricted access to the web. We use an Active Directory (Windows Server 2003).

To sum up, our needs are as follows:

All users are restricted from specific sites during working hours.
Specific users (members of the unrestricted group) are not restricted at any time.

The helpers are working and are returning correct values on the command line (OK or ERR based on parameters).

Our squid.conf configuration is as follows:

############################################
auth_param basic program c:/squid/libexec/squid_ldap_auth.exe -P -R \
    -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
    -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
    -w "*****" \
    -f "sAMAccountName=%s" -h "LDAP-HOST" -p "389"

acl authenticated proxy_auth REQUIRED

external_acl_type ldapgroup %LOGIN c:/squid/libexec/squid_ldap_group.exe \
    -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
    -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=Users,dc=MY,dc=COMPANY,dc=COM))" \
    -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
    -w "*****" -h "LDAP-HOST" -p "389"

# acl that will match users against the active directory group “unrestricted”
acl ldapgroup-unrestricted external ldapgroup unrestricted

# acl for miscellaneous sites unrelated to work we would like to block – contents in the unrelated.txt file.
acl work_unrelated dstdomain -i unrelated.txt

# time window for which unrelated websites are allowed to be accessed.
acl acl_lunchbreak_time time M T W H F 12:00-13:59

# Denying access to all users except for members of the unrestricted group
http_access deny work_unrelated !ldapgroup-unrestricted

# Allowing access to work unrelated websites during lunchbreak for everyone
http_access deny work_unrelated !acl_lunchbreak_time

http_access allow authenticated
http_access deny all
##########################################

So, basically, the time restrictions work fine. The group restrictions don’t, and I’ve been wandering around the net for hours and I’m still wondering how to make it work.

It seems my ACLs are defined properly but probably my http_access lines aren’t.

Could you please help me out?

Thank you in advance for your time and answer.

Regards,
François
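
An added example, not part of the original post: a small Python model of how Squid evaluates `http_access` (lines are checked top to bottom, every ACL on a line must match, and the first matching line decides), applied to the four rule lines as posted and to a hypothetical single combined deny line. It assumes an authenticated user requesting a site listed in unrelated.txt; the `COMBINED` rule set and all function names are illustrative assumptions.

```python
# Added illustration: a minimal model of Squid's http_access evaluation.
# Top-to-bottom, ACLs on one line are ANDed, "!" negates, first match wins.

def evaluate(rules, facts):
    """Return the action of the first rule whose ACLs all match `facts`."""
    for action, acls in rules:
        if all(facts[a.lstrip("!")] != a.startswith("!") for a in acls):
            return action
    return "deny"  # not reached: both rule sets below end with "deny all"

# The http_access lines exactly as posted.
POSTED = [
    ("deny", ["work_unrelated", "!ldapgroup-unrestricted"]),
    ("deny", ["work_unrelated", "!acl_lunchbreak_time"]),
    ("allow", ["authenticated"]),
    ("deny", ["all"]),
]

# Hypothetical alternative (an assumption, not from the post): one deny line
# that fires only when the site is unrelated AND it is outside the lunch
# window AND the user is not in the unrestricted group.
COMBINED = [
    ("deny", ["work_unrelated", "!acl_lunchbreak_time", "!ldapgroup-unrestricted"]),
    ("allow", ["authenticated"]),
    ("deny", ["all"]),
]

def decision_table(rules):
    """Map (group_member, lunch_time) -> decision for an unrelated site."""
    table = {}
    for member in (True, False):
        for lunch in (True, False):
            facts = {
                "work_unrelated": True,   # constructed request: blocked-list site
                "authenticated": True,    # constructed request: valid login
                "all": True,
                "ldapgroup-unrestricted": member,
                "acl_lunchbreak_time": lunch,
            }
            table[(member, lunch)] = evaluate(rules, facts)
    return table

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("combined", COMBINED)):
        for (member, lunch), verdict in decision_table(rules).items():
            print(f"{name:8} member={member!s:5} lunch={lunch!s:5} -> {verdict}")
```

In this model the two separate deny lines act as an OR of the two conditions, so a group member is still denied outside the lunch window by the second line, while the combined line denies only non-members outside the lunch window.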