On Tue, 14 Dec 2010 15:44:43 +0100, François Bastien <frabas@xxxxxxxxx> wrote:
> Hello,
>
> I'm using SQUID 2.7 for Windows and I'm currently facing some
> difficulties to set up the ACLs we need.
> So, we're using squid_ldap_auth for authentication and we would like
> to use squid_ldap_group to allow members of the group "unrestricted"
> to have unrestricted access to the web.
> We use an Active Directory (Windows Server 2003).
>
> To sum up, our needs are as follows:
> All users are restricted from specific sites during working hours.
> Specific users (members of the unrestricted group) are not restricted
> at any time.
>
> The helpers are working and are returning correct values on the command
> line (OK or ERR based on parameters).
> Our squid.conf configuration is as follows:
>
> ############################################
>
> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe -P -R \
>     -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>     -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>     -w "*****" \
>     -f "sAMAccountName=%s" -h "LDAP-HOST" -p "389"
>
> acl authenticated proxy_auth REQUIRED
>
> external_acl_type ldapgroup %LOGIN c:/squid/libexec/squid_ldap_group.exe \
>     -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>     -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=Users,dc=MY,dc=COMPANY,dc=COM))" \
>     -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>     -w "*****" -h "LDAP-HOST" -p "389"
>
> # acl that will match users against the active directory group "unrestricted"
> acl ldapgroup-unrestricted external ldapgroup unrestricted
>
> # acl for miscellaneous sites unrelated to work we would like to block
> # - contents in the unrelated.txt file.
> acl work_unrelated dstdomain -i unrelated.txt

I don't think IANA have released the ".txt" top level domain yet. Also the domain name "-i" will not match anything.
Are these dstdomain-format domain names in the file?

>
> # time window for which unrelated websites are allowed to be accessed.
> acl acl_lunchbreak_time time M T W H F 12:00-13:59

The day specifier must not contain spaces AFAIK. i.e. it should be "MTWHF"

>
> # Denying access to all users except for members of the unrestricted group
> http_access deny work_unrelated !ldapgroup-unrestricted
>

So where is the allow for the unrestricted group? The next http_access line below will block them as well.

> # Allowing access to work unrelated websites during lunchbreak for everyone
> http_access deny work_unrelated !acl_lunchbreak_time
>
> http_access allow authenticated
> http_access deny all
>
> ##########################################
>
> So, basically, the time restrictions work fine.

Really? wow. Or did you only test this on a Monday/Friday during work hours?

> The group restrictions don't and I've been wandering around the net
> for hours and I'm still wondering how to make it work.
>
> It seems my acls are defined properly but probably my http_access aren't.
>
> Could you please help me out?

This is what I would have written (including the ACLs which appear to have definition problems):

# acl for miscellaneous sites unrelated to work we would like to block
# - contents in the unrelated.txt file.
acl work_unrelated dstdomain "/full/path/to/unrelated.txt"

# time window for which unrelated websites are allowed to be accessed.
acl acl_lunchbreak_time time MTWHF 12:00-13:59

# allow members of the unrestricted group unrestricted access
http_access allow ldapgroup-unrestricted

# Allowing access to work unrelated websites during lunchbreak for everyone
http_access deny work_unrelated !acl_lunchbreak_time

http_access allow authenticated
http_access deny all

Amos
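Added example (not code from the thread, and not Squid's own evaluator): a small Python model of Squid's first-match http_access evaluation, run against both the rule order posted in the question and the order Amos suggests. It shows why the original order denies unrestricted-group members during work hours (the first line lets them through, the second line catches them) and also why the lunch-break allowance never fires for other users (the first line already denied them). The unrelated.txt contents, the group membership and the request times are constructed for illustration; the 407 challenge that proxy_auth REQUIRED would send for an unauthenticated request is not modelled.

```python
"""Model of Squid's first-match http_access evaluation, used to compare the
rule order posted in the question with the order suggested in the reply.
Added example; group members, domain list and request times are constructed."""
from datetime import datetime

# Constructed stand-ins for the contents of unrelated.txt and for the
# members of the AD group "unrestricted" (what squid_ldap_group would answer).
WORK_UNRELATED = {"games.example", "social.example"}
UNRESTRICTED_GROUP = {"alice"}


def dstdomain(domains, host):
    """Squid dstdomain: an entry matches the host itself and every subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def time_acl(days, start, end, when):
    """Squid time ACL: day letters S M T W H F A (no spaces) plus an h1:m1-h2:m2 window."""
    letter = "MTWHFAS"[when.weekday()]      # datetime.weekday(): Monday == 0
    minute = when.hour * 60 + when.minute
    return letter in days and start <= minute <= end


def acls(req):
    """Evaluate every named ACL for one request, mirroring the acl lines in the thread.
    A request without credentials is simply 'not authenticated' here."""
    return {
        "authenticated": req["user"] is not None,
        "ldapgroup-unrestricted": req["user"] in UNRESTRICTED_GROUP,
        "work_unrelated": dstdomain(WORK_UNRELATED, req["host"]),
        "acl_lunchbreak_time": time_acl("MTWHF", 12 * 60, 13 * 60 + 59, req["when"]),
        "all": True,
    }


def http_access(rules, req):
    """First matching line wins; a line matches only when all of its ACLs match,
    with '!' negating an ACL. With 'deny all' last, the fall-through is unreachable."""
    values = acls(req)
    for action, *terms in rules:
        if all(not values[t[1:]] if t.startswith("!") else values[t] for t in terms):
            return action
    return "deny"


# http_access lines exactly as posted in the question
ORIGINAL_RULES = [
    ("deny", "work_unrelated", "!ldapgroup-unrestricted"),
    ("deny", "work_unrelated", "!acl_lunchbreak_time"),
    ("allow", "authenticated"),
    ("deny", "all"),
]

# http_access lines as rewritten in the reply: the allow for the group comes first
CORRECTED_RULES = [
    ("allow", "ldapgroup-unrestricted"),
    ("deny", "work_unrelated", "!acl_lunchbreak_time"),
    ("allow", "authenticated"),
    ("deny", "all"),
]


def request(user, host, when):
    return {"user": user, "host": host, "when": when}


def compare(req):
    """Return (decision under the original order, decision under the corrected order)."""
    return http_access(ORIGINAL_RULES, req), http_access(CORRECTED_RULES, req)


if __name__ == "__main__":
    work_hours = datetime(2010, 12, 14, 10, 30)   # Tuesday, the day of the thread
    lunch = datetime(2010, 12, 14, 12, 30)
    for who, host, when in [("alice", "www.games.example", work_hours),
                            ("bob", "www.games.example", work_hours),
                            ("bob", "www.games.example", lunch),
                            ("bob", "intranet.example", work_hours)]:
        print(who, host, when.strftime("%a %H:%M"), compare(request(who, host, when)))
```

Under the original order, alice (a group member) is denied games.example at 10:30 and bob is denied it even at 12:30; under the corrected order alice is always allowed and bob gets it only during the lunch window, which is the behaviour the question asked for.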