Thank you Amos for your input, I tried adapting my squid.conf file but users in my "unrestricted" group get denied as well. I will now try Marcio Garcia's solution to see if it works, but I really would like to have only one group to manage.

PS: Amos, I took into account your remarks but in fact my copy paste of the file was wrong and I use this setting:

acl work_unrelated dstdomain -i "/etc/squid_dev/work_unrelated.txt" # Definition of the sites unrelated to work

Having spaces between the work days of the time ACL works flawlessly (tested and approved).

On Tue, Dec 14, 2010 at 11:51 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On Tue, 14 Dec 2010 15:44:43 +0100, François Bastien <frabas@xxxxxxxxx> wrote:
>> Hello,
>>
>> I’m using SQUID 2.7 for Windows and I’m currently facing some difficulties to set up the ACL’s we need.
>> So, we’re using squid_ldap_auth for authentication and we would like to use squid_ldap_group to allow members of the group “unrestricted” to have unrestricted access to the web.
>> We use an Active Directory (Windows Server 2003).
>>
>> To sum up, our needs are as follows:
>> All users are restricted from specific sites during working hours.
>> Specific users (members of the unrestricted group) are not restricted at any time.
>>
>> The helpers are working and are returning correct values in command line (OK or ERR based on parameters).
>> Our squid.conf configuration is as follows:
>>
>> ############################################
>>
>> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe -P -R \
>> -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>> -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>> -w "*****" \
>> -f "sAMAccountName=%s" -h "LDAP-HOST" -p "389"
>>
>> acl authenticated proxy_auth REQUIRED
>>
>> external_acl_type ldapgroup %LOGIN c:/squid/libexec/squid_ldap_group.exe \
>> -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>> -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=Users,dc=MY,dc=COMPANY,dc=COM))" \
>> -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>> -w "*****" -h "LDAP-HOST" -p "389"
>>
>> # acl that will match users against the active directory group “unrestricted”
>> acl ldapgroup-unrestricted external ldapgroup unrestricted
>>
>> # acl for miscellaneous sites unrelated to work we would like to block – contents in the unrelated.txt file.
>> acl work_unrelated dstdomain -i unrelated.txt
>
> I don't think IANA have released the ".txt" top level domain yet. Also the domain name "-i" will not be matching anything.
>
> Are these dstdomain format domain names in the file?
>
>> # time window for which unrelated websites are allowed to be accessed.
>> acl acl_lunchbreak_time time M T W H F 12:00-13:59
>
> The day specifier must not contain spaces AFAIK. ie it should be "MTWHF"
>
>> # Denying access to all users except for members of the unrestricted group
>> http_access deny work_unrelated !ldapgroup-unrestricted
>
> So where is the allow for the unrestricted group? The next http_access line below will be to block them as well.
>
>> # Allowing access to work unrelated websites during lunchbreak for everyone
>> http_access deny work_unrelated !acl_lunchbreak_time
>>
>> http_access allow authenticated
>> http_access deny all
>>
>> ##########################################
>>
>> So, basically, the time restrictions work fine.
>
> Really? wow. Or did you only test this on a Monday/Friday during work hours?
>
>> The group restrictions don’t and I’ve been wandering around the net for hours and I’m still wondering how to make it work.
>>
>> It seems my acls are defined properly but probably my http_access aren’t.
>>
>> Could you please help me out?
>
> This is what I would have written (including the ACLs which appear to have definition problems):
>
> # acl for miscellaneous sites unrelated to work we would like to block – contents in the unrelated.txt file.
> acl work_unrelated dstdomain "/full/path/to/unrelated.txt"
>
> # time window for which unrelated websites are allowed to be accessed.
> acl acl_lunchbreak_time time MTWHF 12:00-13:59
>
> # allow members of the unrestricted group unrestricted access
> http_access allow ldapgroup-unrestricted
>
> # Allowing access to work unrelated websites during lunchbreak for everyone
> http_access deny work_unrelated !acl_lunchbreak_time
>
> http_access allow authenticated
> http_access deny all
>
> Amos
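Added example, not from the thread or from Squid itself: a small Python model of how Squid walks http_access lines (top to bottom, all ACLs on a line ANDed, a leading "!" negating, first matching line wins), run over both rule orders quoted above to show why the original order denies an "unrestricted" member during working hours and Amos's order does not. The ACL names are the ones from the thread; the request facts are constructed.

```python
# Squid evaluates http_access lines in order. A line matches when every ACL
# on it matches ("!" negates one ACL); the first matching line decides.
# If no line matches, Squid applies the opposite of the last line's action.

# Rule order from the original squid.conf in the thread.
ORIGINAL_RULES = [
    ("deny",  ["work_unrelated", "!ldapgroup-unrestricted"]),
    ("deny",  ["work_unrelated", "!acl_lunchbreak_time"]),
    ("allow", ["authenticated"]),
    ("deny",  ["all"]),
]

# Rule order suggested by Amos: the group allow comes first.
SUGGESTED_RULES = [
    ("allow", ["ldapgroup-unrestricted"]),
    ("deny",  ["work_unrelated", "!acl_lunchbreak_time"]),
    ("allow", ["authenticated"]),
    ("deny",  ["all"]),
]


def acl_matches(name, request):
    """True when one ACL term (possibly negated with '!') matches the request.
    `request` maps ACL names to whether they match for this request."""
    if name == "all":
        return True
    negate = name.startswith("!")
    return request.get(name.lstrip("!"), False) != negate


def http_access(rules, request):
    """Return 'allow' or 'deny' the way Squid would for this rule list."""
    for action, acls in rules:
        if all(acl_matches(a, request) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed request: an authenticated member of "unrestricted" opening a
# work-unrelated site during working hours (outside the lunch-break window).
UNRESTRICTED_AT_WORK = {
    "authenticated": True,
    "ldapgroup-unrestricted": True,
    "work_unrelated": True,
    "acl_lunchbreak_time": False,
}

if __name__ == "__main__":
    print("original :", http_access(ORIGINAL_RULES, UNRESTRICTED_AT_WORK))
    print("suggested:", http_access(SUGGESTED_RULES, UNRESTRICTED_AT_WORK))
```

In the original order the second deny line matches the group member (work_unrelated is true, lunch break is false) before any allow is reached, which is the point Amos makes about the next http_access line blocking them as well.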