Hey guys! Still no luck. I tried implementing Marcio's settings. It still
does not work. Find below again the lines in my squid.conf:

Marcio Garcia's solution:

acl authenticated proxy_auth REQUIRED

external_acl_type ldapgroup %LOGIN c:/squid/libexec/squid_ldap_group.exe \
  -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
  -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=Users,dc=MY,dc=COMPANY,dc=COM))" \
  -D "CN=SQUIDUSER,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
  -w "******" -h "LDAP-HOST" -p "389"

acl ldapgroup-unrestricted external ldapgroup unrestricted
acl ldapgroup-restricted external ldapgroup restricted
acl work_unrelated dstdomain -i "/etc/squid_dev/work_unrelated.txt"
acl acl_lunchbreak_time time M T W H F 12:00-13:59

http_access allow ldapgroup-unrestricted work_unrelated
http_access deny ldapgroup-restricted work_unrelated !acl_lunchbreak_time
http_access allow authenticated
http_access deny all

# This does not work. Everybody has access during working hours. (which is not good)

Amos' suggestion:

http_access allow ldapgroup-unrestricted
http_access deny work_unrelated !acl_lunchbreak_time
http_access allow authenticated
http_access deny all

# This still does not work. No one has access to work_unrelated sites, but I need the unrestricted users to access it.

Sorry to bother you and thanks again.

François

On Wed, Dec 15, 2010 at 11:56 AM, François Bastien <frabas@xxxxxxxxx> wrote:
> Thank you Amos for your input,
>
> I tried adapting my squid.conf file but users in my "unrestricted"
> group get denied as well.
>
> I will now try Marcio Garcia's solution to see if it works, but I
> really would like to have only one group to manage.
>
> PS: Amos, I took into account your remarks but in fact my copy-paste
> of the file was wrong and I use this setting:
>
> acl work_unrelated dstdomain -i "/etc/squid_dev/work_unrelated.txt" # Definition of sites not related to work
>
> Having spaces between the work days of the time ACL works flawlessly
> (tested and approved).
>
> On Tue, Dec 14, 2010 at 11:51 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On Tue, 14 Dec 2010 15:44:43 +0100, François Bastien <frabas@xxxxxxxxx>
>> wrote:
>>> Hello,
>>>
>>> I'm using SQUID 2.7 for Windows and I'm currently facing some
>>> difficulties to set up the ACLs we need.
>>> So, we're using squid_ldap_auth for authentication and we would like
>>> to use squid_ldap_group to allow members of the group "unrestricted"
>>> to have unrestricted access to the web.
>>> We use an Active Directory (Windows Server 2003).
>>>
>>> To sum up, our needs are as follows:
>>> All users are restricted from specific sites during working hours.
>>> Specific users (members of the unrestricted group) are not restricted
>>> at any time.
>>>
>>> The helpers are working and are returning correct values on the command
>>> line (OK or ERR based on parameters).
>>> Our squid.conf configuration is as follows:
>>>
>>> ############################################
>>>
>>> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe -P -R \
>>>   -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>>>   -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>>>   -w "*****" \
>>>   -f "sAMAccountName=%s" -h "LDAP-HOST" -p "389"
>>>
>>> acl authenticated proxy_auth REQUIRED
>>>
>>> external_acl_type ldapgroup %LOGIN c:/squid/libexec/squid_ldap_group.exe \
>>>   -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>>>   -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=Users,dc=MY,dc=COMPANY,dc=COM))" \
>>>   -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>>>   -w "*****" -h "LDAP-HOST" -p "389"
>>>
>>> # acl that will match users against the active directory group "unrestricted"
>>> acl ldapgroup-unrestricted external ldapgroup unrestricted
>>>
>>> # acl for miscellaneous sites unrelated to work we would like to block
>>> # - contents in the unrelated.txt file.
>>> acl work_unrelated dstdomain -i unrelated.txt
>>
>> I don't think IANA have released the ".txt" top level domain yet. Also the
>> domain name "-i" will not be matching anything.
>>
>> Are these dstdomain format domain names in the file?
>>
>>>
>>> # time window for which unrelated websites are allowed to be accessed.
>>> acl acl_lunchbreak_time time M T W H F 12:00-13:59
>>
>> The day specifier must not contain spaces AFAIK. i.e. it should be "MTWHF"
>>
>>>
>>> # Denying access to all users except for members of the unrestricted group
>>> http_access deny work_unrelated !ldapgroup-unrestricted
>>>
>>
>> So where is the allow for the unrestricted group? The next http_access
>> line below will be to block them as well.
>>
>>> # Allowing access to work unrelated websites during lunchbreak for everyone
>>> http_access deny work_unrelated !acl_lunchbreak_time
>>>
>>> http_access allow authenticated
>>> http_access deny all
>>>
>>> ##########################################
>>>
>>> So, basically, the time restrictions work fine.
>>
>> Really? wow. Or did you only test this on a Monday/Friday during work
>> hours?
>>
>>> The group restrictions don't and I've been wandering around the net
>>> for hours and I'm still wondering how to make it work.
>>>
>>> It seems my acls are defined properly but probably my http_access
>>> aren't.
>>>
>>> Could you please help me out?
>>
>> This is what I would have written (including the ACLs which appear to have
>> definition problems):
>>
>>
>> # acl for miscellaneous sites unrelated to work we would like to block
>> # - contents in the unrelated.txt file.
>> acl work_unrelated dstdomain "/full/path/to/unrelated.txt"
>>
>> # time window for which unrelated websites are allowed to be accessed.
>> acl acl_lunchbreak_time time MTWHF 12:00-13:59
>>
>> # allow members of the unrestricted group unrestricted access
>> http_access allow ldapgroup-unrestricted
>>
>> # Allowing access to work unrelated websites during lunchbreak for everyone
>> http_access deny work_unrelated !acl_lunchbreak_time
>>
>> http_access allow authenticated
>> http_access deny all
>>
>>
>> Amos
>>
>