On Tue, 14 Dec 2010 15:44:43 +0100, François Bastien <[email protected]> wrote: > Hello, > > I’m using SQUID 2.7 for Windows and I’m currently facing some > difficulties to set up the ACL’s we need. > So, we’re using squid_ldap_auth for authentication and we would like > to use squid_ldap_group to allow members of the group “unrestricted” > to have unrestricted access to the web. > We use an Active Directory (Windows Server 2003). > > To sum up, our needs are as follows : > All users are restricted from specific sites during working hours. > Specific users (members of the unrestricted group) are not restricted > at anytime. > > The helpers are working and are returning correct values in command > line. (OK or ERR based on parameters). > Our squid.conf configuration is as follows : > > ############################################ > > auth_param basic program c:/squid/libexec/squid_ldap_auth.exe -P -R \ > -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \ > -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \ > -w "*****" \ > -f "sAMAccountName=%s" -h "LDAP-HOST" -p "389" > > acl authenticated proxy_auth REQUIRED > > external_acl_type ldapgroup %LOGIN c:/squid/libexec/squid_ldap_group.exe > \ > -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \ > -f > "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=Users,dc=MY,dc=COMPANY,dc=COM))" > \ > -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \ > -w "*****" -h "LDAP-HOST" -p "389" > > # acl that will match users against the active directory group > “unrestricted” > acl ldapgroup-unrestricted external ldapgroup unrestricted > > # acl for miscellaneous sites unrelated to work we would like to block > – contents in the unrelated.txt file. > acl work_unrelated dstdomain -i unrelated.txt
I don't think IANA have released the ".txt" top level domain yet. Also the domain name "-i" will not be matching anything. Are these dstdomain format domain names in the file? > > # time window for which unrelated websites are allowed to be accessed. > acl acl_lunchbreak_time time M T W H F 12:00-13:59 The day specifier must not contain spaces AFAIK. ie it should be "MTWHF" > > # Denying access to all users except for members of the unrestricted group > http_access deny work_unrelated !ldapgroup-unrestricted > So where is the allow for the unrestricted group? the next http_access line below will be to block them as well. > # Allowing access to work unrelated websites during lunchbreak for everyone > http_access deny work_unrelated !acl_lunchbreak_time > > http_access allow authenticated > http_access deny all > > ########################################## > > So, basically, the time restrictions work fine. Really? wow. Or did you only test this on a Monday/Friday during work hours? > The group restrictions don’t and I’ve been wandering around the net > for hours and I’m still wondering how to make it work. > > It seems my acls are defined properly but probably my http_access aren’t. > > Could you please help me out ? This is what I would have written (including the ACLs which appear to have definition problems): # acl for miscellaneous sites unrelated to work we would like to block – contents in the unrelated.txt file. acl work_unrelated dstdomain "/full/path/to/unrelated.txt" # time window for which unrelated websites are allowed to be accessed. acl acl_lunchbreak_time time MTWHF 12:00-13:59 # allow members of the unrestricted group unrestricted access http_access allow ldapgroup-unrestricted # Allowing access to work unrelated websites during lunchbreak for everyone http_access deny work_unrelated !acl_lunchbreak_time http_access allow authenticated http_access deny all Amos
