Re: [squid-users] squid_ldap_group : need help for setting up time and group restriction ACLs...

From: François Bastien <frabas_at_gmail.com>
Date: Wed, 15 Dec 2010 11:56:12 +0100

Thank you Amos for your input,

I tried adapting my squid.conf file but users in my "unrestricted"
group get denied as well.

I will now try Marcio Garcia's solution to see if it works, but I
really would like to have only one group to manage.

PS: Amos, I took into account your remarks, but in fact my copy-paste
of the file was wrong and I use this setting:

acl work_unrelated dstdomain -i "/etc/squid_dev/work_unrelated.txt" # Definition of sites unrelated to work

Having spaces between the work days of the time ACL works flawlessly.
(tested and approved).

On Tue, Dec 14, 2010 at 11:51 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On Tue, 14 Dec 2010 15:44:43 +0100, François Bastien <frabas_at_gmail.com>
> wrote:
>> Hello,
>>
>> I'm using Squid 2.7 for Windows and I'm currently facing some
>> difficulties setting up the ACLs we need.
>> So, we’re using squid_ldap_auth for authentication and we would like
>> to use squid_ldap_group to allow members of the group “unrestricted”
>> to have unrestricted access to the web.
>> We use an Active Directory (Windows Server 2003).
>>
>> To sum up, our needs are as follows:
>> All users are restricted from specific sites during working hours.
>> Specific users (members of the unrestricted group) are not restricted
>> at anytime.
>>
>> The helpers are working and are returning correct values in command
>> line. (OK or ERR based on parameters).
>> Our squid.conf configuration is as follows :
>>
>> ############################################
>>
>> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe -P -R \
>>        -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>>        -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>>        -w "*****" \
>>        -f "sAMAccountName=%s" -h "LDAP-HOST" -p "389"
>>
>> acl authenticated proxy_auth REQUIRED
>>
>>  external_acl_type ldapgroup %LOGIN c:/squid/libexec/squid_ldap_group.exe \
>>        -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>>        -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=Users,dc=MY,dc=COMPANY,dc=COM))" \
>>        -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>>        -w "*****" -h "LDAP-HOST" -p "389"
>>
>>  # acl that will match users against the active directory group "unrestricted"
>> acl ldapgroup-unrestricted external ldapgroup unrestricted
>>
>> # acl for miscellaneous sites unrelated to work we would like to block - contents in the unrelated.txt file.
>> acl work_unrelated dstdomain -i unrelated.txt
>
> I don't think IANA have released the ".txt" top level domain yet. Also the
> domain name "-i" will not be matching anything.
>
> Are these dstdomain format domain names in the file?
>
>>
>> # time window for which unrelated websites are allowed to be accessed.
>> acl acl_lunchbreak_time time M T W H F 12:00-13:59
>
> The day specifier must not contain spaces AFAIK. ie it should be "MTWHF"
>
>>
>> # Denying access to all users except for members of the unrestricted group
>> http_access deny work_unrelated !ldapgroup-unrestricted
>>
>
> So where is the allow for the unrestricted group? the next http_access
> line below will be to block them as well.
>
>> # Allowing access to work unrelated websites during lunchbreak for everyone
>> http_access deny work_unrelated !acl_lunchbreak_time
>>
>> http_access allow authenticated
>> http_access deny all
>>
>> ##########################################
>>
>> So, basically, the time restrictions work fine.
>
> Really? wow. Or did you only test this on a Monday/Friday during work
> hours?
>
>> The group restrictions don't, and I've been wandering around the net
>> for hours and I'm still wondering how to make it work.
>>
>> It seems my ACLs are defined properly but probably my http_access lines aren't.
>>
>> Could you please help me out ?
>
> This is what I would have written (including the ACLs which appear to have
> definition problems):
>
>
>  # acl for miscellaneous sites unrelated to work we would like to block - contents in the unrelated.txt file.
>  acl work_unrelated dstdomain "/full/path/to/unrelated.txt"
>
>  # time window for which unrelated websites are allowed to be accessed.
>  acl acl_lunchbreak_time time MTWHF 12:00-13:59
>
>  # allow members of the unrestricted group unrestricted access
>  http_access allow ldapgroup-unrestricted
>
>  # Allowing access to work unrelated websites during lunchbreak for everyone
>  http_access deny work_unrelated !acl_lunchbreak_time
>
>  http_access allow authenticated
>  http_access deny all
>
>
> Amos
>
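The ordering point Amos makes above (an allow for the group must come before any deny that can match its members, because Squid stops at the first http_access line whose ACLs all match) can be checked without a running proxy. The following is an added example, not code from the thread or from the Squid project: a small Python model of first-match http_access evaluation covering only the ACL types used in this thread (dstdomain, time, external group lookup, proxy_auth REQUIRED). The domain list, user names, group membership and timestamps are constructed for the illustration; the `squid_ldap_group` lookup is replaced by a static group set. Squid's real evaluation has more cases (fast vs. slow ACLs, authentication challenges), so treat this as a model of rule ordering only.

```python
"""Toy model of Squid http_access evaluation (added example, not thread code).

Models first-match evaluation of http_access lines, '!' negation and the
four ACL types the thread uses, to show why the poster's rule order denies
the "unrestricted" group and why the corrected order does not.
"""
from dataclasses import dataclass
from datetime import datetime

# squid.conf day letters, indexed by datetime.weekday() (Monday == 0)
DAY_LETTERS = "MTWHFAS"


@dataclass(frozen=True)
class Request:
    user: str            # login from proxy_auth ("" if not authenticated)
    groups: frozenset    # groups squid_ldap_group would report for the user (stubbed)
    host: str            # destination host of the request
    when: datetime       # time the request is evaluated


def dstdomain(patterns):
    """'.example.com' matches the domain and all subdomains; bare names match exactly."""
    pats = [p.lower() for p in patterns]

    def match(r):
        h = r.host.lower()
        return any((h == p[1:] or h.endswith(p)) if p.startswith(".") else h == p
                   for p in pats)
    return match


def time_acl(days, start, end):
    """days is a run of letters such as 'MTWHF'; start/end are 'HH:MM', end inclusive."""
    to_min = lambda s: int(s[:2]) * 60 + int(s[3:])
    lo, hi = to_min(start), to_min(end)

    def match(r):
        now = r.when.hour * 60 + r.when.minute
        return DAY_LETTERS[r.when.weekday()] in days and lo <= now <= hi
    return match


def external_group(group):
    """Stands in for the external_acl_type helper: OK iff the login is in the group."""
    return lambda r: group in r.groups


def proxy_auth_required(r):
    return r.user != ""


def http_access(rules, acls, r):
    """First http_access line whose ACLs all match decides; '!name' negates one ACL.
    If no line matches, Squid applies the opposite of the last line's action."""
    for action, names in rules:
        if all(acls[n.lstrip("!")](r) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed ACL set mirroring the thread's squid.conf (the domain list is made up)
ACLS = {
    "authenticated": proxy_auth_required,
    "ldapgroup-unrestricted": external_group("unrestricted"),
    "work_unrelated": dstdomain([".social.example", ".video.example"]),
    "acl_lunchbreak_time": time_acl("MTWHF", "12:00", "13:59"),
    "all": lambda r: True,
}

# Poster's order: line 1 denies every non-member on a work-unrelated site at any
# hour (so the lunch window never applies to them), and line 2 denies members
# outside the lunch window, so nobody gets unrestricted access.
ORIGINAL_RULES = [
    ("deny", ["work_unrelated", "!ldapgroup-unrestricted"]),
    ("deny", ["work_unrelated", "!acl_lunchbreak_time"]),
    ("allow", ["authenticated"]),
    ("deny", ["all"]),
]

# Amos's order: an explicit allow for the group is reached before any deny.
CORRECTED_RULES = [
    ("allow", ["ldapgroup-unrestricted"]),
    ("deny", ["work_unrelated", "!acl_lunchbreak_time"]),
    ("allow", ["authenticated"]),
    ("deny", ["all"]),
]

# Constructed timestamps: 14 Dec 2010 is a Tuesday, 18 Dec 2010 a Saturday.
TUE_10H = datetime(2010, 12, 14, 10, 0)
TUE_12H30 = datetime(2010, 12, 14, 12, 30)
SAT_12H30 = datetime(2010, 12, 18, 12, 30)


def compare(user, groups, host, when):
    """Return (verdict under ORIGINAL_RULES, verdict under CORRECTED_RULES)."""
    req = Request(user, frozenset(groups), host, when)
    return http_access(ORIGINAL_RULES, ACLS, req), http_access(CORRECTED_RULES, ACLS, req)


if __name__ == "__main__":
    for case in [("boss", ["unrestricted"], "www.video.example", TUE_10H),
                 ("alice", [], "www.video.example", TUE_10H),
                 ("alice", [], "www.video.example", TUE_12H30),
                 ("alice", [], "www.video.example", SAT_12H30),
                 ("alice", [], "intranet.my.company.com", TUE_10H)]:
        orig, fixed = compare(*case)
        print(f"{case[0]:6} {case[2]:26} {case[3]:%a %H:%M}  original={orig:5}  corrected={fixed}")
```

Running it shows the two symptoms from the thread side by side: under the original order a member of "unrestricted" is denied a work-unrelated site during working hours (the second deny catches them), and an ordinary user is denied the same site even at 12:30 (the first deny never lets the lunch window apply). Under the corrected order the member is allowed and the ordinary user is allowed only inside the MTWHF 12:00-13:59 window; note that weekends fall outside that window, so work-unrelated sites stay blocked for ordinary users all day Saturday and Sunday.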
Received on Wed Dec 15 2010 - 10:56:14 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 15 2010 - 12:00:03 MST