[squid-users] block domains based on LDAP group and force re-authentication every 30 minutes

From: Wim Ramakers <wim.ramakers_at_lucine-os.be>
Date: Mon, 17 Feb 2014 16:45:40 +0100

I’m trying to configure squid3 (on a Debian server) to block certain (mostly social media) websites based on the LDAP (age) group the users are in.
The devices are Apple iPads, Safari is used as the web browser, and apps are installed with the Mobile Iron multi-user platform. The device will be shared among users of multiple groups, so I must FORCE the user to re-authenticate every 30 minutes.

The problem we have now is that when a user authenticates correctly, the credentials never expire. For testing purposes I’ve set the TTL to 1 minute now, but after I authenticate a user successfully I never get a new challenge.
My current config:
-----
# How long Squid caches a helper's verdict; this is Squid's cache, not the browser's
authenticate_ttl 1 minute

auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b "dc=mydomain,dc=eu" -f uid=%s -h 10.11.12.13
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 5 minutes
acl ldap-auth proxy_auth REQUIRED

# %LOGIN hands the authenticated user name to the group helper (%u); the acl argument becomes %g
external_acl_type ldapgroup ttl=60 %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=mydomain,dc=eu" -f (&(objectClass=inetOrgPerson)(uid=%u)(memberOf=cn=%g,ou=subou,ou=mainou,dc=mydomain,dc=eu)) -h 10.11.12.13
acl ldapgroup-age9- external ldapgroup leeftijdsgroep_tot_9_jaar
acl ldapgroup-age12- external ldapgroup leeftijdsgroep_tot_12_jaar
acl ldapgroup-age13- external ldapgroup leeftijdsgroep_tot_13_jaar
acl ldapgroup-age18- external ldapgroup leeftijdsgroep_tot_18_jaar
acl ldapgroup-age18+ external ldapgroup standaard_leeftijdsgroep

acl facebook dstdomain .facebook.com
# Deny access to facebook if not in 18+ or 18- (=16-18) group.
# All acls on one http_access line are ANDed, so "!ldap-auth" must not be here:
# an authenticated user never matches "!ldap-auth" and the deny would never fire.
http_access deny facebook !ldapgroup-age18+ !ldapgroup-age18-
# Everything else only for authenticated users; the REQUIRED acl issues the 407 challenge
http_access allow ldap-auth
http_access deny all
-----

I’ve also tried other http_access allow/deny rules, following different tutorials I found online, but that did not change anything.
Can anyone spot the problem in my config, or is it just the iPad that caches the correct credentials and automatically uses them on the next challenges? If it is a caching issue, what other options do I have to force the user to enter his credentials again after a fixed period of time?

Thanks in advance for your help.
Received on Mon Feb 17 2014 - 15:45:50 MST
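An added example, not part of the original post and not a helper shipped with Squid. A browser that holds HTTP Basic credentials resends them with every request, so authenticate_ttl and credentialsttl only bound how long Squid caches the helper's verdict; the client is never challenged again as long as the helper keeps answering OK. The one lever Squid offers is a helper that answers ERR, after which Squid returns 407 and the browser has to prompt again. The helper below speaks Squid's basic-auth helper protocol (one "username password" line per request on stdin, one OK or ERR line on stdout), verifies the password, and rejects the first request it sees once a 30-minute window has elapsed, then forgets the window so the re-entered credentials are accepted. The in-memory FAKE_DIRECTORY, the REAUTH_WINDOW constant, the ReauthHelper class and the injectable clock are assumptions made for illustration; a real deployment replaces verify_password with an LDAP bind (or delegates to squid_ldap_auth). URL-decoding of the input is an assumption for Squid 3.2 and later, which escape the two fields; older versions pass them raw.

```python
#!/usr/bin/env python3
"""Squid basic-auth helper that forces re-authentication after a fixed window.

Protocol: Squid writes "username password" (one request per line) to stdin
and expects "OK" or "ERR" per line on stdout. Answering ERR makes Squid send
a 407 challenge, which is the only way to make the browser prompt again.
"""
import sys
import time
from urllib.parse import unquote

REAUTH_WINDOW = 30 * 60  # seconds an accepted login stays valid (assumed value)

# Constructed stand-in for the directory; a deployment binds to LDAP here.
FAKE_DIRECTORY = {"alice": "secret1", "bob": "secret2"}


def verify_password(user, password):
    """Return True when the credentials are valid (constant-time compare not
    needed against the in-memory stand-in; a real bind does its own check)."""
    return FAKE_DIRECTORY.get(user) == password


class ReauthHelper:
    def __init__(self, window=REAUTH_WINDOW, clock=time.monotonic,
                 verify=verify_password):
        self.window = window
        self.clock = clock        # injectable so the window can be tested
        self.verify = verify
        self.first_ok = {}        # user -> time of first accepted login in this window

    def decide(self, line):
        """Map one helper request line to 'OK' or 'ERR'."""
        try:
            user, password = line.rstrip("\n").split(" ", 1)
        except ValueError:
            return "ERR"          # malformed request: never accept it
        user, password = unquote(user), unquote(password)
        if not self.verify(user, password):
            return "ERR"
        now = self.clock()
        started = self.first_ok.get(user)
        if started is not None and now - started >= self.window:
            # Window expired: reject once so Squid answers 407 and the browser
            # re-prompts; drop the window so the next attempt starts fresh.
            del self.first_ok[user]
            return "ERR"
        if started is None:
            self.first_ok[user] = now
        return "OK"

    def serve(self, inp=sys.stdin, out=sys.stdout):
        """Main loop as Squid drives it: one answer per request line."""
        for line in inp:
            out.write(self.decide(line) + "\n")
            out.flush()           # Squid waits for each line; never buffer


if __name__ == "__main__":
    ReauthHelper().serve()
```

Point Squid at it with auth_param basic program (the install path is your choice) and run it with auth_param basic children 1, because the window state lives in the helper process and a pool of children would each keep its own clock; set credentialsttl well below the window, since Squid only consults the helper when its cached verdict expires, so the rejection can be late by up to that TTL. Whether Safari on iOS prompts for fresh credentials after the 407 or silently resends the cached ones has to be confirmed on the device, since a client that resends the same credentials would simply start a new window without the user typing anything.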