Re: [squid-users] squid_ldap_group : need help for setting up time and group restriction ACLs...

On Tue, 14 Dec 2010 15:44:43 +0100, François Bastien <frabas_at_gmail.com>
wrote:
> Hello,
>
> I’m using SQUID 2.7 for Windows and I’m currently facing some
> difficulties to set up the ACL’s we need.
> So, we’re using squid_ldap_auth for authentication and we would like
> to use squid_ldap_group to allow members of the group “unrestricted”
> to have unrestricted access to the web.
> We use an Active Directory (Windows Server 2003).
>
> To sum up, our needs are as follows :
> All users are restricted from specific sites during working hours.
> Specific users (members of the unrestricted group) are not restricted
> at anytime.
>
> The helpers are working and are returning correct values in command
> line. (OK or ERR based on parameters).
> Our squid.conf configuration is as follows :
>
> ############################################
>
> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe -P -R \
>        -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>        -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>        -w "*****" \
>        -f "sAMAccountName=%s" -h "LDAP-HOST" -p "389"
>
> acl authenticated proxy_auth REQUIRED
>
>  external_acl_type ldapgroup %LOGIN
c:/squid/libexec/squid_ldap_group.exe
> \
>        -b "OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>        -f
>
"(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=Users,dc=MY,dc=COMPANY,dc=COM))"
> \
>        -D "CN=SQUID,OU=Users,DC=MY,DC=COMPANY,DC=COM" \
>        -w "*****" -h "LDAP-HOST" -p "389"
>
>  # acl that will match users against the active directory group
> “unrestricted”
> acl ldapgroup-unrestricted external ldapgroup unrestricted
>
> # acl for miscellaneous sites unrelated to work we would like to block
> – contents in the unrelated.txt file.
> acl work_unrelated dstdomain -i unrelated.txt

I don't think IANA have released the ".txt" top level domain yet. Also the
domain name "-i" will not be matching anything.

Are these dstdomain format domain names in the file?

>
> # time window for which unrelated websites are allowed to be accessed.
> acl acl_lunchbreak_time time M T W H F 12:00-13:59

The day specifier must not contain spaces AFAIK. ie it should be "MTWHF"

>
> # Denying access to all users except for members of the unrestricted
group
> http_access deny work_unrelated !ldapgroup-unrestricted
>

So where is the allow for the unrestricted group? the next http_access
line below will be to block them as well.

> # Allowing access to work unrelated websites during lunchbreak for
everyone
> http_access deny work_unrelated !acl_lunchbreak_time
>
> http_access allow authenticated
> http_access deny all
>
> ##########################################
>
> So, basically, the time restrictions work fine.

Really? wow. Or did you only test this on a Monday/Friday during work
hours?

> The group restrictions don’t and I’ve been wandering around the net
> for hours and I’m still wondering how to make it work.
>
> It seems my acls are defined properly but probably my http_access
aren’t.
>
> Could you please help me out ?

This is what I would have written (including the ACLs which appear to have
definition problems):

 # acl for miscellaneous sites unrelated to work we would like to block –
contents in the unrelated.txt file.
 acl work_unrelated dstdomain "/full/path/to/unrelated.txt"

 # time window for which unrelated websites are allowed to be accessed.
 acl acl_lunchbreak_time time MTWHF 12:00-13:59

 # allow members of the unrestricted group unrestricted access
 http_access allow ldapgroup-unrestricted
 
 # Allowing access to work unrelated websites during lunchbreak for
everyone
 http_access deny work_unrelated !acl_lunchbreak_time
 
 http_access allow authenticated
 http_access deny all

Amos
Received on Tue Dec 14 2010 - 22:51:45 MST